httpd-dev mailing list archives

From Andrew Wilson <and...@www.elsevier.co.uk>
Subject Re: NCSA 1.4 --- core dumps seen with /~user problem
Date Thu, 06 Apr 1995 20:13:45 GMT

> On Thu, 6 Apr 1995, Andrew Wilson wrote:
> > COMMA used to have ~user URLs when we first set the server up in 93,
> > but Robert Evans deemed that any program that gave away real usernames
> > to the outside world was intrinsically a bad thing - too easy for
> > crackers to get into poorly passworded accounts etc, etc.
> 
> So I guess you guys never use email?  Any system that gave away 
> *arbitrary* information about accounts could be considered a negative 
> thing - like finger @site for example - but /~user/ URLs aren't indexed
> anywhere, so someone pretty much has to know about it first before being
> able to access it (unless the site creates their own menus of /~user/s.)

We use e-mail.  My COMMA drop is Andrew.Wilson@cm.cf.ac.uk heheheheh...

Lots of people have /~user/ URLs as their home pages, given away in .sigs
and you see them all over the place.  I know it wouldn't be a good idea to
remove the ~user code from Apache, 'cuz that'd stop apache being a plug-in
replacement for NCSA, but a note to the effect that if you were really
hard-core about security you shouldn't encourage the use of ~user URLs.  But
anyway, I'm not saying it's like a religious issue or anything.

> 	Brian "Bogosity Vanquishor" B.

Yeah, death to obfuscators, etc. ;)
Ay.

     Andrew Wilson	     URL: http://www.cm.cf.ac.uk/User/Andrew.Wilson/
Elsevier Science, Oxford   Office: +44 01865 843155    Mobile: +44 0589 616144
