>> yong321@yahoo.com wrote:
>> 
>> Please tell me whether there's a security problem in the following
>> scenario. I put secret.txt, a file containing sensitive data, on my Web
>> site so people can go to http://mywebserver/secret.txt to view it. But
>> I only tell the URL to those I trust. And there's no link from any of
>> my Web pages to this file. Is there any problem with this "URL is
>> password" security strategy? Let's assume those I trust do not share
>> their own computers with others.
>> 
>> Some more notes. Obviously I need index.html (or default.htm etc.) if
>> secret.txt is at the server document root, or I need to turn off
>> directory browsing in web server configuration. If I put secret.txt
>> under a subdirectory on the web server, I have to turn off directory
>> browsing.
>> 
>> Please, from the hacking point of view, is there anything obviously
>> wrong? Thanks.
>> 
>> Yong Huang
>> yong321@yahoo.com

> [somebody's response snipped]

Thanks for your response. I think for my security requirement which is fairly 
low, the only thing you mentioned that worries me is proxy caching on the 
client side (I mean like the IT department of a company where one of the 
trusted users works). It caches the URL viewable by the proxy server 
administrator. I don't care about browser caching, browser storing URL history, 
or even someone looking over the trusted party's shoulder, because I assume the 
trusted user doesn't share his computer and works in his own cubicle. Sniffing 
the wire is a generic problem so I don't worry much either.

I don't worry about file permission being "world"-readable for secret.txt 
because it's readable by the people working at the site serving the Web on the 
server side, not surfing the Web on the client side. (i.e. not a big deal if my 
staff see the file!)

As a matter of fact, what I call "URL is password" is a popular Web publishing 
technique, particularly useful when you can't write server-side scripts but you 
need some access control. I use it at an Alumni member list to avoid potential 
spammers stealing our members' email addresses (look at the Javascript at 
http://beidahouston.org/htmls/member.html). But what really triggered my posting of 
this message was the fact that our company's former Web programmers stored 
files such as opendb.inc (a file containing database username / password) 
*under* the Web server document root. The really bad part was they left the Web 
server directory browsing *allowed*. I took over the project and immediately 
turned off directory browsing so at least my "URL is password" works. Then I 
moved files such as opendb.inc above and out of the document root. Another Web 
server I just took over had similar problem but I don't bother to move the 
opendb.inc because this time, this file tells you how to get the database 
password from NT registry (we're using WindowsNT), rather than directly showing 
the password string. I'm not sure whether a mediocre hacker can hack this.

Thanks for reading.

Yong Huang
yong321@yahoo.com