Nick Kew wrote:
> On 16 Sep 2008, at 06:57, Hugh E Cruickshank wrote:
>> That may be the case but their recommendation is still: Issue a "404 - Not Found" response status code for a forbidden resource, or remove it completely.
> Either they're wrong or you're misreading. But I can see what's happening. It's "Chinese whispers", starting from the CIS benchmark. Most likely someone along the way (IBM's tech writer's boss or somesuch) insisted that a meaningful explanation would be too difficult for their lusers, and either didn't understand or didn't care that it's misleading. Security by Cookery. BTDT. I can feel a blog entry coming on.
~chuckle~ Technically, cooking is following a detailed set of instructions, one set for each item being cooked, so it's not quite as bad as it sounds.
I don't disagree with the conclusion in this particular case: hiding filesystem structure in the document root is not an improvement in security. I'm always concerned with security issues, but it's the app code and data verification that I see as where to focus my attention. At least until such time as updated underlying technologies are implemented to address the security issues.
Since the internet was built at a time and in an environment where security wasn't a concern at all, the core technologies need to be rebuilt with security as a priority. That would probably impact the HTTP Server and many other projects, requiring a lot of work to have them function with the new system(s) properly.
Jaqui

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx