Re: Password protected pages?
> From: "Hamilton, Ed @ OTT" <EHAMILT@ottsmtp.}.esc.lmco.com>
> Cc: www-security <www-security@ns2.rutgers.edu>
> Date: Mon, 22 Jul 96 11:52:00 EDT
> Encoding: 46 TEXT
> X-Mailer: Microsoft Mail V3.0
> Sender: owner-www-security@ns2.Rutgers.EDU
> Precedence: bulk
> Errors-To: owner-www-security@ns2.Rutgers.EDU
> Content-Type: text
> 
> 
> I am no expert in this area, but these responses seem either incorrect or 
> obscure.
> 
> 1.   My understanding is that some java code can be hidden from the viewer 
> via the "View Source" option (i.e., selecting "View Source" will not reveal 
> it).  This does not necessarily mean that people can not "capture" this 
> code, it just means that they can not easily view it from the "view source" 
> (in netscape).

   We were speaking of HTML code. Indeed, if someone has included a Java applet
in his page, all the user will have when doing a 'View source' will be the
APPLET tag, not the exact code. But it would be IMHO some convoluted scheme to
write a Java applet that 'writes' your page as if it were a real HTML page.

> 2.   I am not too familiar with a server's authentication scheme, but if 
> pages x, y, and z exist and x requires a password to access (and contains 
> two links to y and z), can I not just bypass it by making a bookmark at page 
> y and/or z within the secured area and then jumping directly to that page? 
>  Sure I need the password once, but once I know where these pages are 
> located, can I not access them?  Certainly in some security implementations 
> you can do this (I have done this before).

   Again, we are both right (well, you are, at least :-). The authentication
scheme should be used to protect a _tree_ (which can be reduced to a single
page). As you rightly point out, it is rather foolish to protect the 'front' page
and let anyone access the pages 'behind it' if he knows the proper URL. Such
a scheme can easily be circumvented, without even having a name/password, in
some cases (for example, if you have forgotten to disable directory browsing).

> I am not trying to correct the original response, as I am not knowledgeable 
> enough in this area to make that statement, however, I am trying to point 
> out what I believe are some oversights.  If they are not, well then I will 
> have learned something as well (assuming someone corrects these statements 
> if incorrect).

   No harm intended, none taken.
-- 
-+-+ Pierre-Yves BONNETAIN (aka Pyb)
     Consultant Internet/Securite
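An added illustration, not part of this thread and not written by either poster: a small Python model of the two access-control policies discussed above. The site (three pages under /secure/ plus a public index), the policy dictionaries and the status codes are all constructed for the example. It shows that a rule protecting only the front page leaves the pages behind it reachable by URL, that a rule on the whole subtree closes that gap, and that directory listing has to be switched off separately. The path canonicalisation step (percent-decoding and normalising before the check) is my own addition beyond what the thread says; without it a prefix rule can be dodged by odd spellings of the same path.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample site: a public index plus a 'front' page and two pages 'behind' it.
SITE = {"/index.html", "/secure/index.html", "/secure/y.html", "/secure/z.html"}

# Policy A (the scheme Ed describes): only the front page asks for a password.
FRONT_PAGE_ONLY = {"protected": ["/secure/index.html"], "listing": True}

# Policy B (what Pyb recommends): the whole /secure/ tree is protected
# and directory browsing is disabled.
WHOLE_TREE = {"protected": ["/secure/"], "listing": False}


def canonical(path):
    """Decode and normalise the request path before any access decision,
    so that /secure/%79.html, /secure/./y.html or //secure/y.html are all
    judged as /secure/y.html.  A trailing '/' (a directory request) is kept."""
    wants_listing = path.endswith("/")
    path = posixpath.normpath(unquote(path))
    path = re.sub(r"^/+", "/", path)  # normpath keeps a leading '//'
    if wants_listing and not path.endswith("/"):
        path += "/"
    return path


def requires_auth(policy, path):
    """True if the canonical path falls under one of the policy's entries.
    An entry ending in '/' covers the whole subtree, otherwise one page."""
    for entry in policy["protected"]:
        if entry.endswith("/"):
            if path.startswith(entry) or path == entry.rstrip("/"):
                return True
        elif path == entry:
            return True
    return False


def serve(policy, raw_path, authenticated=False):
    """Return the HTTP status a server applying `policy` would give:
    401 (credentials needed), 403 (listing refused), 404 or 200."""
    path = canonical(raw_path)
    if requires_auth(policy, path) and not authenticated:
        return 401
    if path.endswith("/"):
        return 200 if policy["listing"] else 403
    return 200 if path in SITE else 404


def behind_page_reachable_without_login(policy):
    """True if a page behind the front page is served to an anonymous
    request, i.e. the policy protects only the entrance, not the tree."""
    return serve(policy, "/secure/y.html") == 200


if __name__ == "__main__":
    for name, policy in (("front page only", FRONT_PAGE_ONLY), ("whole tree", WHOLE_TREE)):
        print(name,
              "y.html anonymously:", serve(policy, "/secure/y.html"),
              "listing anonymously:", serve(policy, "/secure/"))
```

Running it prints 200 for both the bookmarked page and the directory listing under the front-page-only policy, and 401 for both under the subtree policy; the same subtree rule also covers the front page itself, so authenticated users still get 200 there.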