Avi Rappoport wrote:
>
> Yeah, I read something about that once. Basically, it said not to
> name sensitive and private areas on your site with obvious names and
> put them in robots.txt.
>
> But I say that security by obscurity is a bad idea anyway: you should
> use access control (user names & passwords) to keep out everyone, not
> just robots or those who read robots.txt.

I can't speak to the original intent of the warning, but there is
a valid if subtle point here (subtle being my way of saying that I
will likely not make it myself). Providing information to an attacker
is bad -- even if you're just pointing them to a well protected area
of your site. It's much worse if that area is not protected at all,
but it's not good either way.

A good place to start hacking a web site is the CGI script directory.
As likely as not it will be found in "/cgi-bin". If not, the bar
is raised just a little bit for the attacker. But immediately lowered
again if you mention "/hidden-cgi-bin" in /robots.txt. It's even
worse if there's an entry like "/cgi-bin/script-with-a-hole" in
the robots.txt file. Now the attacker knows exactly where to start
hacking.

Sure, it's not like they couldn't find that script by going through your
site with a spider, but that attracts attention and is a heck of a lot
harder than grabbing /robots.txt.

It's good to remember that security _only_ by obscurity is bad news, but
that doesn't mean that obscurity is a bad thing. I don't know about you,
but I don't head off to the bar every Friday and hand out cards with my
home address and asset list to anyone who'll take them.
-- George
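The practical takeaway from the thread is that a site owner should review their own robots.txt before publishing it, because every Disallow line is readable by anyone. The script below is an added example, not code from the mailing list or from any of its participants: it parses a constructed robots.txt, flags Disallow entries that name a specific file (the "/cgi-bin/script-with-a-hole" case) or a directory whose name hints at a private or script area (the "/hidden-cgi-bin" case), and leaves ordinary crawl exclusions alone. The sample file content, the keyword list and the function names are all constructed for illustration.

```python
"""Audit a robots.txt for Disallow entries that reveal sensitive paths.

Added example (not part of the original thread). The sample robots.txt,
the SENSITIVE_KEYWORDS list and the function names are constructed.
"""

# Constructed sample: the kind of robots.txt the message warns about.
SAMPLE_ROBOTS_TXT = """\
# crawler rules
User-agent: *
Disallow: /images/tmp/
Disallow: /hidden-cgi-bin/
Disallow: /cgi-bin/script-with-a-hole
Disallow: /admin/
Allow: /public/
"""

# Directory names that suggest a private or script area (constructed list;
# tune it to the naming conventions of the site being audited).
SENSITIVE_KEYWORDS = ("cgi-bin", "admin", "hidden", "private", "backup", "secret")


def parse_disallow(robots_txt):
    """Return every non-empty Disallow path, in file order.

    Comments (after '#') are stripped and field names are matched
    case-insensitively, which is how crawlers read the file.
    """
    paths = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        field, _, value = line.partition(":")
        if field.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


def classify(path):
    """Say how much a single Disallow path tells a reader.

    'file'    - names a specific resource below a directory: the reader
                is told exactly which script or page exists.
    'keyword' - a directory whose name hints at a private/script area.
    'ok'      - an ordinary crawl exclusion with nothing obviously revealing.
    """
    segments = [s for s in path.split("/") if s]
    names_resource = len(segments) > 1 and not path.endswith("/")
    if names_resource:
        return "file"
    if any(k in path.lower() for k in SENSITIVE_KEYWORDS):
        return "keyword"
    return "ok"


def audit(robots_txt):
    """Map each Disallow path to its classification."""
    return {p: classify(p) for p in parse_disallow(robots_txt)}


def findings(robots_txt):
    """Only the entries that deserve a second look before publishing."""
    return {p: v for p, v in audit(robots_txt).items() if v != "ok"}


if __name__ == "__main__":
    for path, verdict in findings(SAMPLE_ROBOTS_TXT).items():
        print(f"{verdict:8} {path}")
    print("Entries above disclose layout to anyone who fetches /robots.txt;")
    print("protect those areas with access control rather than listing them.")
```

Running the script on the constructed sample reports the two CGI entries and the admin directory, while "/images/tmp/" passes. The check is deliberately simple: it does not decide whether a flagged area is actually protected, it only surfaces the entries that would merit the access-control question the thread raises.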