> Thanks for the response, this was essentially the answer I was looking for.
> I do have a question though -- what do you mean by "Make sure that the site
> is NOT available through SSL"? Perhaps I'm missing something but it would
> seem that if anything, it would be more imperative to ensure that the site
> is not available without SSL (ie, no way to get in without SSL).
Hmm, I was writing this reply when half asleep apparently: it should be 'without' indeed (what's the point of having a secure site with SSL, when it's still possible for users to get in without SSL?)

Always assume that your users are stupid: don't rely on their knowledge of HTTP/HTTPS; even if you hammer that they should use the 'https' link, some of them will use plain http if it's available.

> As for robots.txt and security -- hahaha. I would imagine that any would-be
> hax0r would immediately look at robots.txt to see if anyone was disallowing
> /admin or /password and then request that very document.

Yes, indeed.

> Thanks again.

NP,

Johannes

> > To answer the original question: yes, if the username/password
> > authentication is done through SSL, you are relatively safe.
> > Be sure to at least follow the following steps:
> >
> > - Make sure that the site is NOT available through SSL
> > - Make sure that .htaccess files are non-retrievable (but still readable
> >   by the webserver though)
> > - Make sure that the files for usernames+passwords are located outside the
> >   webroot
> > - Try to sniff yourself (with tcpdump for example) to be 100% sure

-- 
/===================================\ /====================================\
| Johannes Verelst                  | Email: [EMAIL PROTECTED]            |
| Web: http://www.verelst.net       | IRC: nl.eu.slashnet.org / Gullie    |
+===================================/ \====================================+
|"Programming today is a race between software engineers striving to build |
|bigger and better idiot-proof programs, and the Universe trying to produce|
|bigger and better idiots. So far, the Universe is winning."               |
\==========================================================================/
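The server-side points from the quoted checklist (force every request onto HTTPS, keep .htaccess from being served, and keep the password file outside the webroot) written out as an Apache 2.4 configuration fragment. This is an added example, not part of the thread and not any poster's own configuration. The host name example.com, the document root /var/www/example/htdocs, the certificate paths under /etc/apache2/ssl/ and the password file /etc/apache2/private/htpasswd are assumptions chosen for the example.

```apache
# Added example, not from the original thread. Paths and host name are assumed.

# Plain-HTTP host: nothing is served here. Every request is answered with a
# permanent redirect to the HTTPS host, so a user who types or follows an
# http:// link never reaches the login form over cleartext.
<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/example/htdocs

    # mod_ssl: certificate and key paths are assumptions for this example.
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/example.com.key

    # mod_headers: tell browsers that have visited once to stay on HTTPS,
    # so even a plain http:// bookmark is rewritten client-side.
    Header always set Strict-Transport-Security "max-age=31536000"

    # .htaccess and .htpasswd are read by the server process but never
    # served to a client, whatever URL is requested.
    <FilesMatch "^\.ht">
        Require all denied
    </FilesMatch>

    # The credential file lives outside DocumentRoot, so no URL maps to it;
    # create it with: htpasswd -c /etc/apache2/private/htpasswd <user>
    <Directory "/var/www/example/htdocs/admin">
        AuthType Basic
        AuthName "Restricted area"
        AuthUserFile /etc/apache2/private/htpasswd
        Require valid-user
    </Directory>
</VirtualHost>
```

Two quick checks after a reload: `curl -I http://example.com/admin/` should return a 301 with a `Location: https://...` header and no body, and `curl -I https://example.com/.htaccess` should return 403. The `Header` and `SSLEngine` directives need mod_headers and mod_ssl loaded; Apache comments cannot share a line with a directive, which is why every comment above sits on its own line.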