Using random folder name on web server to restrict access to it - bad idea?

views:

322

answers:

+2 Q:

Using random folder name on web server to restrict access to it - bad idea?

Lets say I have "admin" folder in my public_html and I don't want anyone except me to be able to access it. What if instead of password protecting it (using apache htaccess) I just rename it to "admin-7815696ecbf1c96e6894b779456d330e" and leave it open (with disabled folder indexes of course)?

People usually freak out from such "solution" as it seems extremely vulnerable. But is it really any worse than password protecting? I can't think about any major security risks comparing to password protecting. Would anyone be ever able to find out a name of this folder?

+3 A:

Yes its a bad idea.

If you don't use a password, other systems won't treat it as such.

For example, your browser will now cache that url in its history. It won't do that automatically for passwords (at least not Firefox)

What about the list permission? What about internet hops, they'll see your URL.

If you start going around the security system, the security system won't know you want to be secure.

EDIT

Another way to think about it is, when software sees a password it goes, "This is an security issue and I will treat it as such." But for URLs, it goes "Meh, another piece of data"

Pyrolistical 2009-07-31 18:59:24

My browser would cache my password as well (as most people select "remember"). What do you mean by internet hops? Also I am not talking about enterprise level security, just the most basic one for personal use.

serg 2009-07-31 19:06:11

Your browser will tell every website your referrer, so they'll be able to see the hidden folder's name. It's security through obscurity, you're not gaining anything through it, especially when doing it *properly* is so easy.

Kitsune 2009-07-31 19:14:26

Ok, referrers is good point. Still I can have no external links there. Maybe it is not even web application just bunch of documents. Maybe I am not gaining anything (if not count simplicity), but the question is - is it any less secure from technical point of view comparing to password protecting or not.

serg 2009-07-31 19:20:10

I agree with serg555 on that. So long as nothing in there is referring to anything external, that issue becomes moot.

madcolor 2009-07-31 19:24:52

It's not really any simplier (creating a little .htaccess file is really easy), but it's incredibly brittle. It might work *for now*, but as time goes on and you change what's in there you run the risk that you expose yourself without realizing it. It's simply a bad practice.

Kitsune 2009-07-31 19:33:12

Ok, so what you are saying is it is more psychological problem rather than technical. I can agree with that, but still the point is - if you want to be secure with random url you CAN be, there are no any significant technical problems with that (somethign you can't overtake). You don't post your password on webpages for search spiders to pick it up, you might as well not post your random url - same level.

serg 2009-07-31 19:38:22

+4 A:

For a personal site, it's probably OK - but only you know the value of what you are protecting. One thing to be wary of is if you have webpages in that directory that link to external sources - by clicking a link to one of those external URLs you will (probably) pass on your "secret" url in the HTTP Referrer header. Also, it only takes on link back to your "secret" url and robots and spiders could be all over it and then you'll find it in Google. So, be very careful!

Dan Diplo 2009-07-31 19:19:25

As Pyrolistical was saying, a randomized URL isn't protected with the same degree of care as a password would be. There's a lot of security research that goes into the systems that store and transmit passwords, and if you just use a randomized URL instead, you get none of that. (Well, you can force HTTPS for the URL, that gives you some benefit) But if you just want to deter casual snoopers, it's probably good enough. I've used that technique in the past when I wanted to share a URL with a few people, given that the data stored at the URL wasn't especially sensitive.

As for whether the randomized URL approach is appropriate for you, it depends - what web pages can you access from it? Typically "admin" means things like system control apps or database interfaces (phpMyAdmin and the like), and those sorts of things I wouldn't trust to a randomized URL scheme. Basically, if the web pages you're trying to protect are things that allow you to make changes to the system, go with password protection. But if they're read-only monitoring apps, like server statistics (and if there is no sensitive or personally identifying information involved), a randomized URL might be fine.

Honestly, though, why wouldn't you just set up password authentication, given how easy it is?

David Zaslavsky 2009-07-31 19:22:49

You say "URL isn't protected with the same degree of care" and "those sorts of things I wouldn't trust to a randomized URL scheme" but why exactly? :) Password protecting is easy but random folder name is easier.

serg 2009-07-31 19:29:37

Well, for instance, there's the referrer URL that other people have mentioned, and there's also the issue of my browser caching the page, and storing the URL in its history. And if I'm not using HTTPS, the URL is also visible to the 20-something routers that carry the data between my computer and the server. And what if someone's watching over my shoulder? They can see the URL... really, though, password protection is barely any harder than random folder name. (Trust me, like I said, I've done both)

David Zaslavsky 2009-07-31 19:52:54

+5 A:

Bad idea - It's basically security by obscurity.

This is the sort of thing you'd use to protect a phpbb /install/ folder during an install, but not as a permanent solution.

gridzbi 2009-07-31 19:25:11

This is a form of security through obscurity - and it's bad security.

Carl Manaster 2009-07-31 19:25:46

I use a random folder name with htaccess password and an SSL certificate. The password is a simple fallback, just in case someone clever (say the dude running the IT at the coffee shop) is able to get between your computer and the internet. The SSL encryption is necessary since htaccess passwords are not encrypted.

Whatever you do, make sure you don't have a link anywhere to your page.

Juan 2009-07-31 19:28:57

+1 A:

Contrary to what others have said, this is not security through obscurity, and depending on how the random folder name is assigned, and how that name is protected, this can be a very secure solution.

First, choose the folder name from a large "space". Due to the size of the number in the question, it looks like that has been done. Personally, I'd choose a number randomly in a range up to between 2¹¹² or 2¹²⁸, then encode it to text using hexadecimal (base-64 would work in some contexts, but it's not handy for directory names).

The random component should be chosen from a cryptographic quality random number generator.

Then, protect the random name by transmitting and storing it only on secure media. This means, for example, only accessing the contents of the directory over HTTPS. Without SSL, an man-in-the-middle would learn the secret directory name and have unrestricted access.

If this is done by an administrator for their own use only, it's a quick and easy solution. If multiple parties need access to the directory, user names and passwords (which must also be transmitted only over a secure channel) quickly become more convenient because rights can be granted only by an administrator and can be revoked without affecting other users.

erickson 2009-07-31 19:56:03

I'd say it takes less effort to say, just kick on HTTP authentication in apache than it is to remember some 32+ character gibberish domain name.

Wyatt Barnett 2009-07-31 19:59:03

ansaurus

tags:

views:

answers:

Using random folder name on web server to restrict access to it - bad idea?

related questions