    Security Of Cloud Shared Links

    • scottalanmillerS
      scottalanmiller @Dashrender

      @Dashrender said in Security Of Cloud Shared Links:

      @scottalanmiller said in Security Of Cloud Shared Links:

      @Dashrender said in Security Of Cloud Shared Links:

      @scottalanmiller said in Security Of Cloud Shared Links:

      Even index.html isn't an exception to this, that is autolinked as a setting in the web server, too. Many of the links are by convention.

      auto linked to what?

      To whatever the default is set in the web server. Go to http://ntg.co/ (really, go to it, we need the hits) and the web server is informed to go "serve up the default link." In the case of that particular site, the default is set to index.php. You set this for all web servers. If you don't set it for Apache, it has a default setting of index.html and IIS has a built in default of index.htm.

      The whole it's linked is where I'm getting hung up here - I agree that those are the default locations where those services will send people - but calling them links or linked - not sure you've convinced me yet.

      It only sends people there because of the links. You can argue that index.html is not a link, but only that one case. All other resources are only available by links, there is no default to get people there.

      • scottalanmillerS
        scottalanmiller @Dashrender

        @Dashrender said in Security Of Cloud Shared Links:

        Then what's the problem with leaving the default directories and junk behind in an IIS install - if nothing links to those things, what harm is there in them being there? I suppose their being there as a directly accessible folder and the tyranny of the default is what creates the harm. So if you know that that is a default folder, you can try to go there directly and attempt to execute something that might be there...

        Because if it is generic, then malicious users can try to access it because they know that it is commonly there. It's a bigger attack surface.

        • BRRABillB
          BRRABill

          My example I used was that if I create a page OUTSIDE my WordPress site, there is no way anything can find it.

          So if I made www.brra.com/SAM, no one would ever see it.

          Well, they would now because I posted here on ML. But you get the drift.

          • DashrenderD
            Dashrender @scottalanmiller

            @scottalanmiller said in Security Of Cloud Shared Links:

            @Dashrender said in Security Of Cloud Shared Links:

            @scottalanmiller said in Security Of Cloud Shared Links:

            @Dashrender said in Security Of Cloud Shared Links:

            @scottalanmiller said in Security Of Cloud Shared Links:

            Even index.html isn't an exception to this, that is autolinked as a setting in the web server, too. Many of the links are by convention.

            auto linked to what?

            To whatever the default is set in the web server. Go to http://ntg.co/ (really, go to it, we need the hits) and the web server is informed to go "serve up the default link." In the case of that particular site, the default is set to index.php. You set this for all web servers. If you don't set it for Apache, it has a default setting of index.html and IIS has a built in default of index.htm.

            The whole it's linked is where I'm getting hung up here - I agree that those are the default locations where those services will send people - but calling them links or linked - not sure you've convinced me yet.

            It only sends people there because of the links. You can argue that index.html is not a link, but only that one case. All other resources are only available by links, there is no default to get people there.

            I completely agree with the rest being links.. just the default page loaded when visiting a folder directly be it www.google.com or www.google.com\scottalenmiller

            • DashrenderD
              Dashrender @BRRABill

              @BRRABill said in Security Of Cloud Shared Links:

              My example I used was that if I create a page OUTSIDE my WordPress site, there is no way anything can find it.

              So if I made www.brra.com/SAM, no one would ever see it.

              Well, they would now because I posted here on ML. But you get the drift.

              Yesterday I would have said that Google could find it.. but now with an education from Scott and strongbad - I guess not.

              • BRRABillB
                BRRABill @Dashrender

                @Dashrender said

                Yesterday I would have said that Google could find it.. but now with an education from Scott and strongbad - I guess not.

                You and me, both.

                I really thought that is how it worked. It crawled through the SITE looking for files, not looking for links.

                • DashrenderD
                  Dashrender @BRRABill

                  @BRRABill said in Security Of Cloud Shared Links:

                  @Dashrender said

                  Yesterday I would have said that Google could find it.. but now with an education from Scott and strongbad - I guess not.

                  You and me, both.

                  I really thought that is how it worked. It crawled through the SITE looking for files, not looking for links.

                  Well - that's kinda semantics, but not entirely.
                  What I didn't know, that @StrongBad pointed out, is that the HTTP protocol has no way of displaying content of a folder itself. That those web servers that do show the folder contents do so because of a function of the web server, not a function of HTTP - and on the web server side, it can be turned off - which was something I knew could happen, but I didn't know to what level it actually kept people out - sounds like it actually does a pretty damned good job.

                  • BRRABillB
                    BRRABill

                    I didn't realize I could put items outside the realm on my site and not have them seen.

                    Sweet.

                    • DashrenderD
                      Dashrender

                      Then there's the other side of this - the fact that there aren't that many static pages anymore. Most of the time things are generated on the fly by an application installed into the web server, such as WordPress. So even if you could search the directory, there wouldn't be anything there. Instead the file is created only upon request and delivered to the end user, and not written to the directory.

                      • DashrenderD
                        Dashrender @BRRABill

                        @BRRABill said in Security Of Cloud Shared Links:

                        I didn't realize I could put items outside the realm on my site and not have them seen.

                        Sweet.

                        Only not seen as long as someone doesn't guess the direct path - but now we're back to guessing the path to the above mentioned sharing files - if someone guesses it right, they get right in, but what are the chances? 1 in 10^42?

                        BRRABillB 1 Reply Last reply Reply Quote 0
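Added example, not part of the original thread: a localhost demonstration of the points made above, that the default document and the folder listing are web server features rather than HTTP features, and that switching the listing off removes discovery but not access. It uses Python's standard `http.server`; the file name, the `files/` folder and the `Listing`/`NoListing`/`probe` names are constructed for illustration.

```python
import functools, http.server, pathlib, tempfile, threading, urllib.error, urllib.request

SECRET_NAME = "report-7f3a9c.txt"  # constructed sample name, linked from nowhere

class Listing(http.server.SimpleHTTPRequestHandler):
    """Stock static handler: lists a folder when it has no index.html/index.htm."""
    def log_message(self, *args):  # keep the demo quiet
        pass

class NoListing(Listing):
    """Same handler with the folder-listing feature switched off."""
    def list_directory(self, path):
        self.send_error(403, "Directory listing disabled")
        return None

def fetch(opener, url):
    """Return (status, body) for a GET, treating HTTP errors as results."""
    try:
        with opener.open(url, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""

def probe(handler_cls):
    """Serve a throwaway docroot on localhost and request three paths."""
    with tempfile.TemporaryDirectory() as root:
        docroot = pathlib.Path(root)
        (docroot / "index.html").write_text("home page")   # default document
        (docroot / "files").mkdir()                        # folder with no index
        (docroot / "files" / SECRET_NAME).write_text("unlinked content")
        handler = functools.partial(handler_cls, directory=root)
        server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=server.serve_forever, daemon=True).start()
        base = f"http://127.0.0.1:{server.server_address[1]}"
        opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
        try:
            return {
                "default_doc": fetch(opener, base + "/"),
                "folder": fetch(opener, base + "/files/"),
                "direct_path": fetch(opener, base + "/files/" + SECRET_NAME),
            }
        finally:
            server.shutdown()
            server.server_close()

if __name__ == "__main__":
    for cls in (Listing, NoListing):
        print(cls.__name__, {k: v[0] for k, v in probe(cls).items()})
```

With `NoListing` the folder request returns 403 while the direct path still returns 200, so the unlinked file is protected only by how hard its path is to guess, not by any access control.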
                        • BRRABillB
                          BRRABill @Dashrender

                          @Dashrender said

                          Only not seen as long as someone doesn't guess the direct path - but now we're back to guessing the path to the above mentioned sharing files - if someone guesses it right, they get right in, but what are the chances? 1 in 10^42?

                          Yeah, almost impossible.

                          • scottalanmillerS
                            scottalanmiller @Dashrender

                            @Dashrender said in Security Of Cloud Shared Links:

                            I completely agree with the rest being links.. just the default page loaded when visiting a folder directly be it www.google.com or www.google.com\scottalenmiller

                            Right, that one is a link because it is listed in DNS. So still a link, just not a generated one 🙂

                            So http://ntg.co/ is still a link, just one linked from DNS.

                            • scottalanmillerS
                              scottalanmiller @Dashrender

                              @Dashrender said in Security Of Cloud Shared Links:

                              Then there's the other side of this - the fact that there aren't that many static pages anymore. Most of the time things are generated on the fly by an application installed into the web server, such as WordPress. So even if you could search the directory, there wouldn't be anything there. Instead the file is created only upon request and delivered to the end user, and not written to the directory.

                              Correct, IF you were sitting on the server and looking at the file system. But that's not how any of these things work so not really a factor.

                              • DashrenderD
                                Dashrender @scottalanmiller

                                @scottalanmiller said in Security Of Cloud Shared Links:

                                @Dashrender said in Security Of Cloud Shared Links:

                                I completely agree with the rest being links.. just the default page loaded when visiting a folder directly be it www.google.com or www.google.com\scottalenmiller

                                Right, that one is a link because it is listed in DNS. So still a link, just not a generated one 🙂

                                So http://ntg.co/ is still a link, just one linked from DNS.

                                What? A link from DNS? That's a stretch. So DNS entries are now links?

                                • scottalanmillerS
                                  scottalanmiller @Dashrender

                                  @Dashrender said in Security Of Cloud Shared Links:

                                  @scottalanmiller said in Security Of Cloud Shared Links:

                                  @Dashrender said in Security Of Cloud Shared Links:

                                  I completely agree with the rest being links.. just the default page loaded when visiting a folder directly be it www.google.com or www.google.com\scottalenmiller

                                  Right, that one is a link because it is listed in DNS. So still a link, just not a generated one 🙂

                                  So http://ntg.co/ is still a link, just one linked from DNS.

                                  What? A link from DNS? That's a stretch. So DNS entries are now links?

                                  What would you call them? They are a publicly listed link to your site. How do you think of them that would make them something other than a link? If you put a DNS entry into your URL bar, you go to the page, right? What is the A Record list but a collection of links? I mean literally... what else is it?

                                  • scottalanmillerS
                                    scottalanmiller

                                    Or, let's ask the opposite, what do you feel is required for something to be a link?

                                    • scottalanmillerS
                                      scottalanmiller

                                      If I get a text output from a DNS server, I get a collection of links both FQDN and IP Addresses (and in some cases extra stuff.) Both the FQDN and the IP Address are just links. Sure, if it is pure text then there is no anchor tag, but that's just one way to make something a link. The A and CNAME and PTR records in DNS are all just nothing but links. Anything reading the DNS entries has links to your sites.

                                      • DashrenderD
                                        Dashrender

                                        I see it more grey than that. I don't have a name for what they are.

                                        • scottalanmillerS
                                          scottalanmiller @Dashrender

                                          @Dashrender said in Security Of Cloud Shared Links:

                                          I see it more grey than that. I don't have a name for what they are.

                                          But the verb that they do is.... link to your site, right? They aren't an anchor tag, but what grey makes them in any form not a link? I'm unclear where the grey is here. They are just one thing, a link, right? It's not like they are anything else.

                                          • scottalanmillerS
                                            scottalanmiller

                                            Let's try it this way....

                                            What is a link? I'd say that, in this context, it is a pointer to a resource available over HTTP.

                                            That's how I would qualify something as a link. And DNS does this fully, as much as any other kind of link.
