Free Ways To Hide Files From Snoopers
Sometimes database files must be protected from scrutiny.
Files with email addresses or credit card information come
to mind.
Even if the information isn't sensitive, it's still no one
else's business.
Password management software can be obtained and installed.
And elaborate file encryption methods can be employed.
But all that's rarely necessary just to protect some files.
Snooping generally occurs over the HTTP protocol. That's the
protocol used by browsers, and by spiders and snooping robots.
Other Protocols
Other protocols might be used, like FTP, telnet, or SSH. To
access files with any of those protocols, your username and
password must be known or guessed. Protecting access info
could be an entire other article, and much has been written on
the subject. But here are just a few points to keep in mind:
- Use long passwords with non-alphanumeric characters
  interspersed.
- Change passwords after program installers, site
  designers, or other third-parties have been granted
  access to your server. (This is not an act of
  distrust. It's plain common sense. Passwords can be
  compromised unknowingly. If your server is broken
  into, your list of people who have the password is
  shorter. Honest installers and designers appreciate
  your thoughtful removing of possible suspicion.)
- Change server access passwords frequently. The
  more people have server access, the more likely
  inadvertent disclosure will occur, and the more
  often passwords should be changed.
- Don't use server access passwords in other
  applications like software control panels and
  membership sites. Server access passwords should
  not be used anywhere but for server access.
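The first point above, a long password with non-alphanumeric characters interspersed, is easy to get wrong by hand (people tend to tack a single "!" onto the end). The following is an added example, not part of the original article: a generator that draws from the operating system's secure random source and a policy check that insists the non-alphanumeric characters sit inside the password rather than only at its ends. The punctuation set and the minimum lengths are the example's own assumptions, chosen to avoid characters that need quoting in shells and URLs.

```python
import secrets
import string

# Character classes used by the generator (assumption: this punctuation set
# avoids characters that are awkward to type into shells, URLs or FTP clients).
LETTERS_DIGITS = string.ascii_letters + string.digits
PUNCTUATION = "!#$%&*+-=?@^_~"


def generate_password(length: int = 24, min_punct: int = 4) -> str:
    """Return a random password of `length` characters containing at least
    `min_punct` non-alphanumeric characters, shuffled so they are interspersed."""
    if length < min_punct + 8:
        raise ValueError("length too short for the requested punctuation count")
    chars = [secrets.choice(LETTERS_DIGITS) for _ in range(length - min_punct)]
    chars += [secrets.choice(PUNCTUATION) for _ in range(min_punct)]
    # Fisher-Yates shuffle driven by secrets.randbelow, so the positions of the
    # punctuation characters are as unpredictable as the characters themselves.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def meets_policy(password: str, min_length: int = 16, min_punct: int = 2) -> bool:
    """Check a candidate password against the article's advice: long, with
    non-alphanumeric characters interspersed (at least one must sit strictly
    inside the password, not as its first or last character)."""
    if len(password) < min_length:
        return False
    punct_positions = [i for i, c in enumerate(password) if not c.isalnum()]
    if len(punct_positions) < min_punct:
        return False
    return any(0 < i < len(password) - 1 for i in punct_positions)


if __name__ == "__main__":
    candidate = generate_password()
    print(candidate, "meets policy:", meets_policy(candidate))
```

Run it once per account that needs a new server password; the policy check is also usable on its own to vet passwords chosen by third parties before they are accepted.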
Protection From HTTP Protocol Snoopers
The HTTP protocol is the public's access to information
on your server. It's primarily used to view files (like
displaying web pages), but can also be used for activities
like downloading files and submitting forms.
The HTTP protocol by itself cannot be used to change the
contents on a server (that would require the cooperation of
a program on the server). But HTTP can be used to view
files.
And some files left exposed should not be viewed by the
public.
Following are three protection methods, the file name
extension spoof, the unfulfilled password, and the curtain.
The File Name Extension Spoof
Changing a database file name extension can force the
server to treat the file as a different file type.
Specifically, renaming a file in the cgi-bin from file.txt
to file.cgi or file.pl will cause an Internal Server Error
when a browser tries to access it. That's because the
server tries to run the database file as if it were a
script, instead of displaying the file in the browser.
CGI programs can still access a file directly regardless
of its file name: file.txt or file.cgi, it doesn't matter.
This is a great way to protect data stored in the cgi-bin.
The Unfulfilled Password Method
This is so cool. An entire directory is protected, but the
password can never be guessed because no password has ever
been assigned.
When server programs, like CGI programs, update files on a
server in public locations other than the cgi-bin, browsers
can be locked out of the entire directory with these four
lines in the .htaccess file:
AuthName "No Access"
AuthType Basic
AuthUserFile /.missing
Require valid-user
The .htaccess file must be in the directory to be locked.
Because no AuthUserFile ".missing" exists on the server, no
file containing passwords is available. No matter how long
they try, snoopers can never guess a password that doesn't
exist.
Browsers are locked out. But server programs can access the
files directly.
This unfulfilled password method can also be used in the
cgi-bin. But be careful that you don't lock out any CGI
programs that need to be accessed with a browser. When
only data files are in the directory, feel free to use
this method.
The Curtain
With this method, you simply hide the files.
Put an index.html file in the directory where the files are
located. The index.html file may be blank, if you wish.
Alternatively, it can redirect snoop attempts to a different
URL anywhere on the Internet.
With the index.html file in the directory, all other files
in the directory are hidden. Snoopers must guess the file
name in order to access it.
No links may point to any of the files to be hidden.
This "curtain" method is the least effective because the
file names might be guessed and then the file viewed.
It's a quick method, though, and might be utilized when
the file to be protected won't be on the server for a
substantial length of time. An example of use would be to
provide links to private web pages or downloadable files
for clients or friends, with the files removed from the
server immediately after they've served their purpose.
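The three methods above (the file name extension spoof, the unfulfilled password, and the curtain) each leave a footprint on disk, so a server administrator can audit a web root for data files and see which method, if any, protects each one. The following is an added example, not code from the original article: it builds a small constructed directory tree in a temporary folder (sample email addresses and order lines are made up), then classifies every data file the way the article's reasoning would. A file under cgi-bin renamed to .cgi or .pl counts as hidden by the extension spoof (real scripts, recognised by their "#!" first line, are skipped); a directory whose .htaccess has Require valid-user and an AuthUserFile that does not exist counts as locked by the unfulfilled password; a directory holding only an index.html counts as the curtain and is flagged weak because the file name can still be guessed; anything else is reported as exposed. The directory names, file extensions and the assumption that cgi-bin hands .cgi and .pl files to a script handler are the example's own.

```python
import re
import tempfile
from pathlib import Path

# Extensions treated as data files worth protecting (assumption for this example).
DATA_EXTENSIONS = {".txt", ".csv", ".db", ".dat"}
# Extensions the article says the server runs as scripts inside cgi-bin.
SCRIPT_EXTENSIONS = {".cgi", ".pl"}


def htaccess_locks_out_browsers(directory: Path) -> bool:
    """True when `directory`/.htaccess requires a valid user but names an
    AuthUserFile that does not exist: the article's unfulfilled password."""
    ht = directory / ".htaccess"
    if not ht.is_file():
        return False
    text = ht.read_text()
    requires_user = re.search(r"^\s*Require\s+valid-user\s*$", text, re.M)
    user_file = re.search(r"^\s*AuthUserFile\s+(\S+)", text, re.M)
    if requires_user is None or user_file is None:
        return False
    return not Path(user_file.group(1)).exists()


def classify(path: Path, cgi_bin: Path) -> str:
    """Name the protection method covering one data file, following the article."""
    directory = path.parent
    if htaccess_locks_out_browsers(directory):
        return "locked: unfulfilled password"
    if path.suffix in SCRIPT_EXTENSIONS and cgi_bin in path.parents:
        return "hidden: extension spoof"
    if (directory / "index.html").is_file():
        return "weak: curtain only (file name can be guessed)"
    return "EXPOSED: directly downloadable"


def audit(web_root: Path, cgi_bin: Path) -> dict:
    """Map each data file (relative to web_root) to its protection status."""
    report = {}
    for p in sorted(web_root.rglob("*")):
        if not p.is_file() or p.suffix not in DATA_EXTENSIONS | SCRIPT_EXTENSIONS:
            continue
        if p.suffix in SCRIPT_EXTENSIONS and p.read_bytes()[:2] == b"#!":
            continue  # a real CGI program, not a renamed data file
        report[p.relative_to(web_root).as_posix()] = classify(p, cgi_bin)
    return report


def build_sample_tree(base: Path) -> tuple:
    """Constructed sample web root for the demonstration; all contents are made up."""
    web_root = base / "htdocs"
    cgi_bin = web_root / "cgi-bin"
    for d in (cgi_bin, web_root / "data", web_root / "downloads", web_root / "public"):
        d.mkdir(parents=True)
    # cgi-bin: a real script, a data file renamed per the extension spoof, a plain one
    (cgi_bin / "form.cgi").write_text('#!/usr/bin/perl\nprint "Content-type: text/plain\\n\\nok\\n";\n')
    (cgi_bin / "subscribers.cgi").write_text("alice@example.com\nbob@example.com\n")
    (cgi_bin / "subscribers.txt").write_text("carol@example.com\n")
    # data/: the four-line unfulfilled password .htaccess from the article
    (web_root / "data" / ".htaccess").write_text(
        'AuthName "No Access"\nAuthType Basic\nAuthUserFile /.missing\nRequire valid-user\n'
    )
    (web_root / "data" / "orders.csv").write_text("1001,card-ending-0000\n")
    # downloads/: curtain only (blank index.html)
    (web_root / "downloads" / "index.html").write_text("")
    (web_root / "downloads" / "report.txt").write_text("private report\n")
    # public/: no protection at all
    (web_root / "public" / "notes.txt").write_text("left here by mistake\n")
    return web_root, cgi_bin


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        web_root, cgi_bin = build_sample_tree(Path(tmp))
        return audit(web_root, cgi_bin)


if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{status:48} {name}")
```

To run it against a real server, call audit() with the document root and cgi-bin path instead of the constructed tree. The classifier deliberately ranks the curtain below the other two, matching the article's own assessment, and treats an existing AuthUserFile as not locked, since a password file that exists is something a snooper can at least try to guess against.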
Will Bontrager
©2005 Bontrager Connection, LLC