Message-ID: <e8gena$c48$1@sea.gmane.org>
Date: Wed Jul 5 14:28:38 2006
From: davek_throwaway at hotmail.com (Dave "No, not that one" Korn)
Subject: Re: Google and Yahoo search engine zero-day code
Denis Jedig wrote:
> n3td3v wrote:
>
>> Today's disclosure involves Google and Yahoo search engines:
>>
>> All you need to do is put in the code to a web page, when Google and
>> Yahoo visit it, then the code exploits the software they use and
>> makes them start caching 'other' pages. Including 'no index' pages,
>> where sites have set up a robot text file on their server to protect
>> corporate and consumer interests.
>
> I think you missed the concept here. Whatever is on the webservers and
> is available to the public is... well... available to the public.
>
> It does not help security matters to introduce a robots.txt - the
> purpose of this directives file is not to secure something but to
> reduce traffic and keep irrelevant content out of search engines.
>
> If you need security, you introduce some kind of authentication
> *before* access is allowed to sensitive data. You will find that a
> sign reading "Do not enter and do not steal any gold" will not help
> much at the Fort Knox entrance if it is the only security measure.

Also, Google and Yahoo *do* respect the robots.txt file and do check it
for every server they fetch files from, and the whole thing is garbage. His
so-called 'example' is a fraud because it shows Yahoo caching a page from
the site mtf.news.yahoo.com, which DOES NOT HAVE A ROBOTS.TXT FILE.

cheers,
DaveK
--
Can't think of a witty .sigline today....
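
Added example, not part of the original message: a small audit of the two points made in this thread, that robots.txt is advisory and is looked up per host. The host names, robots.txt bodies, HTTP status codes, the "ExampleBot" agent name and the function names are all constructed for illustration.

```python
from urllib.robotparser import RobotFileParser

# Constructed sample data: robots.txt body per host.
# None models a host that serves no robots.txt at all.
ROBOTS_BY_HOST = {
    "www.example.test": "User-agent: *\nDisallow: /private/\n",
    "news.example.test": None,
}

# Constructed results of unauthenticated GET requests: (host, path) -> status.
UNAUTH_STATUS = {
    ("www.example.test", "/private/report.html"): 200,  # only robots.txt covers it
    ("www.example.test", "/private/admin/"): 401,       # server demands authentication
    ("www.example.test", "/index.html"): 200,
    ("news.example.test", "/private/report.html"): 200,
}


def crawler_may_fetch(host, path, agent="ExampleBot"):
    """Decision a well-behaved crawler makes from that host's own robots.txt."""
    body = ROBOTS_BY_HOST.get(host)
    if body is None:
        # No robots.txt on this host means no crawl restrictions for it.
        return True
    parser = RobotFileParser()
    parser.parse(body.splitlines())
    return parser.can_fetch(agent, path)


def advisory_only(host):
    """Paths a crawler is asked to skip but the server hands to anyone."""
    return sorted(
        path
        for (h, path), status in UNAUTH_STATUS.items()
        if h == host and status == 200 and not crawler_may_fetch(h, path)
    )


if __name__ == "__main__":
    for host in ROBOTS_BY_HOST:
        print(host, "->", advisory_only(host) or "nothing relies on robots.txt alone")
```

A non-empty result lists content whose only barrier is the Disallow line; the fix is server-side authentication, as with the path that answers 401.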