From: Robert Cummings on 17 Aug 2010 18:28

On 10-08-17 04:39 PM, Peter Lind wrote:
> On 17 August 2010 22:35, Robert Cummings<robert(a)interjinn.com> wrote:
>>
>>
>> On 10-08-17 04:23 PM, Peter Lind wrote:
>>>
>>> On 17 August 2010 22:17, tedd<tedd(a)sperling.com> wrote:
>>>>
>>>> Hi gang:
>>>>
>>>> The subject line says it all.
>>>>
>>>> How secure is a .htaccess file to store passwords and other sensitive
>>>> stuff?
>>>>
>>>> Can a .htaccess file be viewed remotely?
>>>
>>> No, Apache won't serve it.
>>
>> It's a configuration setting though, and not a hard-coded feature.
>
> Set by default in your apache2.conf file which you're rather unlikely
> to mess with as that is not how you're setting up sites.

Totally agreed... but I've seen worse in my travels :)

Cheers,
Rob.

--
E-Mail Disclaimer: Information contained in this message and any attached documents is considered confidential and legally protected. This message is intended solely for the addressee(s). Disclosure, copying, and distribution are prohibited unless authorized.
From: tedd on 17 Aug 2010 19:41

At 4:23 PM -0400 8/17/10, Robert Cummings wrote:
>On 10-08-17 04:17 PM, tedd wrote:
>>Hi gang:
>>
>>The subject line says it all.
>>
>>How secure is a .htaccess file to store passwords and other sensitive stuff?
>>
>>Can a .htaccess file be viewed remotely?
>
>It depends on the server configuration. I think for the most part
>apache servers disable viewing these files by default. But, in any
>event, when these include access restriction, I always point it at a
>user/password file outside the web tree.
>
>Cheers,
>Rob.
>--

Rob:

When you're on a shared hosting account, they typically prohibit files being outside of the web root. Some do, some don't. For example, GoDaddy.com prohibits files outside of the web root while Parasane.net doesn't, at least my experience with my accounts.

I'm simply trying to find the "best" method to hide sensitive information on a shared hosting environment. Thus far, it appears that .htaccess files are the safest bet, but I understand that nothing is certain -- every method has risks.

GoDaddy.com brags about not being hacked in 6 years and thus offers some verbal assurances that they are secure. However, I am not sure as to what they would do if they were hacked and sensitive information was made public. I'll ask them in writing and see what they say.

In the meantime, I think I'll use .htaccess files for secure stuff.

Cheers,

tedd

--
-------
http://sperling.com/
From: Peter Lind on 18 Aug 2010 01:53

On 18 August 2010 01:41, tedd <tedd(a)sperling.com> wrote:
> At 4:23 PM -0400 8/17/10, Robert Cummings wrote:
>>
>> On 10-08-17 04:17 PM, tedd wrote:
>>>
>>> Hi gang:
>>>
>>> The subject line says it all.
>>>
>>> How secure is a .htaccess file to store passwords and other sensitive
>>> stuff?
>>>
>>> Can a .htaccess file be viewed remotely?
>>
>> It depends on the server configuration. I think for the most part apache
>> servers disable viewing these files by default. But, in any event, when
>> these include access restriction, I always point it at a user/password file
>> outside the web tree.
>>
>> Cheers,
>> Rob.
>> --
>
> Rob:
>
> When you're on a shared hosting account, they typically prohibit files being
> outside of the web root. Some do, some don't. For example, GoDaddy.com
> prohibits files outside of the web root while Parasane.net doesn't, at least
> my experience with my accounts.
>
> I'm simply trying to find the "best" method to hide sensitive information on
> a shared hosting environment. Thus far, it appears that .htaccess files are
> the safest bet, but I understand that nothing is certain -- every method has
> risks.

Try accessing a .htaccess file that you have created - if you get a 403 or anything to that effect, you're safe. You might also want to try the same with .htpasswd and .htgroups (they'll likely be blocked as well, but better safe than sorry). That way you'll actually know if they're safe instead of just relying on our guesses about your servers.

Regards
Peter

--
<hype>
WWW: http://plphp.dk / http://plind.dk
LinkedIn: http://www.linkedin.com/in/plind
BeWelcome/Couchsurfing: Fake51
Twitter: http://twitter.com/kafe15
</hype>
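The check Peter describes, scripted. This is an added example and not code from anyone in the thread; the hostname is a constructed placeholder and the file names are the three he lists. It issues a plain GET for each and reports whether the server refuses to serve it.

```php
<?php
// Added example, not code from the thread: probe a site for .ht* files the
// way Peter suggests and report whether the server refuses to serve them.
// The hostname below is a constructed placeholder.
declare(strict_types=1);

/** Issue a plain GET and return the HTTP status code, or 0 if unreachable. */
function fetchStatus(string $url): int
{
    $ctx = stream_context_create([
        'http' => [
            'method'        => 'GET',
            'ignore_errors' => true,   // hand back 403/404 responses instead of failing
            'timeout'       => 10,
        ],
    ]);
    $body = @file_get_contents($url, false, $ctx);
    if ($body === false || empty($http_response_header)) {
        return 0;
    }
    // First header line looks like "HTTP/1.1 403 Forbidden".
    if (preg_match('#^HTTP/\S+\s+(\d{3})#', $http_response_header[0], $m)) {
        return (int) $m[1];
    }
    return 0;
}

/** Verdict for a file that must never be served to the outside. */
function verdict(int $status): string
{
    if ($status === 0) {
        return 'unreachable';
    }
    if ($status === 403) {
        return 'blocked';       // what Apache's stock <Files ".ht*"> deny rule yields
    }
    if ($status === 404) {
        return 'not found';     // a 404 handler may hide it, or it may simply not exist
    }
    if ($status >= 200 && $status < 300) {
        return 'EXPOSED';
    }
    return 'unexpected';
}

$base = 'http://www.example.com';  // constructed placeholder; point it at your own site
foreach (['/.htaccess', '/.htpasswd', '/.htgroups'] as $path) {
    $status = fetchStatus($base . $path);
    printf("%-12s %3d  %s\n", $path, $status, verdict($status));
}
```

Create the test files first, as Peter says, so that a 404 is not mistaken for a block: an empty .htaccess that comes back 200 is still exposed. Note also that this only exercises the web server's own file-serving path; a script on the same host that reads files by name is a separate question.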
From: Nathan Rixham on 19 Aug 2010 05:03

tedd wrote:
> Hi gang:
>
> The subject line says it all.
>
> How secure is a .htaccess file to store passwords and other sensitive
> stuff?
>
> Can a .htaccess file be viewed remotely?

Semi-safe, .htaccess is prevented from being served by configuration options (which come as default), however these can be overwritten so best to check by doing a GET on the resource URI.

This doesn't prevent them from being exposed via other processes though, for instance a poorly coded 'download.php?path=/path/to/.htaccess' could still expose the file.

Typically, it's obviously better to store only a hash of a password rather than the pass in plain text, choosing the strongest algorithm you can; password security is of course relative though, a sha-512 of 'password1' is far from secure.

A good way to approach encryption for files is to openssl_seal them using a public key which is only available to your application - this doesn't negate insecure code, but it at least ensures the raw files are encrypted securely enough to negate any of these worries. (just keep your private key safe, preferably in a pkcs12 w/a strong 64char+ pass)

Best,
Nathan
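Nathan's two storage suggestions side by side, as an added example rather than his code: a password is kept only as a salted, slow hash, and a secrets file is sealed to an application-held public key with openssl_seal() and recovered with openssl_open(). The key pair, credentials and file contents are all constructed for the demonstration; in real use the private key stays outside the web tree, in a PKCS#12 container with a strong passphrase as he notes.

```php
<?php
// Added example, not Nathan's code: store only a salted slow hash of a
// password, and seal a secrets file to an application-held public key with
// openssl_seal()/openssl_open(). The key pair is generated on the fly here
// for the demonstration only.
declare(strict_types=1);

/** Never store the password: store a bcrypt hash with a random per-hash salt. */
function hashForStorage(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function checkPassword(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

/** Throwaway RSA key pair for the demo; returns [privatePem, publicPem]. */
function makeKeyPair(): array
{
    $key = openssl_pkey_new([
        'private_key_bits' => 2048,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ]);
    openssl_pkey_export($key, $privPem);
    $pubPem = openssl_pkey_get_details($key)['key'];
    return [$privPem, $pubPem];
}

/**
 * Seal $plaintext for the holder of $pubPem. openssl_seal() picks a random
 * symmetric key, encrypts the data with it, and RSA-encrypts that key to the
 * public key. Returns a JSON envelope of iv / encrypted key / ciphertext.
 */
function sealSecrets(string $plaintext, string $pubPem): string
{
    $pub = openssl_pkey_get_public($pubPem);
    $iv  = null;   // filled in by openssl_seal() for IV-bearing ciphers
    $ok  = openssl_seal($plaintext, $sealed, $ekeys, [$pub], 'aes-256-cbc', $iv);
    if ($ok === false) {
        throw new RuntimeException('openssl_seal failed: ' . openssl_error_string());
    }
    return json_encode([
        'iv'   => base64_encode($iv),
        'ekey' => base64_encode($ekeys[0]),
        'data' => base64_encode($sealed),
    ]);
}

/** Reverse of sealSecrets(); only the private-key holder can do this. */
function openSecrets(string $envelope, string $privPem): string
{
    $p    = json_decode($envelope, true);
    $priv = openssl_pkey_get_private($privPem);
    $ok   = openssl_open(
        base64_decode($p['data']), $plain, base64_decode($p['ekey']),
        $priv, 'aes-256-cbc', base64_decode($p['iv'])
    );
    if ($ok === false) {
        throw new RuntimeException('openssl_open failed: ' . openssl_error_string());
    }
    return $plain;
}

// --- demo with constructed values ---
$stored = hashForStorage('correct horse battery staple');
var_dump(checkPassword('correct horse battery staple', $stored));
var_dump(checkPassword('password1', $stored));

[$privPem, $pubPem] = makeKeyPair();
$config   = "db_user=app\ndb_pass=constructed-example-value\n";   // constructed
$envelope = sealSecrets($config, $pubPem);   // this is what would be written to disk
echo strlen($envelope), " bytes sealed\n";
var_dump(openSecrets($envelope, $privPem) === $config);
```

The hash path is for credentials you only ever need to verify; the seal path is for material the application must read back (database passwords, API keys). Neither helps if the code that holds the private key or calls password_verify() is itself leaking data, which is the caveat Nathan makes.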
From: Andre Polykanine on 19 Aug 2010 05:17

Hello Nathan,

Sorry, could you provide any links to read for a security noob?)
Actually, I know that the md5 is decryptable (there are bases with words encrypted in md5), but I thought the SHA1 was secure...

--
With best regards from Ukraine,
Andre
Skype: Francophile
Twitter: http://twitter.com/m_elensule
Facebook: http://facebook.com/menelion

----- Original message -----
From: Nathan Rixham <nrixham(a)gmail.com>
To: tedd <tedd(a)sperling.com>
Date: Thursday, August 19, 2010, 12:03:12 PM
Subject: [PHP] Re: How safe is a .htaccess file?

tedd wrote:
> Hi gang:
>
> The subject line says it all.
>
> How secure is a .htaccess file to store passwords and other sensitive
> stuff?
>
> Can a .htaccess file be viewed remotely?

Semi-safe, .htaccess is prevented from being served by configuration options (which come as default), however these can be overwritten so best to check by doing a GET on the resource URI.

This doesn't prevent them from being exposed via other processes though, for instance a poorly coded 'download.php?path=/path/to/.htaccess' could still expose the file.

Typically, it's obviously better to store only a hash of a password rather than the pass in plain text, choosing the strongest algorithm you can; password security is of course relative though, a sha-512 of 'password1' is far from secure.

A good way to approach encryption for files is to openssl_seal them using a public key which is only available to your application - this doesn't negate insecure code, but it at least ensures the raw files are encrypted securely enough to negate any of these worries. (just keep your private key safe, preferably in a pkcs12 w/a strong 64char+ pass)

Best,
Nathan
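Nathan's other warning, quoted again above, is the poorly coded 'download.php?path=...' that reads whatever file it is pointed at. The hardened shape of such a script, as an added example that is not code from the thread: the user-supplied name is confined to one download directory, dotfiles such as .htaccess are refused outright, and the resolved path is re-checked after symlinks are followed. The demo directory and files are constructed in the system temp directory.

```php
<?php
// Added example, not code from the thread: the hardened shape of the
// "download.php?path=..." script Nathan warns about. A user-supplied name is
// confined to one directory and dotfiles such as .htaccess are refused.
declare(strict_types=1);

/**
 * Resolve $requested to a file inside $baseDir, or return null.
 * Rejects traversal ("../"), absolute paths, dotfiles and symlink escapes.
 */
function resolveDownload(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    // Allow a bare file name only: no separators, and no leading dot.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*$/', $requested)) {
        return null;
    }
    $full = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($full === false || !is_file($full)) {
        return null;
    }
    // Defence in depth: after symlinks are resolved the file must still sit under $base.
    if (strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $full;
}

// --- constructed demo directory in the system temp dir ---
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dl-demo-' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/report.pdf', 'constructed sample download');
file_put_contents($dir . '/.htaccess',  'AuthUserFile /constructed/.htpasswd');

$requests = ['report.pdf', '.htaccess', '../.htaccess', '/path/to/.htaccess', 'report.pdf/../.htaccess'];
foreach ($requests as $name) {
    $hit = resolveDownload($dir, $name);
    printf("%-26s -> %s\n", $name, $hit === null ? 'refused' : 'serve ' . basename($hit));
}

// In the real script the accepted path would then be streamed with readfile().
unlink($dir . '/report.pdf');
unlink($dir . '/.htaccess');
rmdir($dir);
```

Only 'report.pdf' is served; every other request is refused before any file is opened. The allow-list on the name does most of the work; the realpath() prefix check is there so that a symlink dropped into the download directory cannot point the script back at a file outside it.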