CertiGuide to Security+  9  Chapter 2:  Communication Security (Domain 2.0; 20%)       9  2.3  The Web            9  2.3.4  Vulnerabilities

Dependence on “Security Through Obscurity” 1 Web Software Flaws

Speaking of web search engines, yet another web-related security issue is similar to the issue of email retention. Once a piece of information is out on the web, it really DOES seem to consciously WANT to be free.

For example, documents get picked up by random surfers and reposted to other sites (with or without the original webmaster’s permission), or a search service like Google snares a copy of it for indexing purposes, kindly, squirreling it away in its cache for searchers’ convenience later. After all, it’s quite an inconvenience to an attacker when he sees the memo about the default password policy for new system accounts, which he found through Google, is no longer on-line at its original site. Google empathizes with the attacker, and provides him a cached copy of the document, as originally indexed, from its own terabytes (petabytes?) of disk upon request. One of your authors discovered the default password policy for a state government division this way, during an audit.

Also, to ensure that no bad site design ever goes unremembered by history, there’s the Internet Archive Wayback Machine²¹³. This is a time-based web archiving service that takes snapshots of web pages periodically allowing it to serve as a history of the evolution of web sites throughout the months and years. As with the Google cache, in addition to providing a look at what the site was like at a certain time, it could also provide access to data that the site has since thought to remove from public view.

Dependence on “Security Through Obscurity” 1 Web Software Flaws