@tsteur opened this Pull Request on June 8th 2015 Member

fixes #6552

I tried to write a UI test to check for meta tags but failed after 2 hours. E.g. I couldn't make the Installation tests work on my local server since the fixture installation fails, and I couldn't write an assert for selectors.

I reckon it would be okay without tests but if someone wants to have tests I will go back to this.
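The description above mentions wanting a test that checks the login page's meta tags. As an added example that is not part of this PR or of Piwik, here is a stand-alone Python check (hypothetical helper names, constructed sample HTML) that reads robots directives from `<meta name="robots">` tags and any `X-Robots-Tag` response header and reports which of noindex, nofollow and noarchive are still missing.

```python
"""Check that a login page carries noindex, nofollow and noarchive."""
from html.parser import HTMLParser

REQUIRED = {"noindex", "nofollow", "noarchive"}


class _RobotsMetaParser(HTMLParser):
    """Collects the content of every <meta name="robots"> tag, case-insensitively."""
    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        if tag != "meta":  # HTMLParser already lowercases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("name", "").strip().lower() == "robots":
            self.directives |= _split(a.get("content", ""))


def _split(value):
    """'noindex, nofollow ,NOARCHIVE' -> {'noindex', 'nofollow', 'noarchive'}"""
    return {p.strip().lower() for p in value.split(",") if p.strip()}


def robots_directives(html, headers=None):
    """Union of directives from meta tags and any X-Robots-Tag headers."""
    p = _RobotsMetaParser()
    p.feed(html)
    found = set(p.directives)
    for name, value in (headers or {}).items():
        if name.lower() == "x-robots-tag":
            found |= _split(value)
    return found


def missing_directives(html, headers=None):
    """Directives the page still lacks; an empty set means the check passes."""
    found = robots_directives(html, headers)
    if "none" in found:  # 'none' is shorthand for noindex + nofollow
        found |= {"noindex", "nofollow"}
    return REQUIRED - found


# Constructed sample login pages (hypothetical, not real Piwik output).
UNPROTECTED = "<html><head><title>Piwik &rsaquo; Sign in</title></head><body></body></html>"
PROTECTED = ('<html><head><meta NAME="Robots" content="noindex, nofollow ,NOARCHIVE">'
             '<title>Piwik &rsaquo; Sign in</title></head><body></body></html>')

if __name__ == "__main__":
    for label, page in (("unprotected", UNPROTECTED), ("protected", PROTECTED)):
        print(label, "missing:", sorted(missing_directives(page)) or "none")
```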

@hpvd commented on October 28th 2015

as commented in #6552:

just wanted to comment on mattab's comment above:
"it's good to index the login pages of Piwik (for example they link to piwik.org)"

of course from an SEO point of view (backlinks) I could understand that.

From a security point of view an easy to find login page is not that great.
One could e.g. easily do the following thing - FULLY AUTOMATED:
1) search for login page
2) start brute force attack
3) when you are successful: look for ecommerce
4) extract /download everything
5) make a database of ecommerce data
6) sell it to everyone (competitors)

on other systems there is a great effort to hide the login page with the following:

  • of course for every visitor: noindex, no follow, no archive
  • have a possibility to easily change login url within the backend

so I would strongly vote for noindex, no follow, no archive also for the login page

@hpvd commented on October 28th 2015

other impact possibilities for non ecommerce sites:
some piwik users set visitor names similar to those used in their forum...
so the steps are the following:
1) search for piwik login page
2) start brute force attack
3) when you are successful: look for uncommon visitor names
4) extract /download the names (e.g. from visitorlog)
5) make a database of these
6) go to forum page
7) use brute force again to get in with several usernames
8) spam forum...

so not only ecommerce sites may be affected

@tsteur commented on October 28th 2015 Member

:+1: maybe create a new issue for this? The privacy of users should be above possible benefits for Piwik (and it is not even very clear if it is a clear benefit, since a couple of people say it's not that much of a benefit anymore)

@wishsimply commented on November 21st 2018

Hmm.. could you @tsteur open the new issue? I am a bit confused as to why the login page should be left out, and why this has not already been implemented, as there have been requests for it since 2009 (https://forum.matomo.org/t/exclude-piwik-from-being-indexed-by-search-engines/363) and also another issue (https://github.com/matomo-org/matomo/issues/6552) since 2014 with commits for it, and you have already been testing it.

Or can you reopen this or the other issue (6552)?

This Pull Request was closed on June 8th 2015