noindex, no follow, no archive also for login page #9121

Closed
hpvd opened this issue Oct 29, 2015 · 4 comments
Labels
wontfix If you can reproduce this issue, please reopen the issue or create a new one describing it.

Comments

@hpvd

hpvd commented Oct 29, 2015

Follow-up to #6552, and as proposed in #8058 (comment):

=> a new ticket for better security of the login page:

From a security point of view, an easy-to-find login page is not that great.
One could, e.g., easily do the following thing - FULLY AUTOMATED:

  1. search for login page
  2. start a brute-force attack
  3. when you are successful: look for ecommerce
  4. extract/download everything
  5. make a database of ecommerce data
  6. sell it to everyone (competitors)

On other systems there is a great effort to hide the login page with the following:

  • of course for every kind of visitors: noindex, no follow, no archive
  • have a possibility to easily change the login URL within the backend

So I would strongly vote for noindex, no follow, no archive also for the login page.

Another idea of what could happen also on non-ecommerce sites is written here: #8058 (comment)
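
As an added, illustrative example that is not part of this issue or of Piwik's code: a small Python WSGI middleware that sets `X-Robots-Tag: noindex, nofollow, noarchive` on login-page responses only, plus the equivalent `<meta>` tag for templates. The routing assumption (Piwik-style `?module=Login`, or a bare `/login` path), the `_demo_app` placeholder and the sample requests are constructed for the example.

```python
"""Added example (not Piwik's own code): emit noindex/nofollow/noarchive for
the login page as an X-Robots-Tag response header and as a <meta> tag."""
from urllib.parse import parse_qs

ROBOTS_DIRECTIVES = "noindex, nofollow, noarchive"


def is_login_request(path, query_string=""):
    """Decide whether a request is for the login page.

    Assumption: Piwik-style routing, where the login module is selected by
    ?module=Login; a bare /login path is also treated as the login page."""
    if path.rstrip("/").lower() == "/login":
        return True
    params = parse_qs(query_string)
    return params.get("module", [""])[0].lower() == "login"


def robots_meta_tag():
    """The equivalent <meta> tag for templates that cannot set headers."""
    return '<meta name="robots" content="%s">' % ROBOTS_DIRECTIVES


class RobotsDirectiveMiddleware:
    """WSGI middleware that adds X-Robots-Tag to login-page responses only.

    A header (or meta tag) is used instead of a robots.txt Disallow line:
    robots.txt is public and would itself advertise the login URL."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        login = is_login_request(environ.get("PATH_INFO", ""),
                                 environ.get("QUERY_STRING", ""))

        def start_response_with_robots(status, headers, exc_info=None):
            if login:
                # Drop any existing X-Robots-Tag so the directives are unambiguous.
                headers = [(k, v) for k, v in headers if k.lower() != "x-robots-tag"]
                headers.append(("X-Robots-Tag", ROBOTS_DIRECTIVES))
            return start_response(status, headers, exc_info)

        return self.app(environ, start_response_with_robots)


def _demo_app(environ, start_response):
    """Constructed placeholder application standing in for the real one."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<html><body>page</body></html>"]


def response_headers_for(path, query_string=""):
    """Run one request through the middleware and return its response headers."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = headers

    environ = {"PATH_INFO": path, "QUERY_STRING": query_string,
               "REQUEST_METHOD": "GET"}
    body = RobotsDirectiveMiddleware(_demo_app)(environ, start_response)
    list(body)  # consume the body iterable as a WSGI server would
    return dict(captured["headers"])


if __name__ == "__main__":
    print(response_headers_for("/index.php", "module=Login&action=index"))
    print(response_headers_for("/index.php", "module=CoreHome"))
```

Either form only affects crawlers that honour the directives; it keeps the page out of search results but does not hide it from anyone who fetches it directly.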

@tsteur
Member

tsteur commented Oct 29, 2015

👍

One could still crawl for Piwik installations though, at least in most cases when one uses JS tracking. E.g. one can search for the standard Piwik snippet in a website and get the URL to the Piwik instance. This can be done automatically too; it is harder this way though, as one has to actually crawl websites. There are also some services, I think, that show which websites use Google Analytics, Piwik, ...

A very important thing would be to actually prevent brute-force attacks, e.g. via #2888 or by making authentication a few seconds slower each time a login fails, etc.
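
To make the second suggestion concrete, an added Python sketch (not Piwik's implementation of #2888) of a login throttle that doubles the delay after each failed attempt, keyed by username and client address, in front of a constant-time password check. The user table, the credentials, the client address and the delay constants are constructed for the example.

```python
"""Added example (not Piwik's own code): slow down repeated failed logins
with an escalating per-(username, client) delay and constant-time checks."""
import hashlib
import hmac
import os

BASE_DELAY = 2.0      # seconds to wait after the first failure
MAX_DELAY = 60.0      # cap, so a targeted account is not frozen for hours
RESET_AFTER = 900.0   # forget a failure history after 15 quiet minutes


def hash_password(password, salt=None):
    """PBKDF2-SHA256; returns (salt, digest). Iteration count is illustrative."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


# Constructed sample user table (hypothetical credentials for the example).
_SALT, _DIGEST = hash_password("correct horse battery staple")
USERS = {"alice": (_SALT, _DIGEST)}
# A dummy record makes the password check cost the same for unknown users,
# so response time does not reveal whether a username exists.
_DUMMY = hash_password("placeholder")


class LoginThrottle:
    def __init__(self, base=BASE_DELAY, cap=MAX_DELAY, reset_after=RESET_AFTER):
        self.base, self.cap, self.reset_after = base, cap, reset_after
        self._state = {}  # key -> (failure count, time of last failure)

    def wait_seconds(self, key, now):
        """Seconds the caller must still wait before another attempt; 0 if allowed."""
        if key not in self._state:
            return 0.0
        failures, last = self._state[key]
        if now - last >= self.reset_after:
            del self._state[key]
            return 0.0
        delay = min(self.base * 2 ** (failures - 1), self.cap)
        return max(0.0, last + delay - now)

    def record_failure(self, key, now):
        failures, _ = self._state.get(key, (0, now))
        self._state[key] = (failures + 1, now)

    def record_success(self, key):
        self._state.pop(key, None)


def authenticate(throttle, username, password, client_ip, now):
    """Returns (ok, retry_after_seconds). `now` is injected for testability."""
    key = (username, client_ip)
    wait = throttle.wait_seconds(key, now)
    if wait > 0:
        return False, wait  # refuse early, without touching the password at all
    salt, digest = USERS.get(username, _DUMMY)
    _, candidate = hash_password(password, salt)
    ok = hmac.compare_digest(candidate, digest) and username in USERS
    if ok:
        throttle.record_success(key)
        return True, 0.0
    throttle.record_failure(key, now)
    return False, throttle.wait_seconds(key, now)


if __name__ == "__main__":
    throttle = LoginThrottle()
    for t, pw in ((0.0, "guess1"), (1.0, "guess2"), (2.0, "guess3")):
        print(t, authenticate(throttle, "alice", pw, "203.0.113.5", t))
```

Keying on the username alone lets anyone lock a victim out by failing on purpose; keying on the client address alone is sidestepped by spreading attempts over many addresses. Keying on the pair, capping the delay and resetting after a quiet period is a common compromise. The returned `retry_after_seconds` maps naturally onto an HTTP 429 response with a `Retry-After` header, and the refusal path does not run the password hash, so throttled requests are also cheap for the server.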

@hpvd
Author

hpvd commented Oct 30, 2015

Of course this is only one step, and there are more to do!

Hmm, can one really find Piwik by searching for a part of an embedded code snippet?
I thought Google searches (shows) only "visible" information.

Doing a site-specific search on our domain (site:www. ... ), which is using Piwik,
for "piwiktracker", there were no results.
Do you have a working example of finding Piwik in source code?

@tsteur
Member

tsteur commented Nov 1, 2015

You could crawl the internet yourself, e.g. with something like http://nutch.apache.org/ or any other web crawler. There might even be search engines already that let you search for certain snippets in a website. Just saying: with enough effort your Piwik can usually still be found (unless you are maybe using LogImporter and do not track client side). Therefore it is also important to work on the brute-force attack issue.

@mattab mattab modified the milestone: Mid term Nov 26, 2015
@mattab
Member

mattab commented Nov 26, 2015

Thanks for the suggestion! But because it does not help security, I don't want to do it. One is welcome to write a plugin to do it, but honestly there is no value in terms of security.

@mattab mattab closed this as completed Nov 26, 2015
@mattab mattab added the wontfix If you can reproduce this issue, please reopen the issue or create a new one describing it. label Nov 26, 2015

3 participants