Stat Security

I just noticed that our stats are completely open to anyone that is smart enough to try /stat/ after our s3 bucket name. I consider this a very large security hole. What solutions can you offer to prevent this open access to our stat information which we consider to be private. Thanks.

tms
Wednesday, March 17, 2010




That's right. The stats we generate are publicly visible by default.

Unfortunately, there's not much we can do about it, given the way that S3 handles security. Objects are either visible to all web browsers or none of them, so the only choice we have is to make them public.

It's been suggested by plenty of smart people that we could at least let you choose your own stats folder name so that it was less guessable. While it's not a perfect solution, that's probably the route we'll take.

I'll keep you posted.

Jason Kester
Sunday, March 21, 2010

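The thread above turns on whether objects under the stats prefix are readable by anyone. A defender's first step is to audit the ACL on each object and flag the ones granted to the predefined AllUsers or AuthenticatedUsers groups. The following is an added example, not code from this thread or from Expat Software; it assumes ACL dictionaries in the shape that boto3's `get_object_acl` returns (`Owner` plus a `Grants` list), and the sample ACLs and the `stat/` prefix are constructed for the demonstration so that the check runs offline. Fetching the real ACLs per key from a live bucket is left to the caller.

```python
"""Audit helper: flag S3 object ACLs that grant read access to everyone.

Added example code, not part of the original forum thread or of the
service discussed there. It assumes ACL dictionaries in the shape
returned by boto3's ``s3.get_object_acl`` (``{'Owner': ..., 'Grants': [...]}``);
the sample ACLs below are constructed for the demonstration.
"""
from typing import Dict, List

# Predefined S3 group grantee URIs (real AWS identifiers).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Permissions that let a grantee fetch the object's contents.
READ_LIKE = {"READ", "FULL_CONTROL"}


def public_read_grants(acl: Dict) -> List[str]:
    """Return the group URIs that give the whole internet (AllUsers) or any
    AWS account (AuthenticatedUsers) read access to an object; empty if none."""
    exposed: List[str] = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical-user grants are not anonymous access
        uri = grantee.get("URI")
        if uri in (ALL_USERS, AUTHENTICATED_USERS) and grant.get("Permission") in READ_LIKE:
            exposed.append(uri)
    return exposed


def find_exposed_objects(acls_by_key: Dict[str, Dict], prefix: str = "stat/") -> Dict[str, List[str]]:
    """Map each object key under ``prefix`` to the anonymous read grants on it.

    ``acls_by_key`` would normally be built by listing the bucket and calling
    get_object_acl for every key; it is passed in here so the check is offline.
    """
    exposed: Dict[str, List[str]] = {}
    for key, acl in acls_by_key.items():
        if not key.startswith(prefix):
            continue
        grants = public_read_grants(acl)
        if grants:
            exposed[key] = grants
    return exposed


# Constructed sample: one world-readable stats report, one private report,
# and one public page outside the stats prefix (public on purpose).
OWNER = {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"}
SAMPLE_ACLS = {
    "stat/2010-03-report.html": {
        "Owner": {"ID": OWNER["ID"]},
        "Grants": [
            {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        ],
    },
    "stat/2010-02-report.html": {
        "Owner": {"ID": OWNER["ID"]},
        "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}],
    },
    "site/index.html": {
        "Owner": {"ID": OWNER["ID"]},
        "Grants": [
            {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        ],
    },
}

if __name__ == "__main__":
    for key, grants in find_exposed_objects(SAMPLE_ACLS).items():
        print(f"EXPOSED {key}: readable by {', '.join(grants)}")
```

Run as a script it lists only `stat/2010-03-report.html`, since the public page under `site/` is outside the audited prefix and the February report has no group grant. Passing `prefix=""` audits every key instead.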

© 2024 Expat Software