I installed a wiki on my shared webhosting (using Apache) account. This wiki is set to private (no read/edit/create rights for unauthorized users) and I'm the only one with an account.
The wiki inserts the wiki page title in the URL path, e.g. a page titled "Foobar" would have the URL example.com/wiki/Foobar.
I want to make sure of three things:
- no-one shall be able to see my wiki content
- no-one shall be able to see if I created a certain wiki page
- no-one shall be able to see which wiki URLs I visit
In other words: not only do the pages contain sensitive content, the URL path is also sensitive.
When I log out and visit example.com/wiki/Foobar (existent) and example.com/wiki/FoobarNope (non-existent) I (1.) can't see any content and (2.) there is no difference in the error message for the existent and the non-existent page.
I use the Firefox add-on RefControl to block the Referer header when I click on links to external pages.
I use HTTPS to encrypt the content and the URL paths (so if I ever should visit my wiki from an untrusted network, no sniffer should be able to see which wiki pages I visit, right?).
Now the only thing I'm not sure about is: What can the other customers on the same shared host see?
Each customer has SSH access. Installation of software is allowed (as long as no root is required). Everyone has access to /tmp. I can start top and see what processes the other customers use at the moment. And probably more … (I'm not that savvy with this).
Might it be possible that other customers see GET requests for the whole server? (if it matters: every customer has their own subdomain, the HTTPS encryption is accomplished by the hoster's wildcard SSL certificate)
Maybe something gets saved to /tmp when I visit a page in my wiki? Cache?
Maybe there is a global (error) log?
Or anything else?