httpd-dev mailing list archives

From Manoj Kasichainula <man...@io.com>
Subject Re: 1.3b8
Date Fri, 29 May 1998 04:42:45 GMT
On Thu, May 28, 1998 at 09:54:01PM -0400, Rasmus Lerdorf wrote:
> > I'm not kidding. I really think this is a serious option. And
> > anyway, I am pretty sure that as soon as you program such a
> > configurable option (ServerVersion off, or whatever) and
> > pronounce the word "security", Apache will fall from 50% to 40%.
> > Think about MS and Netscape releasing press notes about the
> > "decreasing market share of Apache".
> 
> So what?  This isn't a marketing contest, this is about producing a decent
> product to meet the needs of the serious web community.

This argument has been made before, but I'll make it anyway. If the
*serious* web community cares for some reason, I think either the
provider of binaries will disable such a setting or the webmaster who
is compiling source can disable it.

The only reason I can think of for not including the Server: header is
"security" and this is security through obscurity, which is generally
doomed to failure. Also, since Apache & derivatives run > 50% of web
servers, any competent or incompetent cracker will pull Apache cracks
out of his toolbox first, anyway.

Also, I think one possible reading of the relevant RFC section might
be that the "specific software version" can be omitted by the user.
So, even if you ignore the "source-provided" requirement, it *might*
be enough to have an option for the server to only specify "Apache" or
"Apache/0.0" instead of the actual version. The statement only says
that the field must be configurable, not what it must be configurable
to.

-- 
Manoj Kasichainula - manojk at io dot com - http://www.io.com/~manojk/
"When you say `I wrote a program that crashed Windows', people just stare at
you blankly and say `Hey, I got those with the system, *for free*'"
  -- Linus Torvalds
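The option Manoj describes (a Server: header reduced to "Apache" or "Apache/0.0" instead of the real version) is only useful if you can verify from the outside what your server actually sends. The following is an added example, not code from this thread or from the Apache project: a small POSIX shell check that pulls the Server: header out of a captured HTTP response and classifies how much it discloses. The level names (none, product, version, platform) and the sample response are constructed for this example; the real header of any given build will differ.

```shell
#!/bin/sh
# Added example (not from the original message): classify what a Server:
# header value gives away, so a "version off" setting can be checked from
# the client side. Level names and sample data below are constructed.

# Print the disclosure level of a Server header value:
#   none     - header absent or empty
#   product  - product name only, e.g. "Apache"
#   version  - name and version, e.g. "Apache/1.3.8"
#   platform - a parenthesised comment is present, e.g. "Apache/1.3.8 (Unix)"
server_header_level() {
    value=$(printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    if [ -z "$value" ]; then
        echo none
    elif printf '%s' "$value" | grep -q '('; then
        # RFC 2616 allows comments after product tokens; they usually carry
        # the OS or module list, which is more than the version alone.
        echo platform
    elif printf '%s' "$value" | grep -Eq '^[^/[:space:]]+/[^[:space:]]+'; then
        # product-token "/" product-version
        echo version
    else
        echo product
    fi
}

# Extract the first Server: header value from raw HTTP response headers
# read on stdin (CRLF line endings are tolerated).
server_header_of() {
    tr -d '\r' | sed -n 's/^[Ss]erver:[[:space:]]*//p' | head -n 1
}

# Constructed sample response, standing in for "curl -sI http://host/".
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Server: Apache/1.3.8 (Unix)
Content-Type: text/html
'

# Stand-alone run: classify the constructed sample.
if [ "${0##*/}" != "sh" ] && [ -z "$SERVER_HEADER_CHECK_QUIET" ]; then
    hdr=$(printf '%s' "$SAMPLE_RESPONSE" | server_header_of)
    printf 'Server: %s -> %s\n' "$hdr" "$(server_header_level "$hdr")"
fi
```

Against a live host, replace the constructed response with `curl -sI http://host/ | server_header_of`. In current Apache httpd releases the corresponding configuration is the `ServerTokens` directive (`Prod` yields just "Apache", `Full` includes OS and module details) together with `ServerSignature Off` for the footer on generated pages; whether and in what form that directive existed at the time of this 1998 message is not something this thread establishes.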
