httpd-dev mailing list archives

From Alvaro Martinez Echevarria <alvaro-ht...@lander.es>
Subject Re: 1.3b8
Date Fri, 29 May 1998 02:27:56 GMT

On Thu, 28 May 1998, Rasmus Lerdorf wrote:

> > I'm not kidding. I really think this is a serious option. And
> > anyway, I am pretty sure that as soon as you program such a
> > configurable option (ServerVersion off, or whatever) and
> > pronounce the word "security", Apache will fall from 50% to 40%.
> > Think about MS and Netscape releasing press notes about the
> > "decreasing market share of Apache".
> So what?  This isn't a marketing contest, this is about producing a decent
> product to meet the needs of the serious web community.

Sure. I don't mean we should drop quality in favor of marketing.
But I really don't think Apache will be less serious or decent if
you don't provide a runtime option to disable the "Server"
disclosure. Actually, I don't think that's a serious way to
increase security. Would you say that changing the server
greeting is a safe way to protect a site running sendmail 8.6.9?
We should focus on making Apache secure, at least as secure as it
has proven to be so far.

And anyway, don't forget that Apache is fighting in a gigantic
market against giants like MS. We just want to make great
server software, but the others (who are earning tons of money
with this) would probably be happy to kill us if they could; so
we'd better not give them a chance to do so. Moreover, I
personally wouldn't like to see Apache losing its leadership in
this industry.

> And besides, if
> Apache is the only server to allow you to disable the Server header, then
> even with the header off it is still uniquely identified.
> -Rasmus

Well, I wouldn't say that is a very scientific opinion. In a
server survey I did a couple of months ago, I found out that
about 1.5% of all servers didn't reveal their server software. For
example, www.yahoo.com, ad.doubleclick.net, and
graph.hotmail.com. And I wouldn't be sure that they are running
Apache.
Regards.

.------------------------------------------------------------------.
|   Alvaro Martínez Echevarría   |      LANDER SISTEMAS            |
|        alvaro@lander.es        |      Pº Castellana, 121         |
`--------------------------------|      28046 Madrid, SPAIN        |
                                 |      Tel: +34-91-5562883        |
                                 |      Fax: +34-91-5563001        |
                                 `---------------------------------'

