Mailing-List: contact new-httpd-help@apache.org; run by ezmlm
Delivered-To: mailing list new-httpd@apache.org
Received: (qmail 73313 invoked from network); 17 Feb 2000 12:29:08 -0000
Received: from taz.hyperreal.org (HELO hyperreal.org) (209.133.83.16) by locus.apache.org with SMTP; 17 Feb 2000 12:29:08 -0000
Received: (qmail 27270 invoked from network); 17 Feb 2000 12:29:07 -0000
Received: from devsys.jagunet.com (206.156.208.6) by taz.hyperreal.org with SMTP; 17 Feb 2000 12:29:07 -0000
Received: (from jim@localhost) by devsys.jaguNET.com (8.9.3/jag-2.6) id HAA29914 for new-httpd@apache.org; Thu, 17 Feb 2000 07:29:03 -0500 (EST)
From: Jim Jagielski
Message-Id: <200002171229.HAA29914@devsys.jaguNET.com>
Subject: Re: Server: response header field and ServerTokens again
To: new-httpd@apache.org
Date: Thu, 17 Feb 2000 07:29:02 -0500 (EST)
Reply-To: jim@jaguNET.com
In-Reply-To: <38ABE9AD.9A45920E@Golux.Com> from "Rodent of Unusual Size" at Feb 17, 2000 07:29:33 AM
X-Mailer: ELM [version 2.5 PL2]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

I see no reason not to extend ServerTokens as required.

Rodent of Unusual Size wrote:
>
> According to some mail I've been getting, at least one online
> 'security' consultancy is telling their customers that their
> Web servers need to omit the Server field from the response
> header, or at least any version information from it. This is
> to avoid helping crackers go directly to version-specific
> exploits. (Their specific instructions to customers describing
> how to change the field setting for Apache are laughable, but..)
> Apparently some Web customers are requiring 'ICSA compliance,'
> which means making their Web service providers make this happen.
>
> I'm not in favour of omitting the field altogether, but is it
> worthwhile to add something like "ServerTokens ProductOnly"
> so that the field looks like only "Server: Apache"? 2616
> permits this; the product-version portion is optional.
>
> Of course, a cracker is going to try *all* the known exploits,
> not just some that seem to apply to a specific version, so
> the *need* for this is infinitesimal at best. But would adding
> this do any harm? It would avoid non-developer Apache people
> having to hack/rebuild the source, or possibly moving to another
> server just to satisfy their customers.. we *are* supposed to
> be the most featureful server. ;->
> --
> #ken P-)}
>
> Ken Coar
> Apache Software Foundation
> "Apache Server for Dummies"
>
> Come to the first official Apache Software Foundation
> Conference!
>

--
===========================================================================
Jim Jagielski [|] jim@jaguNET.com [|] http://www.jaguNET.com/
"Are you suggesting coconuts migrate??"
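As an added example, not part of the thread, here is a small Python check a site could run against its own responses to see how much the Server field discloses, mapped onto the ServerTokens levels discussed above (including the "ProductOnly" form Ken proposes). The level names and header shapes follow Apache's documented ServerTokens behaviour; the sample responses are constructed for the example.

```python
import re

# Constructed sample responses (not from the original thread), one per
# ServerTokens level plus one with the field omitted entirely.
SAMPLE_RESPONSES = {
    "Full":        b"HTTP/1.1 200 OK\r\nServer: Apache/1.3.12 (Unix) mod_perl/1.21\r\n\r\n",
    "OS":          b"HTTP/1.1 200 OK\r\nServer: Apache/1.3.12 (Unix)\r\n\r\n",
    "Minimal":     b"HTTP/1.1 200 OK\r\nServer: Apache/1.3.12\r\n\r\n",
    "ProductOnly": b"HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n",
    "Omitted":     b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}

# product[/version][ (comment)][ further tokens]  (RFC 2616 Server syntax)
_SERVER_RE = re.compile(r"^([A-Za-z][\w.-]*)(?:/(\S+))?(\s*\(.*?\))?(.*)$")


def server_header(raw):
    """Return the Server header value from a raw HTTP response, or None."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None


def classify(server_value):
    """Map a Server header value to the ServerTokens level it resembles."""
    if server_value is None:
        return "Omitted"
    m = _SERVER_RE.match(server_value)
    product, version, comment, rest = m.groups()
    if version is None:
        return "ProductOnly"          # e.g. "Apache"
    if comment and rest.strip():
        return "Full"                 # version, OS comment and module list
    if comment:
        return "OS"                   # version plus OS comment
    return "Minimal"                  # product/version only


def discloses_version(raw):
    """True if the response's Server field carries any version information."""
    value = server_header(raw)
    return value is not None and _SERVER_RE.match(value).group(2) is not None


if __name__ == "__main__":
    for level, raw in SAMPLE_RESPONSES.items():
        print(f"{level:12s} -> {classify(server_header(raw)):12s} "
              f"version disclosed: {discloses_version(raw)}")
```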