httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Thomas Eibner <>
Subject Re: [PATCH] for ServerSignatures / ServerTokens
Date Wed, 17 Oct 2001 14:51:41 GMT
On Wed, Oct 17, 2001 at 07:34:29AM -0700, Marc Slemko wrote:
> > 
> > Attached is a patch which allows you to configure the Signature and the
> > Token's arbitrarily (along with their old options of course):
> > 
> > 	ServerTokens "Apache/1.3 (PR7;Patch 2001-10-13) %O"
> > 	ServerSignature "This is apache <a href='mailto:me@foo'>"
> > 	ServerTokens Minimal
> > 	ServerTokens "%a/%v (%P)"
> > 
> > etc. I guess that part of the debate should be if this needs a big #ifdef
> > I_KNOW_WHAT_I_AM_DOIGN around it; so that it is not tooo easy to edit the
> > server string :-) and skew netcraft. On the other hand - I've found this
> > is a very common consultancy style change to make. For good reasons
> > usually (such as a wap-gateway getting confused; or some other third party
> > which thinks should use the Server: field for some interpretive dancing).
> Just because there is stupid software out there that is too broken to
> deserve to exist in the real world doesn't mean we need to provide 
> explicit support for that.

Right. And everyone that works on Apache knows that it wouldn't take
more than two minutes to find the place to fix it and recompile.

> Being configurable is great, but this seems to just be bloat to me
> that legitimizes twiddling with the server string because people
> think it is cool or they are using very braindead software or doing
> so at a very braindead company.  I think it is a lot better for it
> to be obvious that "this need is caused by unreasonable software
> or policies and requires hacking on the code of Apache and any
> other webserver just because this other thing is horribly broken"
> instead of "oh, no problem, we can just twiddle this config directive
> and it is all good".

Hear! I remember (With failing memory and all) reading the sources of
some early 1.3.x where it said you couldn't change the server string,
but that might just be some memory corruption.

> You already have ignorant "security professionals" suggesting you hack 
> the source to change the name so "no one knows what server you are running".
> In reality, that is completely futile.

Security through obscurity was the first thing that came to my mind. If
the Server: header is empty or not showing up something must be wrong
with what they're running, let's just try some basic attacks on this

> I'm just not sure there is enough of a real need out there for this sort
> of thing to make the benefits outweight the disadvantages and extra code
> that it adds...

+ the testing it will require.

  Thomas Eibner <> DnsZone <>
  mod_pointer <> 

View raw message