httpd-dev mailing list archives

From Thomas Eibner <tho...@stderr.net>
Subject Re: Better privacy with SERVER_SIGNATURE
Date Tue, 20 Nov 2001 05:39:45 GMT
On Wed, Oct 17, 2001 at 06:35:27AM +0200, Thomas Eibner wrote:
> I don't like the idea of people being able to change the server
> signature to something like "AnythingGoes/1.0", 'cause there is really
> no product called that, if it's Apache, it should say Apache or not
> say anything at all. And the disguising of the OS doesn't really matter
> either since there are other ways of figuring out what OS you're 
> running. If people can't figure out how to patch the source to show
> up another name than Apache they really shouldn't be messing with it
> (IMHO).
> 
> Is there a really good reason why you want something other than "Apache"
> to show up in the Server header? Security? Keeping up with security
> announcements and upgrading when necessary should be enough I think.
> 
> Related to this: what is it going to do to the Netcraft survey when
> every kid on the block starts changing the server header to 
> "MyCoolWebserver/2.0"?

To bring a little kick back in this old thread..

I noticed this while casually surfing with lwp-request:
$ lwp-request -m HEAD http://www.mandrake.com/ | grep Server
Server: Apache-AdvancedExtranetServer/1.3.12  (NetRevolution/Linux-Mandrake) PHP/3.0.17-dev mod_ssl/2.6.4 OpenSSL/0.9.5a

And it seems like this goes into Mandrake's default apache distribution
too. 

So I thought, oh well, I guess Netcraft knows about this.. But in fact it
doesn't seem to be the case, on sites that use an unmodified Apache header
they display the string: "Apache users include ..." which isn't the case
when you check www.mandrake.com.

I might be overreacting, but from: src/include/httpd.h:

 * "Product tokens should be short and to the point -- use of them for 
 * advertizing or other non-essential information is explicitly forbidden."

It certainly seems like non-essential information to me, and I'm wondering
why Mandrake actually wants to call it Apache-AdvancedExtranetServer ?

Looking at http://www.securityspace.com/s_survey/data/200109/servers.html
it actually looks like a good deal of servers with this Server-string
is out there. Around 8200 hosts/vhosts alone in this survey. 

Is this what people want to happen with the Server string or is it not
that big of a deal?

-- 
  Thomas Eibner <http://thomas.eibner.dk/> DnsZone <http://dnszone.org/>
  mod_pointer <http://stderr.net/mod_pointer> 
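Added example, not code from this thread or from the Apache project: a small Python parser that splits a Server header into its RFC 2616 product tokens and comments, then summarizes what a survey such as Netcraft, or a casual HEAD request, learns from it. The sample headers are constructed for the demonstration; the first reproduces the string quoted above, the others are invented contrasts.

```python
import re

# Sample Server headers, constructed for this demonstration. "mandrake" is
# the string quoted in the message above; the rest are invented contrasts.
SAMPLE_HEADERS = {
    "mandrake": "Apache-AdvancedExtranetServer/1.3.12  (NetRevolution/Linux-Mandrake) "
                "PHP/3.0.17-dev mod_ssl/2.6.4 OpenSSL/0.9.5a",
    "full": "Apache/1.3.22 (Unix) mod_ssl/2.8.5 OpenSSL/0.9.6b",
    "prod": "Apache",
    "renamed": "MyCoolWebserver/2.0",
}

# product [ "/" product-version ] -- neither part may contain whitespace,
# parentheses or the separating slash.
_PRODUCT = re.compile(r"([^\s()/]+)(?:/([^\s()/]+))?")
_COMMENT = re.compile(r"\(([^)]*)\)")


def parse_server_header(value):
    """Split a Server header into product tokens and comments.

    RFC 2616 defines Server as a list of product tokens, optionally
    interleaved with comments in parentheses (typically the OS).
    Returns ([(product, version_or_None), ...], [comment, ...]).
    """
    products, comments, pos = [], [], 0
    while pos < len(value):
        if value[pos].isspace():
            pos += 1
            continue
        m = _COMMENT.match(value, pos)
        if m:
            comments.append(m.group(1))
            pos = m.end()
            continue
        m = _PRODUCT.match(value, pos)
        if not m:  # stray ')' or similar: refuse rather than guess
            raise ValueError(f"cannot parse Server header at offset {pos}: {value!r}")
        products.append((m.group(1), m.group(2)))
        pos = m.end()
    return products, comments


def summarize(value):
    """Describe what a survey or scanner learns from one Server header."""
    products, comments = parse_server_header(value)
    first = products[0][0] if products else None
    return {
        "identifies_as_apache": first == "Apache",   # the first token is what a survey keys on
        "version_disclosed": bool(products and products[0][1]),
        "extra_tokens": max(len(products) - 1, 0),  # modules/libraries tacked on
        "comments": comments,                        # OS / distribution notes
    }
```

Run summarize() over each entry of SAMPLE_HEADERS to see that the Mandrake string is not recognised as Apache by its first token while still disclosing its version, three module tokens and the distribution comment, which is exactly the "non-essential information" the httpd.h comment warns against.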

