httpd-dev mailing list archives

From Ian Holsman <i...@cnet.com>
Subject Re: Better privacy with SERVER_SIGNATURE
Date Tue, 20 Nov 2001 05:42:44 GMT
On 11/19/01 9:39 PM, "Thomas Eibner" <thomas@stderr.net> wrote:

> On Wed, Oct 17, 2001 at 06:35:27AM +0200, Thomas Eibner wrote:
>> I don't like the idea of people being able to change the server
>> signature to something like "AnythingGoes/1.0", 'cause there is really
>> no product called that, if it's Apache, it should say Apache or not
>> say anything at all. And the disguising of the OS doesn't really matter
>> either since there are other ways of figuring out what OS you're
>> running. If people can't figure out how to patch the source to show
>> up another name than Apache they really shouldn't be messing with it
>> (IMHO).
>> 
>> Is there a really good reason why you want something other than "Apache"
>> to show up in the Server header? Security? Keeping up with security
>> announcements and upgrading when necessary should be enough I think.
>> 
>> Related to this: what is it going to do to the Netcraft survey when
>> every kid on the block starts changing the server header to
>> "MyCoolWebserver/2.0"?
> 
> To bring a little kick back in this old thread..
> 
> I noticed this while casually surfing with lwp-request:
> $ lwp-request -m HEAD http://www.mandrake.com/ | grep Server
> Server: Apache-AdvancedExtranetServer/1.3.12  (NetRevolution/Linux-Mandrake) PHP/3.0.17-dev mod_ssl/2.6.4 OpenSSL/0.9.5a
> 
> And it seems like this goes into Mandrake's default apache distribution
> too. 
> 
> So I thought, oh well, I guess Netcraft knows about this.. But in fact it
> doesn't seem to be the case, on sites that use an unmodified Apache header
> they display the string: "Apache users include ..." which isn't the case
> when you check www.mandrake.com.
> 
> I might be overreacting, but from: src/include/httpd.h:
> 
> * "Product tokens should be short and to the point -- use of them for
> * advertizing or other non-essential information is explicitly forbidden."
> 
> It certainly seems like non-essential information to me, and I'm wondering
> why Mandrake actually wants to call it Apache-AdvancedExtranetServer ?
> 
> Looking at http://www.securityspace.com/s_survey/data/200109/servers.html
> it actually looks like a good deal of servers with this Server-string
> is out there. Around 8200 hosts/vhosts alone in this survey.
> 
> Is this what people want to happen with the Server string or is it not
> that big of a deal?

Personally I always thought advertising your version # and list of modules
is just an invitation to get hit...
The server string's only use IMHO is to get your netcraft numbers up.
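As an added illustration that is not part of this thread, the Python below splits a Server header into RFC 2616 product tokens and parenthesised comments and grades how much it discloses, using the Mandrake string quoted above plus two constructed headers. The level names only approximate Apache's ServerTokens values; the grading rules are my own, not httpd's.

```python
import re

# Constructed sample headers; the first is the one quoted in the thread.
SAMPLE_HEADERS = [
    "Apache-AdvancedExtranetServer/1.3.12  (NetRevolution/Linux-Mandrake) "
    "PHP/3.0.17-dev mod_ssl/2.6.4 OpenSSL/0.9.5a",
    "Apache/1.3.22 (Unix)",
    "Apache",
]

# RFC 2616 3.8: product = token ["/" product-version]; the Server header is
# 1*( product | comment ), where a comment is parenthesised free text.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_PART = re.compile(rf"\(([^)]*)\)|({_TOKEN})(?:/({_TOKEN}))?")


def parse_server_header(value):
    """Return a list of ('product', name, version) and ('comment', text, None) items."""
    items = []
    for m in _PART.finditer(value):
        comment, name, version = m.groups()
        if comment is not None:
            items.append(("comment", comment.strip(), None))
        else:
            items.append(("product", name, version))
    return items


def disclosure_level(value):
    """Grade a Server header (my own ladder, loosely following ServerTokens):
    'prod'    - product name only, what `ServerTokens Prod` emits
    'version' - name plus version number
    'os'      - a parenthesised comment, typically the OS
    'full'    - extra product tokens such as modules or PHP/OpenSSL versions
    """
    items = parse_server_header(value)
    products = [i for i in items if i[0] == "product"]
    comments = [i for i in items if i[0] == "comment"]
    if len(products) > 1:
        return "full"
    if comments:
        return "os"
    if products and products[0][2] is not None:
        return "version"
    return "prod"


def audit(headers):
    """List (header, level) for every header that reveals more than the product name."""
    return [(h, disclosure_level(h)) for h in headers if disclosure_level(h) != "prod"]
```

Run `audit(SAMPLE_HEADERS)` against headers collected from your own hosts to see which ones still advertise versions and module lists.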

