Return-Path: 
 <dev-return-29395-apmail-httpd-dev-archive=httpd.apache.org@httpd.apache.org>
Delivered-To: apmail-httpd-dev-archive@httpd.apache.org
Received: (qmail 50769 invoked by uid 500); 4 May 2002 16:01:09 -0000
Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@httpd.apache.org
list-help: <mailto:dev-help@httpd.apache.org>
list-unsubscribe: <mailto:dev-unsubscribe@httpd.apache.org>
list-post: <mailto:dev@httpd.apache.org>
Delivered-To: mailing list dev@httpd.apache.org
Received: (qmail 50756 invoked from network); 4 May 2002 16:01:09 -0000
Errors-To: <wrowe@rowe-clan.net>
Message-Id: <5.1.0.14.2.20020503221459.027897d0@pop3.rowe-clan.net>
X-Sender: wrowe%rowe-clan.net@pop3.rowe-clan.net
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Fri, 03 May 2002 22:27:37 -0500
To: dev@httpd.apache.org
From: "William A. Rowe, Jr." <wrowe@rowe-clan.net>
Subject: RE: [Patch] Concept: have MPM identify itself in Server header
In-Reply-To: <000301c1f318$bfc50790$0a01230a@KOJ>
References: <5.1.0.14.2.20020503192109.0356ac60@pop3.rowe-clan.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N

At 10:06 PM 5/3/2002, you wrote:
> > From: William A. Rowe, Jr. [mailto:wrowe@rowe-clan.net]
> > At 06:08 PM 5/3/2002, Ian Holsman wrote:
> > >
> > >On this note what do people think in making the 'default' install only 
> show the
> > >major version (ie.. Apache 2.0) instead of showing everything?
> >
> > -0 here too... the problem is that a proxy engine, knowing of a specific
> > bug with Apache 2.0.41 and prior could compensate for that shortcoming.
> > Having no version information means the proxy or other client may be
> > unable to accommodate that discrepancy with the HTTP specification.
>
>How prevalent is that in reality?  I mean we allow anybody to bring what
>we report down to just major version number, so we really can't expect
>proxy servers to use what we report to circumvent problems, can we?

Of course it won't catch them all.  That's when you end up with proxy
failure errors.  The point is that a proxy _could_ correct for a bad server
if it knew what to expect.  Take certain flaws in IIS's implementation.
Recognized, they can be worked around.  Unrecognized, the proxies
of the world will simply throw up.  Big deal.

There's another aspect to this debate.  It isn't impossible to come up with
heuristics that describe a given server (based on header presence, absence,
order of headers, capitalization, and even bug results.)  This can be down
to the specific sub revision or service pack level, depending on how the
behavior has been altered.  IMHO - it's fruitless to "mask" the identity
of the HTTP protocol software.  Brute force attacks will still succeed
against vulnerable servers, no matter what their identity reveals.

However, there is _no_ discrepancy in MPM responses, except for very
subtle timing disparities.  It's the same server.  So I don't see how
identifying the HTTP server, but not disclosing the MPM would contract
each other.  Denial of Service isn't a one-shot, it may take a sustained
effort.  So an MPM's vulnerability could be disclosed for targeted,
explicit exploit.

Just my 2c (US).

Bill