httpd-dev mailing list archives
From Colm MacCarthaigh <>
Subject Re: Proposal: Allow ServerTokens to specify Server header completely
Date Tue, 13 Jan 2004 15:50:41 GMT
On Tue, Jan 13, 2004 at 03:28:24PM +0000, Ivan Ristic wrote:
>   Also, imagine I have a PHP application (I chose PHP because
>   it runs on Windows and on Unix), and that someone is trying
>   to find a hole in the app. If they think I'm running Windows
>   they'll try to run Windows-specific attempts, completely
>   missing the point (I know about OS fingerprinting but a typical
>   Web attacker doesn't).

If you need to worry about the typical web attacker, you're in
big trouble. The typical web attacker is inept, capable mostly
of mindless regurgitation with the efforts of others. If you
haven't defended against this vector, give up. A lot of them won't even
know what a server-token is.

If the attacker is in any way motivated or adept, they'll know about
whisker et al and changing the token will represent a minor curiosity -
but nothing else.

>   Changing the server signature is a small benefit, but one of
>   many you can have.

I'm utterly convinced that in 99% of circumstances it's of negative
security benefit. You gain pretty much nothing, and lose the ability
to telnet port 80 throughout your subnet and then reliably assess
what you need to upgrade.

Where changing it would be useful is if you want to encode even
more useful information easily, available for audit. Or if you're
an old-time show-off and just want to have a cool banner like
"EvilServer 3.1" that may impress the odd kid who can figure out
how to telnet port 80 :)

>   But, at the end of the day, I think sysadmins should be the ones
>   making the decision, with programmers giving them... rope :)

Absolutely! For good or for bad a lot of people want the ability.

Colm MacCárthaigh                        Public Key:
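The audit value Colm describes (reading your own hosts' Server headers to see what needs upgrading) as an added example, not code from the thread or from httpd; the hosts and header strings below are constructed, and the product/version parsing is a simple reading of the Server header token format rather than any httpd API:

```python
import re

# Constructed sample: Server headers as collected from one's own subnet.
# Hosts and values are hypothetical, not from the original message.
SAMPLE_HEADERS = {
    "10.0.0.11": "Apache/2.0.48 (Unix) PHP/4.3.4",
    "10.0.0.12": "Apache/1.3.29 (Win32) mod_ssl/2.8.16 OpenSSL/0.9.7c",
    "10.0.0.13": "Apache",           # ServerTokens Prod: version withheld
    "10.0.0.14": "EvilServer 3.1",   # custom banner: nothing left to audit
}

# product[/version] [(comment)] tokens, as used in Server headers
TOKEN_RE = re.compile(
    r"([A-Za-z0-9_.-]+)(?:/([0-9][0-9A-Za-z.]*))?(?:\s*\([^)]*\))?"
)


def parse_server_header(value):
    """Split a Server header into (product, version-or-None) pairs."""
    return [(m.group(1), m.group(2)) for m in TOKEN_RE.finditer(value)]


def version_key(version):
    """Turn '2.0.48' or '0.9.7c' into a tuple that compares numerically."""
    key = []
    for part in version.split("."):
        m = re.match(r"(\d*)(.*)", part)
        key.append((int(m.group(1)) if m.group(1) else 0, m.group(2)))
    return tuple(key)


def audit(headers, product, minimum):
    """Classify each host as 'ok', 'outdated', or 'unknown' for one product.

    'unknown' is exactly the case the message warns about: a host whose
    banner was trimmed or replaced can no longer be assessed from here."""
    result = {}
    for host, header in headers.items():
        versions = dict(parse_server_header(header))
        ver = versions.get(product)
        if ver is None:
            result[host] = "unknown"
        elif version_key(ver) < version_key(minimum):
            result[host] = "outdated"
        else:
            result[host] = "ok"
    return result


if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_HEADERS, "Apache", "2.0.48").items()):
        print(host, status)
```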
