From: Jim Jagielski
Message-Id: <200401131435.i0DEZJC05346@devsys.jaguNET.com>
Subject: Re: Proposal: Allow ServerTokens to specify Server header completely
To: dev@httpd.apache.org
Date: Tue, 13 Jan 2004 09:35:15 -0500 (EST)
Reply-To: jim@jaguNET.com
In-Reply-To: from "Ivan Ristic" at Jan 13, 2004 02:25:36 PM

Ivan Ristic wrote:
>
>
> > As Lars said (and I agree), it has nothing to do with security. Why do you
> > provide such a "feature" then?
>
> Because I believe that changing the signature prevents some
> automated tools from attacking the server.
>
> So, the signature
> does matter.
>

Without a doubt. Look at how many exploits grep on not only the
"name" of the server but also the version.

I didn't propose this to create (yet another) heated discussion,
simply to suggest that we take ServerTokens to its logical
conclusion based on some requests I've seen. :)

-- 
===========================================================================
Jim Jagielski [|] jim@jaguNET.com [|] http://www.jaguNET.com/
"A society that will trade a little liberty for a little order
will lose both and deserve neither" - T.Jefferson