httpd-dev mailing list archives

From Darryl Miles <darryl-mailingli...@netbauds.net>
Subject Re: [PATCH 40026] ServerTokens Off
Date Mon, 21 Aug 2006 09:50:11 GMT
Mads Toftum wrote:
> +1 - looking at the number of IIS-targeted worms that keep hitting my
> Apache installs seems to suggest that obscuring the server name will at
> most lead to a false sense of security. Besides, if you really care, I'm
> pretty sure it wouldn't be all that hard to guess what server it is by
> looking at all the rest of the headers.

Looking at the way the TCP/IP stack behaves under normal and error
conditions.

Looking at the way the HTTP server behaves under normal and error 
conditions.

Looking at the way the file serving behaves under normal and error 
conditions.

Looking at the way any scripting technology behaves under normal and 
error conditions.

You can't hide everything, and why waste your own CPU cycles trying to
imitate another platform's quirks, when you could be serving documents
with it.  Another major point about OSS security is that it can
withstand source code disclosure _AND_ still be secure.  Maybe other
server implementations just aren't in the same league of security.

Darryl
