Date: Mon, 21 Aug 2006 11:10:23 +0200
From: Mads Toftum
To: dev@httpd.apache.org
Subject: Re: [PATCH 40026] ServerTokens Off
Message-ID: <20060821091023.GD4248@cr>

On Mon, Aug 21, 2006 at 12:34:55AM +0200, Lars Eilebrecht wrote:
> Well, when we've had similar discussions in the past they were
> usually about argument No. 1, but the consensus was always that
> a security-by-obscurity feature in Apache does not make sense.
>
+1 - looking at the number of IIS-targeted worms that keep hitting my
Apache installs seems to suggest that obscuring the server name will at
most lead to a false sense of security.
Besides, if you really care, I'm pretty sure it wouldn't be all that hard
to guess what server it is by looking at all the rest of the headers.

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall