httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Colm MacCarthaigh <>
Subject Re: vote on concept of ServerTokens Off
Date Wed, 06 Dec 2006 22:00:23 GMT
On Wed, Dec 06, 2006 at 01:43:49PM -0500, Jeff Trawick wrote:
> * The Apache HTTP Server project believes that most people who want to
> avoid sending the Server header mistakenly think that doing so may
> protect their server from attacks based on known flaws in older Apache
> HTTPD releases, when in fact the only reasonable way to address these
> flaws is to upgrade to new Apache HTTPD releases which correct
> security problems affecting your configuration.  By restricting the
> ability to configure Apache in this manner, we wish to raise awareness
> of the need to upgrade when critical vulnerabilities are addressed.
> (what other reasons go here?)

I think the more important thing about the "security" reason, is that it
actually *degrades* security, because it impedes the ability to audit.
Finding out-of-date installations is an nmap one-liner if you leave the
Server header alone. If you disable it, you have to start logging in to
the boxes (and getting that access and so on) and check things locally.

I'd make that point. Personally I think we should include the
functionality, I'm always in favour of allowing people to shoot
themselves in the foot. Sometimes it's the only way they learn ;-)

Colm MacCárthaigh                        Public Key:

View raw message