httpd-dev mailing list archives

From "Jeff Trawick" <traw...@gmail.com>
Subject Re: vote on concept of ServerTokens Off
Date Thu, 07 Dec 2006 12:38:55 GMT
On 12/6/06, Colm MacCarthaigh <colm@stdlib.net> wrote:
> On Wed, Dec 06, 2006 at 01:43:49PM -0500, Jeff Trawick wrote:
> > * The Apache HTTP Server project believes that most people who want to
> > avoid sending the Server header mistakenly think that doing so may
> > protect their server from attacks based on known flaws in older Apache
> > HTTPD releases, when in fact the only reasonable way to address these
> > flaws is to upgrade to new Apache HTTPD releases which correct
> > security problems affecting your configuration.  By restricting the
> > ability to configure Apache in this manner, we wish to raise awareness
> > of the need to upgrade when critical vulnerabilities are addressed.
> >
> > (what other reasons go here?)
>
> I think the more important thing about the "security" reason, is that it
> actually *degrades* security, because it impedes the ability to audit.
> Finding out-of-date installations is an nmap one-liner if you leave the
> Server header alone. If you disable it, you have to start logging in to
> the boxes (and getting that access and so on) and check things locally.

The admin who would want to code "ServerTokens Off" is already coding
"ServerTokens Prod", so that is an argument to stop doing what you've
been able to do since 1.3.14.
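As an added example that is not part of the thread or the httpd project's code, a small fleet-audit check in Python illustrating the auditing point raised above: a full version in the Server header can be compared against a minimum release, whereas "ServerTokens Prod" (header reads just "Apache") or an absent header leaves the patch level unknown to a remote audit. The hostnames, header values and minimum version are constructed for the example.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample of Server header values as collected from each host.
# None models a host that sends no Server header at all; a bare "Apache"
# is what "ServerTokens Prod" produces.
SAMPLE_HEADERS: Dict[str, Optional[str]] = {
    "web1.example.test": "Apache/2.2.3 (Unix)",
    "web2.example.test": "Apache/2.0.59 (Unix) PHP/4.4.4",
    "web3.example.test": "Apache",
    "web4.example.test": None,
}

# Matches "Apache/<major>.<minor>.<patch>"; the OS and module suffixes that
# "ServerTokens OS" or "Full" append are ignored.
VERSION_RE = re.compile(r"^Apache/(\d+)\.(\d+)\.(\d+)")


def parse_apache_version(server: Optional[str]) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) when the header exposes a full version, else None."""
    if not server:
        return None
    m = VERSION_RE.match(server)
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def classify(server: Optional[str], minimum: Tuple[int, int, int]) -> str:
    """Decide what a remote audit can conclude from one host's Server header."""
    if server is None:
        return "unknown: no Server header"
    version = parse_apache_version(server)
    if version is None:
        return "unknown: version hidden"
    # Tuple comparison orders versions component by component.
    return "out-of-date" if version < minimum else "current"


def audit(headers: Dict[str, Optional[str]], minimum: Tuple[int, int, int]) -> Dict[str, str]:
    """Classify every host; 'unknown' results are the ones needing a local check."""
    return {host: classify(value, minimum) for host, value in headers.items()}


if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_HEADERS, (2, 2, 3)).items():
        print(f"{host}: {verdict}")
```

Hosts reported as "unknown" are exactly the ones where the header no longer answers the question and a local check becomes necessary.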
