From: Jim Jagielski
To: dev@httpd.apache.org
Cc: "Roy T. Fielding"
Subject: Re: TRACE still enabled by default
Date: Wed, 21 Mar 2012 08:33:31 -0400
Message-Id: <10EBFF04-E21C-4BE2-8373-9335CC4FAC4E@jaguNET.com>
In-Reply-To: <201203202004.31796.sf@sfritsch.de>

On Mar 20, 2012, at 3:04 PM, Stefan Fritsch wrote:

> On Saturday 17 March 2012, Roy T. Fielding wrote:
>>> We still enable TRACE by default.
>>>
>>> Is this useful enough to justify making every other poor sap with
>>> a security scanner have to manually turn it off?
>>
>> Yes.
>>
>>> I'm hoping 2.4.x is early enough in life where flipping this
>>> wouldn't be too astonishing.
>>
>> I don't change protocols based on fool security researchers and
>> their failure to correctly direct security reports. TRACE is not
>> a vulnerability.
>
> That doesn't mean that it's a good idea to have it on by default. I
> can't remember ever having needed it for debugging. While it may
> actually be useful in reverse-proxy situations, it is usually
> necessary to disable it there because one does not want to leak
> internal information like the private IPs from X-Forwarded-For.
>
> It can also compound security issues in webapps. In general, one can
> say that it increases the attack surface a web server presents to the
> internet. I think it is a good idea to make it default to off.

I agree w/ Roy that having our defaults be non-compliant is bad, and
actions which seem to imply that the idea that TRACE is a vulnerability
is valid should be avoided.
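The leak Stefan describes (a TRACE response reflecting proxy-added headers such as X-Forwarded-For) and the effect of turning TRACE off, shown as an added example that is not part of the thread and not httpd code. It is a small Python stand-in: a loopback HTTP server whose TRACE handler either reflects the request as a message/http body (the behaviour RFC 7231 describes, corresponding to `TraceEnable on`) or answers 405 (corresponding to `TraceEnable off`), plus the audit a defender would run against their own server to confirm which of the two it does. The server, the port, the probe header value and the helper names (`make_handler`, `start_server`, `audit_trace`, `run_demo`) are all constructed for the demo; nothing leaves 127.0.0.1.

```python
"""Added example: TRACE reflection on a constructed loopback server, with
the audit check that tells `TraceEnable on` from `TraceEnable off`."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def make_handler(trace_enabled):
    """Build a request handler whose TRACE behaviour mirrors httpd's TraceEnable."""

    class Handler(BaseHTTPRequestHandler):
        protocol_version = "HTTP/1.1"

        def log_message(self, *args):  # keep the demo output quiet
            pass

        def do_GET(self):
            body = b"hello\n"
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def do_TRACE(self):
            if not trace_enabled:
                # Stand-in for `TraceEnable off`: the method is refused.
                self.send_response(405)
                self.send_header("Allow", "GET")
                self.send_header("Content-Length", "0")
                self.end_headers()
                return
            # Stand-in for `TraceEnable on`: reflect the request line and every
            # header verbatim, including ones a reverse proxy added on the way in.
            reflected = (self.requestline + "\r\n" + str(self.headers)).encode("iso-8859-1")
            self.send_response(200)
            self.send_header("Content-Type", "message/http")
            self.send_header("Content-Length", str(len(reflected)))
            self.end_headers()
            self.wfile.write(reflected)

    return Handler


def start_server(trace_enabled):
    """Start the demo server on an ephemeral loopback port; return (server, port)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), make_handler(trace_enabled))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def audit_trace(host, port, probe_headers):
    """Send one TRACE request to a server you operate and report what came back.

    TRACE counts as enabled when the reply is 2xx with a message/http body that
    echoes our request line; `leaked_headers` lists which probe headers the
    body reflected (what a proxy-added X-Forwarded-For would look like).
    """
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("TRACE", "/", headers=probe_headers)
    resp = conn.getresponse()
    body = resp.read().decode("iso-8859-1")
    conn.close()
    ctype = resp.getheader("Content-Type", "")
    enabled = (200 <= resp.status < 300 and ctype.startswith("message/http")
               and body.startswith("TRACE / HTTP/1.1"))
    leaked = [name for name in probe_headers if name.lower() in body.lower()]
    return {"status": resp.status, "trace_enabled": enabled, "leaked_headers": leaked}


def run_demo(trace_enabled):
    """Spin up a server with the given setting, audit it once, shut it down."""
    server, port = start_server(trace_enabled)
    try:
        # Constructed probe header: the private address a reverse proxy might add.
        return audit_trace("127.0.0.1", port, {"X-Forwarded-For": "10.0.0.7"})
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("TraceEnable on :", run_demo(True))
    print("TraceEnable off:", run_demo(False))
```

Against a real httpd the same `audit_trace` call is the whole check: a 405 means `TraceEnable off` is in effect, a 200 with a message/http body means the server is still reflecting whatever headers reached it.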