httpd-users mailing list archives

From "Boyle Owen" <Owen.Bo...@swx.com>
Subject RE: [users@httpd] Stop Apache from reporting version number anywhere..
Date Mon, 26 Jan 2004 10:51:34 GMT
> -----Original Message-----
> From: Colm MacCarthaigh [mailto:colm@stdlib.net]
> Sent: Monday, 26 January 2004 11:38
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Stop Apache from reporting version number anywhere..
> 
> On Mon, Jan 26, 2004 at 11:00:23AM +0100, Boyle Owen wrote:
> > - The "token senders" have known all about the server signature thing
> > for a long time and understand its purpose, which is to help the
> > internet remain a "community". When you advertise your server signature,
> > you allow people like the W3C, ICANN etc to collect statistics on who's
> > using what servers and at what version. This is useful information and
> > helps the web to evolve.
> 
> I don't think this is about ICANN and the W3C at all - they don't
> even do large-scale surveys, I think netcraft are the only people
> who do these days. It's not about old fogeys remembering the good
> old days of openness and cooperation, it's much more pragmatic and
> practical than that.

I think we're singing off the same hymn-sheet... Most of the Hiders say
"what harm is there in me hiding my signature anyway?" I was trying to,
OTTOMH, think of a couple of reasons why it's useful to broadcast it.
You've just given a couple of very good ones, which I will store away
for the next time this question comes up (as it surely will).

As for old fogeys, I once telnetted from a bedroom in Ipswich to an OS/9
crate controller in CERN: en clair, all the way... Firewalls? Luxury. We
used to dream of firewalls... 

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

> Server signatures are one of the most positive useful security resources,
> they are a tool which allows you to collect information and statistics
> about what's on your own network. I'm a member of a reasonably large NOC,
> and personally maintain dozens of webservers, within our whole network
> we're easily into the thousands of webservers.
> 
> When a vulnerability is found, we can quickly identify which of our
> machines need upgrading, and give clients an idea of what machines they
> need to look at - because I can easily automate connecting to them all
> and finding out what they're running.
> 
> If someone obfuscates their banner, we lose that easy ability, and I'm
> not going to the trouble of writing a whisker implementation - if someone
> is hiding their Server signature - I'm assuming they don't want me to
> know what it's running (despite how trivial it is to find out anyway)
> and hence don't want the benefits of an advance warning.
> 
> Server signatures are great security resources. Turning them off has
> entirely negative consequences, ranging from the above to the very human
> tendency to put off an upgrade because you've "already taken care of that,
> they won't find it for now".
> 
> There is simply no reliable way to hide the server you're running, it
> can't be done. HTTP is a complex protocol with literally billions of
> permutations of responses, header orderings, error documents, directory
> indexes, escape sequencing and plain old bugs. There will always be a way
> to fingerprint a server, and no one has ever managed to make two versions
> behave exactly alike (then why would there be another version?).
> 
> Personally I'm in favour of implementing an option in Apache to obfuscate
> signatures. It comes up so often, and so many people patch it in anyway
> that it hardly seems worth not affording people the choice. But frankly,
> anyone who obfuscates their Server Signature is simply displaying their
> ignorance and naivety, for very real-world important reasons.
> 
> -- 
> Colm MacCárthaigh                        Public Key: colm+pgp@stdlib.net
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP 
> Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 
>
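Colm's inventory procedure (connect to every web server you run, read the Server banner, list the machines that still need the upgrade) as an added Python example; it is not code from this thread or from the Apache project. The hostnames, the captured response heads and the "fixed-in" versions are constructed placeholders, and the third host shows what a version-less banner (Apache's ServerTokens Prod setting) does to that triage.

```python
import re

# Constructed sample response heads, as if captured by HEAD requests against
# three hosts on our own network (hypothetical hostnames and versions).
SAMPLE_RESPONSES = {
    "www1.example.internal": "HTTP/1.1 200 OK\r\nServer: Apache/1.3.27 (Unix)\r\n\r\n",
    "www2.example.internal": "HTTP/1.1 200 OK\r\nServer: Apache/2.0.48 (Unix) mod_ssl/2.0.48\r\n\r\n",
    # ServerTokens Prod style banner: product only, no version disclosed
    "www3.example.internal": "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n",
}
VERSION_RE = re.compile(r"^Apache/(\d+)\.(\d+)\.(\d+)")


def server_header(raw):
    """Return the Server header value from a raw HTTP response head, or None."""
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None


def apache_version(banner):
    """Parse 'Apache/x.y.z ...' into an (x, y, z) tuple; None if not disclosed."""
    if banner is None:
        return None
    m = VERSION_RE.match(banner)
    return tuple(int(g) for g in m.groups()) if m else None


def triage(responses, fixed_in):
    """Sort hosts into 'upgrade', 'ok' and 'unknown'. fixed_in maps a major
    version to the first release of that branch carrying the fix; 'unknown'
    hosts (hidden or unparsed banner) must be checked by hand, which is the
    advance warning a hidden signature throws away."""
    result = {"upgrade": [], "ok": [], "unknown": []}
    for host, raw in responses.items():
        ver = apache_version(server_header(raw))
        if ver is None or ver[0] not in fixed_in:
            result["unknown"].append(host)
        elif ver < fixed_in[ver[0]]:
            result["upgrade"].append(host)
        else:
            result["ok"].append(host)
    return result


if __name__ == "__main__":
    # Placeholder fixed-in versions per branch; take the real ones from the advisory.
    print(triage(SAMPLE_RESPONSES, {1: (1, 3, 29), 2: (2, 0, 48)}))
```

For a live run against your own hosts, replace SAMPLE_RESPONSES with the response heads returned by a HEAD request to each server.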
