Colm MacCarthaigh wrote: > > On Tue, Jan 13, 2004 at 03:04:30PM +0100, Lars Eilebrecht wrote: > > - It's only security by obscurity and providing such a > > "security feature" may be misleading for our users. > > - We don't want people to obfuscate the server name, do we? > > It's a terrible terrible terrible idea, and makes auditing your > own network much much harder, but it's really a decision for > administrators to make - if they want to shoot themselves in the > foot, let them :) > > Most admins never compile apache :) >
It's from various admins, using open source and commercial versions of Apache that I've rec'd the "request" from. One request from an admin was to make it *easier* to audit his network, by allowing each machine to have a slightly different "real" name. Compiling several dozens of versions of Apache to do this is nasty. :) And yes, the FAQ specifically addresses this, but we already don't really honor it all that much (what other rationale is there for ServerTokens other than obfuscation? :) ). -- =========================================================================== Jim Jagielski [|] [EMAIL PROTECTED] [|] http://www.jaguNET.com/ "A society that will trade a little liberty for a little order will lose both and deserve neither" - T.Jefferson
