On Mon, 2006-08-21 at 11:42 -0700, [EMAIL PROTECTED] wrote:
The long version: We run security check software, which makes connections
with various services, calls up the header, and then tells us that based
upon the version it read in the header,
On Mon, Aug 21, 2006 at 04:15:46PM -0500, Doug Nebeker wrote:
The problem is that virtually no legit users will ever look, but the hackers
definitely will. I'll admit (being a geek) that I checked once when logging
into my banking site for the first time many years ago. So maybe I was
Guys, While I appreciate the vibrant discussion, I was not asking for the pros and cons of hiding the header information, whether or not one feels it promotes security, and whether one believes meddling with this makes one a geek or not. In many people's desire to announce their opinion on the
Scott Campbell wrote:
[...]
My question is (rephrased), if possible, how can I hide the
headers in OpenSSL from being broadcast to software running
rudimentary security scans (e.g., Nessus)?
Is there a line I can add to a conf file?
Is preventing the broadcast of software,
You are correct; I did miss Lutz's email. Lutz ... thank you. That is exactly the answer I was looking for, to all my questions. Thank you openssl list, and to all those who provided helpful feedback.
Sincerely, Scott
On 8/22/06, Bernhard Froehlich [EMAIL PROTECTED] wrote:
Scott Campbell wrote: [...]
Folks,
For the sake of closure (and finality, one would hope :-) ), the relevant Apache
configuration parameter is "ServerTokens". There is also a spiffy module
available to do just about anything you might desire here: modsecurity.
Works for me...
rnd
Dear All, The quick version: How can I disable or prevent OpenSSL headers from being viewable to outside traffic (similar to when you disable Apache from allowing its header and version information from being viewable to the outside world)?
The long version: We run security check software, which
Scott Campbell wrote:
The long version: We run security check software, which makes
connections with various services, calls up the header, and then tells
us that based upon the version it read in the header, this service has
certain vulnerabilities. For security purposes, we would
The long version: We run security check software, which makes connections
with various services, calls up the header, and then tells us that based
upon the version it read in the header, this service has certain
vulnerabilities.
You mean it might have certain vulnerabilities. You
The long version: We run security check software, which makes connections
with various services, calls up the header, and then tells us that based
upon the version it read in the header, this service has certain
vulnerabilities.
I just have to say one more thing:
You
Hello,
The quick version: How can I disable or prevent OpenSSL headers
from being viewable to outside traffic (similar to when you disable
Apache from allowing its header and version information from being
viewable to the outside world)?
OpenSSL implements the SSL3/TLS1 protocol and
David Schwartz wrote:
The long version: We run security check software, which makes connections
with various services, calls up the header, and then tells us that based
upon the version it read in the header, this service has certain
vulnerabilities.
You mean it might have certain
Thomas J. Hruska wrote:
David Schwartz wrote:
The long version: We run security check software, which makes connections
with various services, calls up the header, and then tells us that based
upon the version it read in the header, this service has certain
vulnerabilities.
You mean it
The OP, however, is right. Why report the version at all to the user of
a website? There is no need to let them know you are even running
OpenSSL let alone the version being run. I'm not talking about security
through obscurity. I'm referring to common sense. Don't tell people
what you
Blocking the version number is worse
than reporting stale version information. At least they can determine a
minimum security level. Incorrect information cuts both ways, helping the
hacker and legitimate user at the same time. Better to prefer the legitimate
user's interest.
SP
[EMAIL
[EMAIL PROTECTED] wrote:
Blocking the version number is worse than reporting stale version
information. At least they can determine a minimum security level.
Incorrect information cuts both ways, helping the hacker and legitimate
user at the same time. Better to prefer the legitimate user's
Thomas J. Hruska wrote:
Now compare that number to how many hackers know and care about the same
information.
None. If an exploit exists, it will be exploited. You are a fool if you
expect that a hacker would rely on the reported version number to elect
one of the dozens of past exploits.
[EMAIL PROTECTED] wrote:
Blocking the version number is worse than reporting stale version
information. At least they can determine a minimum security level.
Incorrect information cuts both ways, helping the hacker and legitimate
user at the same time. Better to prefer the legitimate
The problem is that virtually no legit users will ever look, but the hackers
definitely will. I'll admit (being a geek) that I checked once when logging
into my banking site for the first time many years ago. So maybe I was
'benefitted' that one time (and my case is definitely not typical),