It raises the question of whether there exists a set of instructions to follow that will achieve the goal of completely masking the fact that you are running ColdFusion, even from fingerprinting scan tools. I have never seen any whitepapers on this and would assume that none exist. Some major Web sites obscure what application server they are using for security reasons.
I generally don't mess with the file extensions because it can make development more difficult. The lack of a .cfm extension on a file would potentially confuse the IDE as well as other developers who have to work on the code after you. It could make it harder to use frameworks and downloaded code samples (ex: varScoper). It makes the code less reusable. Some third party management and security products that expect a .cfm extension might not work properly. None of these are major drawbacks, but they could be annoying to the developers having to work on the site.

If you are able to successfully hide which application server you are running then your site should be more secure. Imagine if a major vulnerability were discovered with a feature of ColdFusion, such as with the FCKEditor. A hacker might create a simple automated hack script using Google search results as a list of target sites. If your site doesn't come up in any search engine when searching for "index.cfm," then you are better protected from that type of random automated attack.

-Mike Chabot
http://www.linkedin.com/in/chabot

On Mon, Jun 14, 2010 at 9:17 PM, Dave Watts <[email protected]> wrote:

> >> Client is interested in obscuring that it's CF. They know that it's
> >> not fool-proof by any means. They don't have anything against CF,
> >> obviously. If they were running a php site, they'd want to obscure
> >> that too.
>
> That only obscures things for regular users. Any scan tool will still
> fingerprint your CF server.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> http://training.figleaf.com/
>
> Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
> GSA Schedule, and provides the highest caliber vendor-authorized
> instruction at our training centers, online, or onsite.
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:334561
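Dave's point in the quoted reply is that hiding the .cfm extension only removes one of several indicators. The following is an added example, not code from this thread or from any product it mentions: a small self-check you can run over responses captured from a server you administer, to list which ColdFusion indicators a fingerprinting scan would still see after the extension is hidden. The indicator lists (the .cfm/.cfml/.cfc extensions, the default CFID/CFTOKEN/CFGLOBALS session cookies, vendor strings in the Server and X-Powered-By headers) are assumptions drawn from well-known ColdFusion defaults, not an exhaustive fingerprint database, and the sample responses are constructed, not real captures.

```python
"""List the ColdFusion fingerprints a scanner would still see on your own site.

Added example for the cf-talk discussion above; not code from the thread or
from any project it mentions. Run it over responses captured from a server
you administer. The indicator lists below are assumptions drawn from
well-known ColdFusion defaults, not an exhaustive fingerprint database.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed indicators: file extensions ColdFusion serves, its default session
# cookie names, and vendor strings that turn up in Server / X-Powered-By.
CF_EXTENSIONS = (".cfm", ".cfml", ".cfc")
CF_COOKIES = frozenset({"CFID", "CFTOKEN", "CFGLOBALS"})
CF_HEADER_TOKENS = ("coldfusion", "jrun")


@dataclass(frozen=True)
class Finding:
    where: str   # "url", "header" or "cookie"
    detail: str  # what exactly leaked


def coldfusion_indicators(url: str, headers: dict[str, str],
                          cookies: dict[str, str]) -> list[Finding]:
    """Return every platform indicator present in one captured response."""
    findings: list[Finding] = []

    # 1. URL extension: the one indicator the thread proposes hiding.
    path = urlparse(url).path.lower()
    for ext in CF_EXTENSIONS:
        if path.endswith(ext):
            findings.append(Finding("url", f"path ends with {ext}"))
            break

    # 2. Banner headers; header names are matched case-insensitively.
    lowered = {name.lower(): value for name, value in headers.items()}
    for name in ("server", "x-powered-by"):
        value = lowered.get(name, "")
        if any(token in value.lower() for token in CF_HEADER_TOKENS):
            findings.append(Finding("header", f"{name}: {value}"))

    # 3. Session cookies: hiding the extension does nothing about these.
    for name in cookies:
        if name.upper() in CF_COOKIES:
            findings.append(Finding("cookie", name))

    return findings


def is_fingerprintable(url: str, headers: dict[str, str],
                       cookies: dict[str, str]) -> bool:
    """True if at least one indicator would still identify the platform."""
    return bool(coldfusion_indicators(url, headers, cookies))


# Constructed sample responses (not real captures), as (url, headers, cookies).
# A site that hid .cfm in its URLs but left the other defaults in place.
EXT_HIDDEN_ONLY = (
    "https://www.example.test/products/list",
    {"Server": "Apache", "X-Powered-By": "ColdFusion"},
    {"CFID": "1234", "CFTOKEN": "5678"},
)
# An untouched default install.
DEFAULT_INSTALL = (
    "https://www.example.test/index.cfm",
    {"server": "JRun Web Server"},
    {"CFID": "1234", "CFTOKEN": "5678"},
)
# Extension hidden, banner headers stripped, custom session cookie name.
HARDENED = (
    "https://www.example.test/products/list",
    {"Server": "Apache"},
    {"SESSIONID": "opaque"},
)

if __name__ == "__main__":
    for label, sample in (("ext-hidden-only", EXT_HIDDEN_ONLY),
                          ("default-install", DEFAULT_INSTALL),
                          ("hardened", HARDENED)):
        print(label)
        for finding in coldfusion_indicators(*sample):
            print(f"  {finding.where}: {finding.detail}")
```

The ext-hidden-only sample is the situation the thread is about: the URL gives nothing away, yet the X-Powered-By header and the two session cookies still identify the platform, which is why a scan tool is not fooled by an extension change alone. Only the hardened sample, where headers and cookie names were changed as well, comes back with no findings.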

