On 8/25/21 1:51 AM, Roy T. Fielding wrote:
>> On Aug 18, 2021, at 12:21 AM, Piotr Sionkowski 
>> <piotr.g.sionkow...@gsk.com.INVALID 
>> <mailto:piotr.g.sionkow...@gsk.com.INVALID>>
>> wrote:
>>
>> Hello httpd docs @ Apache Software Foundation,
>>  
>> I am writing this e-mail to learn more about ASF attitude towards presenting 
>> or hiding httpd server version details in headers.
>>  
>> I have read the FAQ and documentation and agree with some statements and 
>> disagree with most. That is why I would like to have it
>> clarified.
>>  
>> Both in FAQ[1] and in documentation[2] it is discouraged to obscure the 
>> details of httpd server. The rationale provided is that
>> (all are quotations from [1] and [2]):
>>  
>> Arg1: It does nothing at all to make your server more secure
>> Arg2: The idea of "security through obscurity" is a myth and leads to a 
>> false sense of safety
>> Arg3: mistaken understanding that this will make the system more secure
>> Arg4: the same exploits will likely be attempted regardless of the header 
>> information
>> Arg5: it makes it more difficult to debug interoperational problems
>>  
>> I have checked the recommendation from OWASP[3] and they advise to remove or 
>> alter the headers so that no unnecessary details
>> are presented.
>>  
>> I tend to subscribe to OWASP's point of view and would like to elaborate on 
>> it so that we can argue more precisely and reach
>> meaningful conclusions.
> 
> Hi Piotr,
> 
> The Server header field is used by clients (especially user agents) to adjust 
> their behavior with respect to known errors in
> servers. While OWASP is welcome to choose an opinion that is "more secure" 
> based on a theoretical concern, I can assure you (as
> the HTTP editor) that their opinion is simply wrong with regards to the 
> usability of the Web as a long-lived system in the real
> world. It simply doesn't matter to an attacker. The version does matter to 
> admins and customers, who can use automated tools to
> ensure their websites are running the right version (or at least not the 
> wrong version) and trigger testing whenever that version
> changes. That tends to result in systems that are actually more secure, 
> rather than trying to obscure that they aren't being
> maintained properly.

In addition, with many servers in the real world being delivered by LTS Linux 
distributions, just knowing the version number doesn't
tell you if a system is vulnerable to a particular security issue or not. For 
example, RedHat 7 ships with version 2.4.6. But if
you run this package in the latest release it is not vulnerable to the security 
issues that a vanilla 2.4.6 server is vulnerable
to. The only thing the version number tells you here is that this server is not 
vulnerable to issues that only affect versions
below 2.4.6.
And with regards to the product announced in the header, I can tell you from 
practice that, despite the servers I have managed
clearly announcing that they are an Apache, I see tons of tries for IIS 
vulnerabilities being tested.
The next thing you have to consider is that when you evaluate the Server header 
you cannot be sure that the server you are
talking to is really using the particular software announced in the header, or 
if this is the software used by some system further
down the chain and you are talking to a gateway system which does not 
have the vulnerabilities you might expect when looking
at the header.
The point is: if you as an attacker rely on the information in the header, even 
if it is not obscured, you can be severely misguided
about the setup, and you might miss a lot of attack opportunities if you rule 
them out upfront based on the header. Hence you need
to try them out anyway unless you have other information sources that tell you 
reliably that it is not worth trying them.

Regards

Rüdiger
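As an added illustration (not part of the thread or of httpd), here is a small Python check of the kind Roy describes admins automating: it parses a Server header and reports only what the version string alone can support, treating distribution builds as indeterminate because of the backports Rüdiger describes. The sample headers, the distribution keywords and the "fixed in 2.4.7" threshold are constructed placeholders, not real advisory data.

```python
import re

# Constructed sample Server header values for demonstration only.
SAMPLES = {
    "upstream": "Apache/2.4.6 (Unix)",
    "distro": "Apache/2.4.6 (Red Hat Enterprise Linux)",
    "prod_only": "Apache",            # ServerTokens Prod: no version at all
    "gateway": "nginx/1.18.0",        # a proxy in front answers, not httpd
}

# product[/version][ (comment)] -- first product token of the header
PRODUCT_RE = re.compile(r"([A-Za-z][\w.-]*)(?:/([\w.-]+))?(?:\s*\(([^)]*)\))?")
# Constructed hints that the build comes from a distribution with backports.
DISTRO_HINTS = ("red hat", "rhel", "centos", "debian", "ubuntu", "suse", "fedora")


def parse_server(header):
    """Return (product, version-or-None, comment) for the first product token."""
    m = PRODUCT_RE.match(header.strip())
    if not m:
        return None
    return m.group(1), m.group(2), (m.group(3) or "")


def version_tuple(v):
    """'2.4.6' -> (2, 4, 6) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def assess(header, fixed_in):
    """Classify what the Server header alone says about a fix first shipped
    upstream in version `fixed_in`. Only 'unaffected' is a firm conclusion;
    everything else needs another information source (package errata,
    actual testing) before a defender should act on it."""
    parsed = parse_server(header)
    if parsed is None:
        return "unknown"
    product, version, comment = parsed
    if product.lower() != "apache":
        # Could be a gateway in front of httpd; says nothing about the origin.
        return "not-httpd-or-gateway"
    if version is None:
        return "unknown"
    if version_tuple(version) >= version_tuple(fixed_in):
        return "unaffected"
    if any(h in comment.lower() for h in DISTRO_HINTS):
        # Distribution builds often carry backported fixes under the old number.
        return "indeterminate"
    return "possibly-affected"
```

The function deliberately never returns "affected": the version number can rule issues out, but cannot rule them in.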

---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscr...@httpd.apache.org
For additional commands, e-mail: docs-h...@httpd.apache.org