Hari Kurup wrote:
Rocco,
My point was not about the merits or demerits of hiding version info,
but about the reference to "PCI" that you gave. If it is a commonly
referenced security standard, I must have been living under a rock
because I had never heard of it till today.
While we are at it, why does your own mail server disclose version info?
220-server.it-doc24.com ESMTP Exim 4.69
I know... could be a faked banner, its easy to change. And besides, from
4.69 to current 4.71 there is nothing much what happened.
Check again ;-)
--
Hari
On 11/28/09 1:39 PM, IT-Doc24 Ltd. - Rocco Radisch wrote:-
That is right. Its not a internet standard but a commonly used security
standard. Not only for the payment card industry but also for
web/internet server/services security audits amongst some other security
"recommendations". E.g. in case the website would process credit card
information.
Whether its a must or not, a standard or a recommendation, just go by
logic. Do you want to hand out (disclose) the version information of a
running service? Indicating which vulnerabilities the service has?
Believing the banner, Postfix 2.3.3 was released in Aug/Oct 2006 .......
Hari Kurup wrote:
On 11/28/09 12:21 PM, IT-Doc24 Ltd. - Rocco Radisch wrote:-
(the version information should be cut out, called banner, its against
PCI recommendation)
https://www.pcisecuritystandards.org/
right, so PCI stands for "Payment Card Industry"
They make standards that apply "to all organizations which hold,
process, or pass cardholder information from any card branded with the
logo of one of the card brands"
(ref:
http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard)
As they don't make internet standards (that is the work of the IETF), I
don't see why you would base on their recommendations unless you are one
of the said organisations.
--
Hari
_______________________________________________
LUG mailing list
[email protected]
http://kym.net/mailman/listinfo/lug
%LUG is generously hosted by INFOCOM http://www.infocom.co.ug/
The above comments and data are owned by whoever posted them
(including attachments if any). The List's Host is not responsible for
them in any way.
---------------------------------------
_______________________________________________
LUG mailing list
[email protected]
http://kym.net/mailman/listinfo/lug
%LUG is generously hosted by INFOCOM http://www.infocom.co.ug/
The above comments and data are owned by whoever posted them (including
attachments if any). The List's Host is not responsible for them in any
way.
---------------------------------------
_______________________________________________
LUG mailing list
[email protected]
http://kym.net/mailman/listinfo/lug
%LUG is generously hosted by INFOCOM http://www.infocom.co.ug/
The above comments and data are owned by whoever posted them (including
attachments if any). The List's Host is not responsible for them in any way.
---------------------------------------
_______________________________________________
LUG mailing list
[email protected]
http://kym.net/mailman/listinfo/lug
%LUG is generously hosted by INFOCOM http://www.infocom.co.ug/
The above comments and data are owned by whoever posted them (including
attachments if any). The List's Host is not responsible for them in any way.
---------------------------------------
