Hari,
I forgot to comment about the other extract.
I might have misunderstood your comment about the IETF. It often happens
when talking about security matters that a 'head in the sand' mentality
shows up. “Is it a standard? Is it necessary? Does it influence my
set-up?” That is why I tried to explain the point of hiding version
information. After revising your comment, I can now see your issue about
the reference to the PCI recommendations.
It might not be of concern to Ugandan industry yet. Processing of
payment/credit card data in on-line applications is not common in Uganda
at the moment. But the international industry has picked up on the
matter and that not only because of the security issues but also because
of business logic.
They can sell and distinguish from other products by implementing the
PCI DSS recommendations into their applications or as a standard
configuration of their products. The value added service is that it is
easier for the end user to pass a compliance test without in depth
alteration of the configuration or application. That is a convincing
selling point. Even web hosting control panels such as Plesk, ISPConfig,
LxAdmin, cPanel, etc start to implement those recommendations into the
standard "server" settings or at least as optionals. Or open source
on-line shop software. Or if you look at the changes in a standard
configured php.ini file of different Linux Distributions over the years.
So even if it’s not an internet standard the PCI DSS recommendations
have gained importance in the industry. E.g. the redpepper.ug website is
not processing credit card information (I suppose), yet the http
server's version information is hidden in the http request header. That
is in accordance with the PCI recommendations even though it wouldn't be
necessary. That could be due to the provider's standard configuration
policy.
Best regards,
Rocco
Hari Kurup wrote:
Rocco,
My point was not about the merits or demerits of hiding version info,
but about the reference to "PCI" that you gave. If it is a commonly
referenced security standard, I must have been living under a rock
because I had never heard of it till today.
While we are at it, why does your own mail server disclose version info?
220-server.it-doc24.com ESMTP Exim 4.69
--
Hari
On 11/28/09 1:39 PM, IT-Doc24 Ltd. - Rocco Radisch wrote:-
That is right. Its not a internet standard but a commonly used security
standard. Not only for the payment card industry but also for
web/internet server/services security audits amongst some other security
"recommendations". E.g. in case the website would process credit card
information.
Whether its a must or not, a standard or a recommendation, just go by
logic. Do you want to hand out (disclose) the version information of a
running service? Indicating which vulnerabilities the service has?
Believing the banner, Postfix 2.3.3 was released in Aug/Oct 2006 .......
Hari Kurup wrote:
On 11/28/09 12:21 PM, IT-Doc24 Ltd. - Rocco Radisch wrote:-
(the version information should be cut out, called banner, its against
PCI recommendation)
https://www.pcisecuritystandards.org/
right, so PCI stands for "Payment Card Industry"
They make standards that apply "to all organizations which hold,
process, or pass cardholder information from any card branded with the
logo of one of the card brands"
(ref:
http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard)
As they don't make internet standards (that is the work of the IETF), I
don't see why you would base on their recommendations unless you are one
of the said organisations.
--
Hari
_______________________________________________
LUG mailing list
[email protected]
http://kym.net/mailman/listinfo/lug
%LUG is generously hosted by INFOCOM http://www.infocom.co.ug/
The above comments and data are owned by whoever posted them
(including attachments if any). The List's Host is not responsible for
them in any way.
---------------------------------------
_______________________________________________
LUG mailing list
[email protected]
http://kym.net/mailman/listinfo/lug
%LUG is generously hosted by INFOCOM http://www.infocom.co.ug/
The above comments and data are owned by whoever posted them (including
attachments if any). The List's Host is not responsible for them in any
way.
---------------------------------------
_______________________________________________
LUG mailing list
[email protected]
http://kym.net/mailman/listinfo/lug
%LUG is generously hosted by INFOCOM http://www.infocom.co.ug/
The above comments and data are owned by whoever posted them (including
attachments if any). The List's Host is not responsible for them in any way.
---------------------------------------
_______________________________________________
LUG mailing list
[email protected]
http://kym.net/mailman/listinfo/lug
%LUG is generously hosted by INFOCOM http://www.infocom.co.ug/
The above comments and data are owned by whoever posted them (including
attachments if any). The List's Host is not responsible for them in any way.
---------------------------------------
