I should've guessed that this might turn into a bit of a debate...

To recap, the original poster was concerned that the default behaviour of
Apache to advertise itself with something like:

"Apache/1.3.6 (Unix) PHP/3.0.16 mod_perl/1.21 mod_ssl/2.2.8
OpenSSL/0.9.2b"

was a security risk (by the way, this example comes from the British
Ministry of Defence).

My argument is that it is not. Your system should be secure *even if* an
attacker knows this trivial information. Otherwise, you'd go to bed each
night worrying, "I hope no-one finds out we've installed PHP..."

One poster worried that if a hole was discovered, for example, in PHP,
you'd become immediately vulnerable - well that would be true whether or
not you advertise it. The hole would still be there even if you suppress
the signature and an attacker might still have a go at it. The only
thing protecting you would be luck.

Security should be systematic and precise - attackers should not get in
at all. Security should not be based on ideas like "If we hide the
version number, we are 20% less likely to get attacked".

The default behaviour is good because it advertises to the world what a
great server we're using and lets developers keep track of uptake of
upgrades - it's an excellent way of tracking the development of the web
and contributes to the feel-good community spirit of the Wonderful
World Wide Web. If we all start hiding things for no good reason, we get
hung up on this suspicious, scaredy-cat, keep-everything-secret
mentality which is bad for the soul.

I'll shut up now.....

Owen Boyle.

PS One poster compared the default server signature to leaving a note on
your door for a burglar saying where the keys are hidden. Come on! - it
isn't even close....

PPS Check out IBM, HP, Compaq, the CIA, the FBI... none of them hide the
signature!
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]