On Wed, 9 May 2001, Owen Boyle wrote:
> I should've guessed that this might turn into a bit of a debate...
>
> To recap, the original poster was concerned that the default behaviour of
> apache to advertise itself with something like:
>
> "Apache/1.3.6 (Unix) PHP/3.0.16 mod_perl/1.21 mod_ssl/2.2.8
> OpenSSL/0.9.2b"
>
> was a security risk (by the way, this example comes from the British
> Ministry of Defence).
>
> My argument is that it is not. Your system should be secure *even if* an
> attacker knows this trivial information. Otherwise, you'd go to bed each
> night worrying, "I hope no-one finds out we've installed PHP..."
>
> One poster worried that if a hole was discovered, for example, in PHP,
> you'd become immediately vulnerable - well that would be true whether or
> not you advertise it. The hole would still be there even if you suppress
> the signature and an attacker might still have a go at it. The only
> thing protecting you would be luck.
Yes, still vulnerable, but harder to pick out of a crowd than had the
service been fully advertised.
>
> Security should be systematic and precise - attackers should not get in
> at all. Security should not be based on ideas like "If we hide the
> version number, we are 20% less likely to get attacked".
Not really, but, you're 20% of the time bound to see the prober move on
quickly to some other site they can get all the details of the servers
running behind the firewall if no valuable info can be gleaned from the
initial probe.
>
> The default behaviour is good because it advertises to the world what a
> great server we're using and lets developers keep track of uptake of
> upgrades - it's an excellent way of tracking the development of the web
> and contributes to the feel-good community spirit of the Wonderful
> World Wide Web. If we all start hiding things for no good reason, we get
> hung up on this suspicious, scaredy-cat, keep-everything-secret
> mentality which is bad for the soul.
>
Bogus, totally bogus.
[SNIP]
>
> PS One poster compared the default server signature to leaving a note on
> your door for a burglar saying where the keys are hidden. Come on! - it
> isn't even close....
>
> PPS Check out IBM, HP, Compaq, the CIA, the FBI... none of them hide the
> signature!
pretty near all of which have been compromised in one way or another.
The issue here remains, you have given no valid reason that obscuring the
info about what kind of server is running should not be done, except
boasting rights as to what SW one is running, while folks
have mentioned a number of reasons that adding this obscuring feature to
the boxen offering services would add to the layered security features in
place.
Thanks,
Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior consultant: darkstar.sysinfo.com
http://darkstar.sysinfo.com
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart
testing, only testing, and damn good at it too!
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
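The thread argues over what the banner quoted above actually gives a prober. The added example below (not code from either poster, nor from the Apache project) parses that exact Server header into product/version/comment tokens, shows which versions a scanner can pick out of it, and emulates what the same server would send at each of Apache's ServerTokens levels (Prod, Min, OS, Full) so the trade-off can be seen side by side. The banner string is the one quoted in the thread; the rendering of each level follows the documented behaviour of the ServerTokens directive, and the helper names are this example's own.

```python
import re
from typing import Dict, List, Tuple

# The banner quoted in the thread (what "ServerTokens Full" sends).
FULL_BANNER = ("Apache/1.3.6 (Unix) PHP/3.0.16 mod_perl/1.21 "
               "mod_ssl/2.2.8 OpenSSL/0.9.2b")

# One Server-header token: product[/version][ (comment)]
TOKEN_RE = re.compile(r"([A-Za-z0-9_.-]+)(?:/([^\s(]+))?(?:\s*\(([^)]*)\))?")

# Rendering per ServerTokens level, as documented for Apache:
#   Prod -> "Apache"
#   Min  -> "Apache/1.3.6"
#   OS   -> "Apache/1.3.6 (Unix)"
#   Full -> every module's product/version as well
LEVELS = ("Prod", "Min", "OS", "Full")


def parse_server_header(value: str) -> List[Tuple[str, str, str]]:
    """Split a Server header into (product, version, comment) tuples."""
    return [(m.group(1), m.group(2) or "", m.group(3) or "")
            for m in TOKEN_RE.finditer(value)]


def exposed_versions(value: str) -> Dict[str, str]:
    """Product -> version for every token that carries a version.

    This is the part of the banner a prober can match against a list
    of known-vulnerable releases; an empty dict means nothing to match.
    """
    return {prod: ver for prod, ver, _ in parse_server_header(value) if ver}


def _format(token: Tuple[str, str, str]) -> str:
    prod, ver, comment = token
    out = prod + ("/" + ver if ver else "")
    return out + (" (" + comment + ")" if comment else "")


def render(full_banner: str, level: str) -> str:
    """What the same server would send under a given ServerTokens level."""
    if level not in LEVELS:
        raise ValueError("unknown ServerTokens level: " + level)
    tokens = parse_server_header(full_banner)
    core_prod, core_ver, core_os = tokens[0]
    if level == "Prod":
        return core_prod
    if level == "Min":
        return _format((core_prod, core_ver, ""))
    if level == "OS":
        return _format((core_prod, core_ver, core_os))
    return " ".join(_format(t) for t in tokens)


def leak_report(full_banner: str) -> Dict[str, int]:
    """Number of product versions exposed at each ServerTokens level."""
    return {lvl: len(exposed_versions(render(full_banner, lvl)))
            for lvl in LEVELS}


if __name__ == "__main__":
    for lvl in LEVELS:
        print(f"ServerTokens {lvl:<4} -> Server: {render(FULL_BANNER, lvl)}")
    print("versions exposed per level:", leak_report(FULL_BANNER))
```

Running it shows five product versions exposed at Full, one at Min and OS, none at Prod. Which level is right is exactly the question the thread is arguing; the usual hardening choice is `ServerTokens Prod` together with `ServerSignature Off` in httpd.conf, after which `curl -sI` against the host returns just `Server: Apache`. Either way the point both posters agree on stands: the directive changes what the banner says, not what is installed, so it is a layer, not a fix.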