> PS One poster compared the default server signature to leaving a note on
> your door for a burglar saying where the keys are hidden. Come on! - it
> isn't even close....
>
> PPS Check out IBM, HP, Compaq, the CIA, the FBI... none of them hide the
> signature!
I do believe that both the CIA and FBI websites have been defaced in the
past as well. "Central Stupidity Agency" was written on the home page in the
case of the first one. Not the best of examples methinks.

It's not a matter of going to bed thinking "I hope no-one finds out we are
running PHP" (incidentally we are, and I'm not scared!). It's a matter of
making it more difficult for attackers to exploit security flaws when they
are discovered.

At last year's Infosec show in the UK Ira Winkler stated that the best
security was to ensure that vendors' patches are installed as soon as
possible. In the case of MS, we all know that breaks things and there may
well be times when the latest "patch" version will not install (we get
regular posts about exactly that almost every day). At this year's Infosec
show the keynote speaker (whose name escapes me now) spoke on "Time Based
Security", i.e. limiting the time that systems can be exploited to minimise
loss. His main thrust was to set up automated responses, because even human
responses take at best 16 minutes to act on security breaches.

I do believe that some people are under the impression that security is like
a safe that keeps everyone out. However, once a safe is stolen, the "bad"
guys can get into it given enough time.

In exactly the same way SSL can be broken given enough time and processing
power. In both cases, i.e. using SSL and hiding the server version, you are
placing a barrier of time in the way of a potential attacker. Why attack an
unknown server when you can attack a known server version with known
security problems?

I think an analogy with car crime would help. Suppose a number of Ford
Granadas have been recalled because the locks are faulty and can be broken
into (AFAIK Granadas are hard to break into). No manufacturer in his right
mind would mark on each car the lock version (and then publicise on their
website which versions are vulnerable). So why announce to the world that
you have a vulnerable version?

It may interest you to know that IIS is the most attacked server version,
and I don't believe it has any way of hiding its server signature.

Owen has said that if you hide the server version then the only thing
protecting you is luck if you haven't fixed it. Well, it's precisely the
same kind of "luck" that has kept the UK mainland free of Foot and Mouth
disease for the last 34 years. The UK still has no system in place to
prevent FMD coming back in either.

I cannot agree with the statement that "attackers should not get in at all"
since perfect security is not possible when we are dealing with computers,
as they are finite state automata. That means they have a number of
different states they can be in that cannot all be tested within a
reasonable timeframe.

If security really could be perfect, then we would never need security
patches. In that case, we'd all have far less work to do!
--
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
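The thread argues about whether the Apache server signature should be hidden. As an added example that is not part of the original post or of the mod_ssl project, the script below audits a set of `Server` header values and reports which ones still disclose a version, mapping each to the Apache `ServerTokens` level that would produce it (`Full`, `OS`, `Min`, `Minor`, `Major`, `Prod`). The sample header values are constructed for the example; `ServerTokens` and `ServerSignature` are real Apache directives, and the `classify_server_header` and `audit` functions are this example's own names.

```python
import re

# Constructed sample Server header values (not taken from the original thread);
# each mirrors what Apache sends at one ServerTokens level, Full down to Prod.
SAMPLE_HEADERS = [
    "Apache/1.3.19 (Unix) mod_ssl/2.8.1 OpenSSL/0.9.6",  # Full (Apache's default)
    "Apache/1.3.19 (Unix)",                              # OS
    "Apache/1.3.19",                                     # Min
    "Apache/1.3",                                        # Minor
    "Apache/1",                                          # Major
    "Apache",                                            # Prod
]

# Directives a defender sets in httpd.conf to stop version disclosure.
# ServerSignature Off also removes the version line from error pages and
# directory listings, which the Server header setting alone does not cover.
RECOMMENDED_DIRECTIVES = ("ServerTokens Prod", "ServerSignature Off")

# product, optional "/version", then whatever follows (OS token, module list)
_HEADER_RE = re.compile(
    r"^(?P<product>[A-Za-z][\w-]*)(?:/(?P<version>\d[\d.]*))?(?P<rest>.*)$"
)


def classify_server_header(value):
    """Describe what a Server header reveals.

    'level' is named after Apache's ServerTokens values; for non-Apache
    products it is only an analogy for how much detail is disclosed.
    """
    m = _HEADER_RE.match(value.strip())
    if not m:
        return {"product": None, "version": None, "level": "unknown",
                "leaks_version": False, "leaks_modules": False}
    product = m.group("product")
    version = m.group("version")
    rest = m.group("rest").strip()
    leaks_modules = "/" in rest   # e.g. "mod_ssl/2.8.1 OpenSSL/0.9.6"
    leaks_os = "(" in rest        # e.g. "(Unix)"
    if version is None:
        level = "Prod"
    elif leaks_modules:
        level = "Full"
    elif leaks_os:
        level = "OS"
    else:
        # one version component -> Major, two -> Minor, three or more -> Min
        level = {1: "Major", 2: "Minor"}.get(len(version.split(".")), "Min")
    return {"product": product, "version": version, "level": level,
            "leaks_version": version is not None, "leaks_modules": leaks_modules}


def audit(headers):
    """Return (header, classification) for each header that still discloses a version."""
    findings = []
    for header in headers:
        info = classify_server_header(header)
        if info["leaks_version"]:
            findings.append((header, info))
    return findings


if __name__ == "__main__":
    for header, info in audit(SAMPLE_HEADERS):
        print(f"{header!r}: level {info['level']} still reveals version {info['version']}")
    print("Fix with:", "; ".join(RECOMMENDED_DIRECTIVES))
```

Run against headers collected from your own servers (for example from a `curl -I` sweep), the audit lists every host whose banner still names the exact Apache, mod_ssl or OpenSSL version; the `Full` banner in the sample is the "known server version with known security problems" the post is talking about, and only the `Prod` form gives an attacker nothing to look up.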