[EMAIL PROTECTED] wrote:

> I still think publicising your server version is like writing the PIN number
> to your burglar alarm on your front door. 

Come now, John. This is just nonsense. It is more like scrubbing the
brand-name off your burglar alarm. If someone could hack into a system
just by knowing the version number, it would take them about 3 guesses
on average to break into most systems:

- Hmmm, let's try 1.3.9 - nope...
- 1.3.12?..... nope, 
- 1.3.17? .... Aha! - now to do my fiendish hacking....

My point is a subtle one and it is not surprising that many people
misunderstand it: "Reducing the likelihood of an attack is NOT a
security measure". The attack will come - you have to be ready when it
does, not put it off a few days or weeks or whatever....

Rgds,

Owen Boyle.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
