Blocking the version number is worse than reporting stale version information. At least they can determine a minimum security level. Incorrect information cuts both ways, helping the hacker and legitimate user at the same time. Better to prefer the legitimate user's interest.
SP
[EMAIL PROTECTED] wrote on 08/21/2006 03:15:33 PM:
>
> > The OP, however, is right. Why report the version at all to the user of
> > a website? There is no need to let them know you are even running
> > OpenSSL let alone the version being run. I'm not talking about security
> > through obscurity. I'm referring to common sense. Don't tell people
> > what you are running unless it is absolutely necessary for proper
> > operation. Since version information is "metadata", it is not necessary
> > for the proper operation of OpenSSL. The only thing it does is waste a
> > few bytes of bandwidth every time someone connects. Just a thought.
>
> We've come a long way from the time when banks posted their reserve ratios
> in the window.
>
> If you have fixed the latest vulnerabilities, why would you want to keep
> this a secret from the people you are asking to trust you? And if you have
> not, what right do you have to keep that secret? The main reason you run SSL
> is because you are going to ask other people to trust you with their
> personal data.
>
> It comes down to that fundamental question, "why should I trust you?" If
> the answer is because you do things securely, fixing vulnerabilities and
> choosing proven products, why should that need to be a secret? And if a new
> vulnerability appears and you haven't had a chance to fix it yet, shouldn't
> I at least have a chance to know that before I trust you with sensitive
> information?
>
> Security through obscurity is wrong for more than just one reason. But a
> big one is that it robs the people you interoperate with of the chance to
> judge for themselves whether you are trustworthy. They may just find someone
> else who is more transparent.
>
> So here's my primary answer: suppose a new SSL bug is discovered. It's
> fixed in version Y but not version X. I need to put a million dollar order
> through to your server. What should I do? Should I not give you the order
> until I can somehow confirm you have version Y? (Which, according to you, I
> should never be able to do. So in this case you don't get the order.) Or
> should I just assume you do, because you're typically on the ball? (Which
> might not be what you want, depending on what the consequences are to *you*
> if the data leaks to a competitor.)
>
> Why force the people you are asking to trust you into such craziness? Why
> not reassure them, assuming you do things right? And if you do things wrong,
> is it really in your interest to dupe people into trusting you? Think long
> and hard about that -- it may not be.
>
> DS
>
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager [EMAIL PROTECTED]
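The trust decision DS describes (the client wanting to confirm the server runs the fixed version before sending the order) and the "minimum security level" SP mentions can be made concrete as a small client-side check. The following is an added example written for this page, not code from the thread or from the OpenSSL project. It parses the `OpenSSL/x.y.zs` token that mod_ssl appends to an HTTP `Server` header and compares it against a minimum version the client considers acceptable. The sample headers are constructed, and the minimum version is an arbitrary placeholder, not a claim about which release fixed any particular bug.

```python
import re
from typing import Optional, Tuple

# Constructed sample Server headers; none are taken from a real host.
SAMPLE_HEADERS = {
    "patched": "Apache/2.0.58 (Unix) mod_ssl/2.0.58 OpenSSL/0.9.8b",
    "stale": "Apache/2.0.55 (Unix) mod_ssl/2.0.55 OpenSSL/0.9.7e",
    "hidden": "Apache",  # ServerTokens-style suppression: no version at all
}

# Placeholder "version Y" from the scenario above; pick your own floor.
ASSUMED_MINIMUM = (0, 9, 8, "a")

# OpenSSL of that era used major.minor.fix plus an optional letter suffix
# (0.9.8, 0.9.8a, 0.9.8b, ...). Later 1.x releases used the same scheme.
OPENSSL_TOKEN = re.compile(r"OpenSSL/(\d+)\.(\d+)\.(\d+)([a-z]*)")

VersionKey = Tuple[int, int, int, str]


def parse_openssl_version(server_header: str) -> Optional[VersionKey]:
    """Return (major, minor, fix, letter) or None if no OpenSSL token is present."""
    m = OPENSSL_TOKEN.search(server_header)
    if m is None:
        return None
    major, minor, fix, letter = m.groups()
    # Tuple comparison orders numeric parts first, then the letter suffix.
    # The empty suffix sorts before "a", so 0.9.8 < 0.9.8a < 0.9.8b,
    # which matches OpenSSL's own release ordering.
    return (int(major), int(minor), int(fix), letter)


def assess(server_header: str, minimum: VersionKey = ASSUMED_MINIMUM) -> str:
    """Classify the advertised version relative to the client's floor.

    "ok"      - advertised version meets or exceeds the minimum
    "stale"   - advertised version is below the minimum
    "unknown" - no version advertised; the client cannot decide either way
    """
    version = parse_openssl_version(server_header)
    if version is None:
        return "unknown"
    return "ok" if version >= minimum else "stale"


if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        print(f"{label:8s} {assess(header)}  ({header})")
```

The advertised string is only a floor, as SP notes: a server can lie in either direction, and a distribution may backport fixes without bumping the version. The useful outcome of the check is therefore the three-way split. "ok" and "stale" give the client something to act on; "unknown" is what a suppressed header produces, and it leaves the client exactly where DS's million-dollar-order scenario puts it, unable to decide.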