Posted to dev@httpd.apache.org by "Roy T. Fielding" <fi...@kiwi.ics.uci.edu> on 1998/05/09 00:59:31 UTC

Re: cvs commit: apache-1.3/src/main http_main.c

>  	Change the default setting of AddVersionPlatform to 'on'.  Jim,
>  	Brian Havard, and Marc think that's better - and if Marc, who is
>  	so security-conscious, thinks it's a good idea that tips me over
>  	to that side as well.

Crikey, what the hell are you guys smoking?  It isn't often that the Apache
folks go out of their way to violate part of the Security section of
the HTTP specification.  This is just plain stupid.  NOBODY needs this
information (aside from those who want to find a particular OS without
tripping any cracker traps). NOBODY wants to give it away.  NOBODY wants
to add another five bytes of overhead to EVERY response just so Netcraft can
observe yet another misleading statistic.  Wake up.

....Roy

Re: security implications of 'Server:'

Posted by Brian Behlendorf <br...@hyperreal.org>.
At 11:12 PM 5/8/98 -0400, you wrote:
>Brian Behlendorf wrote:
>> 
>> I agree.  And as for the HTTP standard, the only thing I can find which
>> seems relevant is:
>>
>> 15.1.2:
>
>Also:
>>14.39 Server
>>15.4 Transfer of Sensitive Information

God, no wonder this document is 428K of wholesome fun.  I think 2068 has
clearly gone past being a document describing a protocol into a pseudocode
guide for server and client developers.  At a certain point, code *is*
specification.

	Brian


--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
pure chewing satisfaction                                  brian@apache.org
                                                        brian@hyperreal.org

Re: security implications of 'Server:'

Posted by Rodent of Unusual Size <Ke...@Golux.Com>.
Brian Behlendorf wrote:
> 
> I agree.  And as for the HTTP standard, the only thing I can find which
> seems relevant is:
>
> 15.1.2:

Also:

>14.39 Server
>     Note: Revealing the specific software version of the server may
>     allow the server machine to become more vulnerable to attacks
>     against software that is known to contain security holes. Server
>     implementers are encouraged to make this field a configurable
>     option.

>15.4 Transfer of Sensitive Information
>    Revealing the specific software version of the server may allow the
>    server machine to become more vulnerable to attacks against software
>    that is known to contain security holes. Implementers SHOULD make the
>    Server header field a configurable option.

#ken	P-)}

Ken Coar                    <http://Web.Golux.Com/coar/>
Apache Group member         <http://www.apache.org/>
"Apache Server for Dummies" <http://Web.Golux.Com/coar/ASFD/>
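As an added example (not code from this thread or from Apache itself), a small Python check that reads the RFC text above from the defender's side: it parses a Server header value with the RFC 2068 product grammar (product = token ["/" product-version], with platform details usually in a parenthesised comment) and reports whether a response discloses only the product, its version, or platform details as well. The sample header values are constructed, not captured from real hosts.

```python
import re
from dataclasses import dataclass

# RFC 2068 sec. 3.8: product = token ["/" product-version]; comments such as
# "(Unix)" are where the platform/OS information discussed in the thread lands.
PRODUCT_RE = re.compile(r'([^\s/()]+)(?:/([^\s()]+))?')
COMMENT_RE = re.compile(r'\(([^)]*)\)')

@dataclass
class ServerDisclosure:
    products: list   # product names found, e.g. ["Apache", "PHP"]
    versions: list   # version strings found, e.g. ["1.3.0"]
    comments: list   # parenthesised comments, e.g. ["Unix"]

    @property
    def level(self) -> str:
        # Most-revealing element wins: platform > version > product > none.
        if self.comments:
            return "platform"
        if self.versions:
            return "version"
        if self.products:
            return "product"
        return "none"

def parse_server_header(value: str) -> ServerDisclosure:
    comments = [c.strip() for c in COMMENT_RE.findall(value)]
    stripped = COMMENT_RE.sub(" ", value)  # drop comments before tokenising
    products, versions = [], []
    for name, ver in PRODUCT_RE.findall(stripped):
        products.append(name)
        if ver:
            versions.append(ver)
    return ServerDisclosure(products, versions, comments)

ORDER = ["none", "product", "version", "platform"]

def audit(headers: dict, allowed: str = "product") -> list:
    """Return (host, level, value) for hosts disclosing more than `allowed`."""
    findings = []
    for host, value in headers.items():
        d = parse_server_header(value)
        if ORDER.index(d.level) > ORDER.index(allowed):
            findings.append((host, d.level, value))
    return findings

# Constructed sample Server header values (hypothetical hosts).
SAMPLE = {
    "a.example": "Apache/1.3.0 (Unix)",
    "b.example": "Apache/1.3.0",
    "c.example": "Apache",
    "d.example": "Apache/1.3.0 (Unix) PHP/3.0",
}
```

Running `audit(SAMPLE)` flags a, b and d; only c, which sends the bare product token, passes the default policy.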

security implications of 'Server:'

Posted by Brian Behlendorf <br...@hyperreal.org>.
At 05:42 PM 5/8/98 -0600, you wrote:
>I don't think it is a "good" idea, but I can find no security objections
>to it and can find more than one helpful debugging purpose.

I agree.  And as for the HTTP standard, the only thing I can find which
seems relevant is:

15.1.2:
| Revealing the specific software version of the server may allow the
| server machine to become more vulnerable to attacks against software
| that is known to contain security holes. Implementers SHOULD make the
| Server header field a configurable option.

which we of course (by virtue of source) do.

	Brian

p.s. - Marc, Roy's not on new-httpd, just apache-core, so he probably
didn't see your response.


Re: cvs commit: apache-1.3/src/main http_main.c

Posted by Marc Slemko <ma...@worldgate.com>.
On Fri, 8 May 1998, Roy T. Fielding wrote:

> >  	Change the default setting of AddVersionPlatform to 'on'.  Jim,
> >  	Brian Havard, and Marc think that's better - and if Marc, who is
> >  	so security-conscious, thinks it's a good idea that tips me over
> >  	to that side as well.
> 
> Crikey, what the hell are you guys smoking?  It isn't often that the Apache
> folks go out of their way to violate part of the Security section of
> the HTTP specification.  This is just plain stupid.  NOBODY needs this
> information (aside from those who want to find a particular OS without
> tripping any cracker traps). NOBODY wants to give it away.  NOBODY wants
> to add another five bytes of overhead to EVERY response just so Netcraft can
> observe yet another misleading statistic.  Wake up.

That's nice.

What, you going to try popping your head in again after the fact, after
something has been discussed to death and agreed on without presenting any
reasons?

I don't think it is a "good" idea, but I can find no security objections
to it and can find more than one helpful debugging purpose.