Posted to dev@httpd.apache.org by Thomas Eibner <th...@stderr.net> on 2001/11/20 06:39:45 UTC

Re: Better privacy with SERVER_SIGNATURE

On Wed, Oct 17, 2001 at 06:35:27AM +0200, Thomas Eibner wrote:
> I don't like the idea of people being able to change the server
> signature to something like "AnythingGoes/1.0", 'cause there is really
> no product called that, if it's Apache, it should say Apache or not
> say anything at all. And the disguising of the OS doesn't really matter
> either since there are other ways of figuring out what OS you're 
> running. If people can't figure out how to patch the source to show
> up another name than Apache they really shouldn't be messing with it
> (IMHO).
> 
> Is there a really good reason why you want something other than "Apache"
> to show up in the Server header? Security? Keeping up with security
> announcements and upgrading when necessary should be enough I think.
> 
> Related to this: what is it going to do to the Netcraft survey when
> every kid on the block starts changing the server header to 
> "MyCoolWebserver/2.0"?

To bring a little kick back in this old thread..

I noticed this while casually surfing with lwp-request:
$ lwp-request -m HEAD http://www.mandrake.com/ | grep Server
Server: Apache-AdvancedExtranetServer/1.3.12  (NetRevolution/Linux-Mandrake) PHP/3.0.17-dev mod_ssl/2.6.4 OpenSSL/0.9.5a

And it seems like this goes into Mandrake's default apache distribution
too. 

So I thought, oh well, I guess Netcraft knows about this.. But in fact it
doesn't seem to be the case, on sites that use an unmodified Apache header
they display the string: "Apache users include ..." which isn't the case
when you check www.mandrake.com.

I might be overreacting, but from: src/include/httpd.h:

 * "Product tokens should be short and to the point -- use of them for 
 * advertizing or other non-essential information is explicitly forbidden."

It certainly seems like non-essential information to me, and I'm wondering
why Mandrake actually wants to call it Apache-AdvancedExtranetServer ?

Looking at http://www.securityspace.com/s_survey/data/200109/servers.html
it actually looks like a good deal of servers with this Server-string
is out there. Around 8200 hosts/vhosts alone in this survey. 

Is this what people want to happen with the Server string or is it not
that big of a deal?

-- 
  Thomas Eibner <http://thomas.eibner.dk/> DnsZone <http://dnszone.org/>
  mod_pointer <http://stderr.net/mod_pointer> 
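As an added illustration (not code from the thread or from the Apache project), a small Python audit that splits a Server header value into RFC 2616 product tokens and parenthesised comments and lists which products disclose a version; the sample header is the one observed above with lwp-request.

```python
"""Audit an HTTP Server header for version disclosure.

Added example, not part of the original thread. It splits a Server
header value into RFC 2616 product tokens ("name/version") and
parenthesised comments, then reports which tokens reveal a version.
"""
from typing import List, Tuple

# Header value as quoted in the post above (www.mandrake.com, 2001).
SAMPLE_HEADER = ("Apache-AdvancedExtranetServer/1.3.12  (NetRevolution/Linux-Mandrake) "
                 "PHP/3.0.17-dev mod_ssl/2.6.4 OpenSSL/0.9.5a")


def split_server_header(value: str) -> List[Tuple[str, str]]:
    """Return (kind, text) pairs, kind being 'product' or 'comment'.

    Comments may nest, e.g. "(a (b) c)", so they are scanned by depth
    rather than by regex. Products are whitespace-separated tokens
    outside comments.
    """
    items = []
    i, n = 0, len(value)
    while i < n:
        ch = value[i]
        if ch.isspace():
            i += 1
        elif ch == "(":
            depth, start = 0, i
            while i < n:
                if value[i] == "(":
                    depth += 1
                elif value[i] == ")":
                    depth -= 1
                    if depth == 0:
                        break
                i += 1
            items.append(("comment", value[start:i + 1]))
            i += 1
        else:
            start = i
            while i < n and not value[i].isspace() and value[i] != "(":
                i += 1
            items.append(("product", value[start:i]))
    return items


def version_disclosures(value: str) -> List[Tuple[str, str]]:
    """Products whose token carries a '/version' part, as (name, version)."""
    found = []
    for kind, text in split_server_header(value):
        if kind == "product" and "/" in text:
            name, version = text.split("/", 1)
            found.append((name, version))
    return found


if __name__ == "__main__":
    for kind, text in split_server_header(SAMPLE_HEADER):
        print(f"{kind:8} {text}")
    print("versions disclosed:", version_disclosures(SAMPLE_HEADER))
```

With Apache's ServerTokens Prod setting the header collapses to "Apache", and the audit reports no versions.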


Re: Better privacy with SERVER_SIGNATURE

Posted by Ian Holsman <ia...@cnet.com>.
On 11/19/01 9:39 PM, "Thomas Eibner" <th...@stderr.net> wrote:

> On Wed, Oct 17, 2001 at 06:35:27AM +0200, Thomas Eibner wrote:
>> I don't like the idea of people being able to change the server
>> signature to something like "AnythingGoes/1.0", 'cause there is really
>> no product called that, if it's Apache, it should say Apache or not
>> say anything at all. And the disguising of the OS doesn't really matter
>> either since there are other ways of figuring out what OS you're
>> running. If people can't figure out how to patch the source to show
>> up another name than Apache they really shouldn't be messing with it
>> (IMHO).
>> 
>> Is there a really good reason why you want something other than "Apache"
>> to show up in the Server header? Security? Keeping up with security
>> announcements and upgrading when necessary should be enough I think.
>> 
>> Related to this: what is it going to do to the Netcraft survey when
>> every kid on the block starts changing the server header to
>> "MyCoolWebserver/2.0"?
> 
> To bring a little kick back in this old thread..
> 
> I noticed this while casually surfing with lwp-request:
> $ lwp-request -m HEAD http://www.mandrake.com/ | grep Server
> Server: Apache-AdvancedExtranetServer/1.3.12  (NetRevolution/Linux-Mandrake)
> PHP/3.0.17-dev mod_ssl/2.6.4 OpenSSL/0.9.5a
> 
> And it seems like this goes into Mandrake's default apache distribution
> too. 
> 
> So I thought, oh well, I guess Netcraft knows about this.. But in fact it
> doesn't seem to be the case, on sites that use an unmodified Apache header
> they display the string: "Apache users include ..." which isn't the case
> when you check www.mandrake.com.
> 
> I might be overreacting, but from: src/include/httpd.h:
> 
> * "Product tokens should be short and to the point -- use of them for
> * advertizing or other non-essential information is explicitly forbidden."
> 
> It certainly seems like non-essential information to me, and I'm wondering
> why Mandrake actually wants to call it Apache-AdvancedExtranetServer ?
> 
> Looking at http://www.securityspace.com/s_survey/data/200109/servers.html
> it actually looks like a good deal of servers with this Server-string
> is out there. Around 8200 hosts/vhosts alone in this survey.
> 
> Is this what people want to happen with the Server string or is it not
> that big of a deal?

Personally I always thought advertising your version # and list of modules
is just an invitation to get hit...
The server string's only use IMHO is to get your Netcraft numbers up.