To me, security is a sequence of roadblocks. It is never perfect, but I see no reason to remove roadblocks because they are not 100% effective. I could stop locking my home's front door since it can be broken with a large pair of ChannelLocks, but I don't.
I think web server DoS attacks will become a great concern in the years ahead, and IMO we are very ill-prepared to deal with them. I could take down almost any web site in a matter of minutes just by making legitimate but time-consuming requests in a loop. It'd take about 4 lines of TCL (although easily traceable). THIS is what keeps me up at night -- not the guy trying to fingerprint my TCP stack or examine my Server header. But if I discourage one cracker by removing the header and it serves no useful purpose otherwise, then why not remove it?

Jim

> On 2001.10.20, Jim Wilcoxson <[EMAIL PROTECTED]> wrote:
> > I think all sites should remove the Server: header. Its only usefulness
> > I can see is for stats and to help people attack a site more efficiently.
> > It'll be off ours soon (for the latter reason).
>
> Security through obscurity, huh?
>
> People can "TCP fingerprint" different operating systems by
> properties of their IP stacks. Don't tempt me to create a
> program that fingerprints webservers. ;-)
>
> -- Dossy
>
> --
> Dossy Shiobara mail: [EMAIL PROTECTED]
> Panoptic Computer Network web: http://www.panoptic.com/
> "He realized the fastest way to change is to laugh at your own
> folly -- then you can let go and quickly move on." (p. 70)
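The thread argues over whether stripping the Server: header is worth doing. An added example, not part of the thread or anyone's posted code, that a site operator could use to verify their own configuration: it parses a raw HTTP response (the sample responses below are constructed, not captured from any real server; "ExampleHTTPd" is a placeholder product name) and reports whether the header is absent, names only the product, or also discloses a version.

```python
import re
from typing import Dict, Tuple

# Constructed sample responses for the three cases (not from any real site).
RESPONSES = {
    "versioned": (
        "HTTP/1.1 200 OK\r\n"
        "Server: ExampleHTTPd/2.0.36 (Unix)\r\n"
        "Content-Type: text/html\r\n\r\n"
    ),
    "generic": (
        "HTTP/1.1 200 OK\r\n"
        "Server: ExampleHTTPd\r\n"
        "Content-Type: text/html\r\n\r\n"
    ),
    "stripped": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}

# Matches a "/digits[.digits...]" version suffix such as "/2.0.36".
VERSION_RE = re.compile(r"/\d+(\.\d+)*")


def parse_headers(raw: str) -> Dict[str, str]:
    """Return the response headers as a dict keyed by lower-cased name.

    The status line is dropped; the body after the blank line is ignored.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def classify_server_header(raw: str) -> Tuple[str, str]:
    """Classify the Server: header of a raw response.

    Returns (verdict, value) where verdict is one of
    'absent', 'product-only' or 'version-disclosed'.
    """
    value = parse_headers(raw).get("server", "")
    if not value:
        return "absent", ""
    if VERSION_RE.search(value):
        return "version-disclosed", value
    return "product-only", value


if __name__ == "__main__":
    for name, raw in RESPONSES.items():
        print(name, "->", classify_server_header(raw))
```

Point it at a real response (e.g. the raw bytes from a socket read of your own server, decoded as ASCII) to confirm the header change took effect; the "product-only" verdict is what most "remove the version" settings actually produce.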
