On 09/22/2010 11:38 AM, Ben Bucksch wrote:
> In bug <https://bugzilla.mozilla.org/show_bug.cgi?id=572659>, I argued
> that it'd be better to hide the minor version. If I don't run the very
> latest minor version, I am basically advertising to the world that I am
> vulnerable. I argued that this is not a good idea.
[snip]
> Two lessons, IMHO:
> 1. It does indeed give attackers an advantage to know which security
> holes I am vulnerable to. IMHO, that makes advertising the minor version
> dangerous in a way.

I more or less agree with this. The key, however, is balancing users' anonymity here with the usefulness that comes from it. If we can help provide functionality/usability on the web making the risk worthwhile, the minor version should stay. If not, it should go.

The risk is that of configuration broadcast. If attackers know I'm vulnerable, are they actually more likely to mount an attack? Seems to me that the usual M.O. is to carpet bomb all the users and hope some break, so the gain in risk reduction by hiding the minor version might not be that great. But as you mentioned Ben, just because it's not being used commonly now by the "lazy" attackers, it could potentially be leveraged to mount more discreet attacks.

[snip]
> 2. Don't conclude from current attacks. Just because current attacks
> don't do A today doesn't mean it's neglectable. In fact, that's where
> the worst security holes come from.

Right, but we have to be careful about what we consider non-neglectable, because surely not all values of A are worth our time. Let A = "use hundreds of multi-billion-dollar specialized vector engines to brute force 2048-bit RSA keys". We don't protect against that right now even though it's conceivable that it may happen in the future. If we spend all our time dreaming up movie-plot threats for A, we'll never fix the likely A's that create risk not worth the functionality gain.

To be clear I am not saying we should avoid protecting against possible future attack techniques. We absolutely *must* do that -- but we have to be careful to focus on the likely/rational/risky values of A, and the ones that don't sacrifice currently useful features for a not-yet-existent threat.

I still am not completely convinced the minor version advertising is totally worthwhile (at least not in all cases) but based on the previous discussion in the bug the pro/con balance seems to be in favor of keeping it around. If we see it being abused by focused attacks, we should definitely revisit the balance discussion, but breaking the bits of the web that legitimately benefit from this currently seems to outweigh the gain from a speculatively useful attack technique.

-Sid
