At 05:24 PM 5/3/2002, you wrote:
>On Fri, 3 May 2002, Rasmus Lerdorf wrote:
>
> > Ok, but where should this information go then?  Apache has definitely
> > benefitted by having this information available.  Some sort of
> > X-SERVER-INFO: header then?
>
>What I meant was I don't think the MPM should be announced to the client.
>What possible benefit could there be to doing that?

And I agree here with Cliff...

The Server String provides clients some very useful information in compensating
for discrepancies between HTTP implementations.  I've never agreed that this
"exposure of potential exploits" has any impact; most crackers are just pummeling
every useful vulnerability against as many random machines as possible.

Changing the ServerString doesn't provide any useful data, since all MPMs treat
the HTTP protocol the same (and outright MPM bugs can't really be adjusted for).
Denial of service exploits, however, may depend on understanding the request
processing model.  A denial of service against worker likely has little or no
impact against perchild, etc.

The only advantage is for tracking mpm adoption rates, and I don't think that's
a sufficient benefit to outweigh this disadvantage.  If HTTP requests would
react differently under different MPMs, my opinion would be swayed.

-0 on this concept here.

Bill

