> From: Martin Kutschker [mailto:[EMAIL PROTECTED]
> Sent: Thursday, March 27, 2003 10:13 AM

> Date: Wed, 26 Mar 2003 15:30:53 -0500
> From: "Brass, Phil (ISS Atlanta)" <[EMAIL PROTECTED]>

> Removing the server header won't hurt.
> 
> Perhaps you could try to make the ordering of the added headers quasi random. I don't know how
> much room the RFC lets you to use a quasi random formatting of the headers' values.
> 
> Your casual wannabe hacker will be confused (or his script). But I don't think that this simple
> obscuring scheme will block any serious attack.
> 
> Masi
> 
> PS: Some HTTP clients fake their identity. Why not lie on the server side? Add a fake Server
> header on a random basis. Now we're an IIS, the next moment we're a Zeus :-)

Great.  Now we have >60% market share according to NetCraft and after a stunt with random
Server headers we have ?

People, why, oh why, do we need to muck with the Server header?  Who cares?  Attacks will
be run regardless of Server headers (and if not, they will as soon as we start removing them).
So, in the end, what good does it do?


Sander

PS.  Please search the archives before responding, because this is a topic that seems
     to come back every six months or so.
