Mads Toftum wrote:
+1 - looking at the number of IIS-targeted worms that keep hitting my
Apache installs seems to suggest that obscuring the server name will at
most lead to a false sense of security. Besides, if you really care, I'm
pretty sure it wouldn't be all that hard to guess what server it is by
looking at all the rest of the headers.

Looking at the way the TCP/IP stack behaves under normal and error conditions.

Looking at the way the HTTP server behaves under normal and error conditions.

Looking at the way the file serving behaves under normal and error conditions.

Looking at the way any scripting technology behaves under normal and error conditions.

You can't hide everything, and why waste your own CPU cycles trying to imitate another platform's quirks, when you could be serving documents with it. Another major point about OSS security is that it can withstand source code disclosure _AND_ still be secure. Maybe other servers' implementations just aren't in the same league of security.

Darryl
