On 12/6/06, Colm MacCarthaigh <[EMAIL PROTECTED]> wrote:
On Wed, Dec 06, 2006 at 01:43:49PM -0500, Jeff Trawick wrote:
> * The Apache HTTP Server project believes that most people who want to
> avoid sending the Server header mistakenly think that doing so may
> protect their server from attacks based on known flaws in older Apache
> HTTPD releases, when in fact the only reasonable way to address these
> flaws is to upgrade to new Apache HTTPD releases which correct
> security problems affecting your configuration.  By restricting the
> ability to configure Apache in this manner, we wish to raise awareness
> of the need to upgrade when critical vulnerabilities are addressed.
>
> (what other reasons go here?)

I think the more important thing about the "security" reason is that it
actually *degrades* security, because it impedes the ability to audit.
Finding out-of-date installations is an nmap one-liner if you leave the
Server header alone. If you disable it, you have to start logging in to
the boxes (and getting that access and so on) and check things locally.

The admin who would want to code "ServerTokens Off" is already coding
"ServerTokens Prod", so that is an argument to stop doing what you've
been able to do since 1.3.14.
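To make the auditing argument concrete, here is an added example (not code from the thread or from the Apache project): a small Python inventory check over constructed `Server` header values, showing which hosts can be judged out of date from the banner and which (ServerTokens Prod, or the header removed) cannot be audited remotely at all. The host names, header strings and minimum version are all constructed for illustration.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample of Server headers as a fleet scan might collect them,
# one per host. These are not real hosts or real scan results.
SCAN_RESULTS: Dict[str, str] = {
    "web-01": "Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3",
    "web-02": "Server: Apache/2.2.9 (Debian)",
    "web-03": "Server: Apache",          # ServerTokens Prod: product only
    "web-04": "",                        # header suppressed entirely
    "web-05": "Server: nginx/1.0.0",     # not Apache at all
}

APACHE_RE = re.compile(r"^Server:\s*Apache\b")
VERSION_RE = re.compile(r"^Server:\s*Apache/(\d+)\.(\d+)\.(\d+)")


def parse_apache_version(header: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) if the banner carries an Apache version."""
    m = VERSION_RE.match(header)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def audit(results: Dict[str, str], minimum: Tuple[int, int, int]) -> Dict[str, str]:
    """Classify each host from its banner alone.

    'outdated'  - Apache version below the required minimum
    'current'   - Apache version at or above the minimum
    'other'     - a non-Apache server, out of scope for this check
    'unknown'   - no version visible (ServerTokens Prod or header removed);
                  this host can only be audited by logging in locally.
    """
    report: Dict[str, str] = {}
    for host, header in results.items():
        if not header:
            report[host] = "unknown"
        elif not APACHE_RE.match(header):
            report[host] = "other"
        else:
            version = parse_apache_version(header)
            if version is None:
                report[host] = "unknown"
            elif version < minimum:
                report[host] = "outdated"
            else:
                report[host] = "current"
    return report
```

Run with `audit(SCAN_RESULTS, (2, 2, 9))`: only web-01 is flagged as outdated, while web-03 and web-04 come back "unknown" and would each need a local check, which is exactly the extra work the banner-hiding argument ignores.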
