Thomas J. Hruska wrote:
David Schwartz wrote:
The long version: We run security check software, which makes connections
with various services, calls up the header, and then tells us that based
upon the version it read in the header, this service has certain
vulnerabilities.

You mean it might have certain vulnerabilities. You certainly can't be sure
just based on the version, local patches could have been applied.

For security purposes, we would like to disable the broadcasting of headers so outside users cannot simply call up the header and see what version we're running.

Right, we don't want the people who have to rely on us to be secure to know
that we aren't secure. And if we are secure, we don't want to reassure
people that we did fix the latest bugs, because we just like to keep them
guessing.

Additionally, the vulnerabilities are wrong since the header is one thing but the revision numbers indicate that the vulnerabilities have been resolved (those using RedHat RHEL should be familiar with this issue). What I want to do is prevent outside connections from seeing any version information, in order to give potential abusers as little information about our system as possible.

    Right, don't want to give those potential abusers any incorrect information.

    Wow, you guys do things very differently from the rest of us.

    DS

The OP, however, is right. Why report the version at all to the user of a website? There is no need to let them know you are even running OpenSSL let alone the version being run. I'm not talking about security through obscurity. I'm referring to common sense. Don't tell people what you are running unless it is absolutely necessary for proper operation. Since version information is "metadata", it is not necessary for the proper operation of OpenSSL. The only thing it does is waste a few bytes of bandwidth every time someone connects. Just a thought.

I should have mentioned that the OP is probably referring to Apache headers - where OpenSSL and other modules get compiled into Apache. The displayed "Server" HTTP header response contains "OpenSSL x.y.z" and is usually the wrong version that gets reported. Most people patch OpenSSL without rebuilding Apache. But why report anything in the first place? There is no need to do so except to look geeky for those who care about looking geeky. It isn't a matter of security. It is a matter of who is the bigger geek/nerd/whatever.

--
Thomas Hruska
Shining Light Productions

Home of BMP2AVI, Nuclear Vision, ProtoNova, and Win32 OpenSSL.
http://www.slproweb.com/

Ask me about discounts on any Shining Light Productions product!
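The "Server" header Thomas describes, parsed the way the OP's scanner reads it, as an added example that is not part of this thread and not OpenSSL or Apache code. The HTTP response and its version numbers are constructed for the demonstration; the check reports which products still announce a version, and the same response rewritten as Apache produces it after "ServerTokens Prod" shows what outsiders learn once the component list is gone.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: status line and headers of a response from an Apache
# build that still announces every compiled-in component (ServerTokens Full).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2007 00:00:00 GMT\r\n"
    "Server: Apache/2.0.59 (Unix) mod_ssl/2.0.59 OpenSSL/0.9.7i PHP/5.2.0\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# One "product/version" token, optionally followed by a parenthesised comment
# such as the operating system, e.g. "Apache/2.0.59 (Unix)".
_TOKEN = re.compile(r"([A-Za-z0-9_.+-]+)(?:/([^\s(]+))?(?:\s*\(([^)]*)\))?")


def parse_headers(raw: str) -> Dict[str, str]:
    """Split a raw HTTP response into a lower-cased header name -> value map."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def server_components(server: str) -> List[Tuple[str, str, str]]:
    """Break a Server header value into (product, version, comment) triples."""
    return [(m.group(1), m.group(2) or "", m.group(3) or "")
            for m in _TOKEN.finditer(server)]


def leaked_versions(raw: str) -> Dict[str, str]:
    """Return every product the Server header exposes together with a version."""
    server = parse_headers(raw).get("server", "")
    return {prod: ver for prod, ver, _ in server_components(server) if ver}


def assess(raw: str) -> str:
    """Summarise what an outside scanner learns from the Server header alone."""
    leaks = leaked_versions(raw)
    if not leaks:
        return "Server header exposes no version information."
    return "Server header exposes versions: " + ", ".join(
        f"{p} {v}" for p, v in leaks.items())


if __name__ == "__main__":
    print(assess(SAMPLE_RESPONSE))
    # The same response after 'ServerTokens Prod' in httpd.conf: product name only.
    print(assess(SAMPLE_RESPONSE.replace(
        "Apache/2.0.59 (Unix) mod_ssl/2.0.59 OpenSSL/0.9.7i PHP/5.2.0", "Apache")))
```

Note that this only checks what is advertised; as David points out, a version string on its own neither proves nor rules out a vulnerability.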

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
