[EMAIL PROTECTED] wrote:
Blocking the version number is worse than reporting stale version information. At least they can determine a minimum security level. Incorrect information cuts both ways, helping the hacker and legitimate user at the same time. Better to prefer the legitimate user's interest.
SP

How many "legitimate users" even know of the existence of the OpenSSL version number? How many of those actually care?

Now compare that number to how many hackers know and care about the same information. Percentage-wise, users don't care. Hackers do. As well as geeks. If you care, you are either a hacker or a geek. The average user doesn't even know about the existence of OpenSSL, let alone its version number, and they also don't care. They implicitly trust that people are doing their jobs and keeping servers up-to-date. Hence geeks and hackers are the only people who will ever see an OpenSSL version number. And hackers are the only ones who will abuse it. The OP's point is still valid...users don't care. And most people spending a million dollars are not geeks.

My point is that 100% of the people here aren't qualified to discuss how users think because we're all geeks and assume the rest of the world is/should be too (anyone brilliant enough to join openssl-users is a geek - yes, I realize I'm calling myself that too). The OP wants to remove the Apache server header announcing that Apache is being used and what compiled modules are included (one of them being OpenSSL). That is doable. I'm pretty sure there is an option somewhere in the httpd.conf file. Edit that and restart the server. Just realize you are a geek and you'll be fine (or maybe you'll realize you don't want to be one and will decide to change careers).

--
Thomas Hruska
Shining Light Productions

Home of BMP2AVI, Nuclear Vision, ProtoNova, and Win32 OpenSSL.
http://www.slproweb.com/

Ask me about discounts on any Shining Light Productions product!

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
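The httpd.conf knob the reply above points at is Apache's ServerTokens directive (with ServerSignature covering error-page footers). Below is an added example, not code from the post or from the Apache project: a small audit that reads an httpd.conf, works out the effective values of those two directives, and shows what the Server header would carry at each documented ServerTokens level. The two sample configs and the version and module strings in the previews are constructed placeholders, not output from any real server.

```python
"""Audit an Apache httpd.conf for Server-header disclosure settings.

Added example for this thread (not the post's or Apache's own code). It
models the documented behaviour of ServerTokens and ServerSignature;
the version and module strings in the previews are constructed
placeholders.
"""
import re

# Documented ServerTokens levels, least to most talkative, with a preview of
# the Server header each one produces (placeholder version/module values).
_TOKENS_LEVELS = {
    "prod":  "Apache",
    "major": "Apache/2",
    "minor": "Apache/2.4",
    "min":   "Apache/2.4.X",
    "os":    "Apache/2.4.X (Unix)",
    "full":  "Apache/2.4.X (Unix) OpenSSL/1.X.X mod_example/1.0",
}

# Matches a ServerTokens or ServerSignature directive at line start; lines
# starting with '#' never match, so commented-out directives are ignored.
_DIRECTIVE_RE = re.compile(r"^\s*(ServerTokens|ServerSignature)\s+(\S+)",
                           re.I | re.M)


def _normalize(name, value):
    """Map Apache's accepted spellings onto one canonical value."""
    v = value.lower()
    if name == "servertokens":
        if v in ("prod", "productonly"):
            return "prod"
        if v in ("min", "minimal"):
            return "min"
        if v in _TOKENS_LEVELS:
            return v
        raise ValueError(f"unknown ServerTokens value: {value}")
    if v in ("on", "off", "email"):
        return v
    raise ValueError(f"unknown ServerSignature value: {value}")


def effective_settings(conf_text):
    """Return (ServerTokens, ServerSignature) in effect for this config.

    Apache defaults: ServerTokens Full, ServerSignature Off. When a directive
    appears more than once, the last occurrence wins, as in httpd.conf.
    """
    tokens, signature = "full", "off"
    for m in _DIRECTIVE_RE.finditer(conf_text):
        name = m.group(1).lower()
        value = _normalize(name, m.group(2))
        if name == "servertokens":
            tokens = value
        else:
            signature = value
    return tokens, signature


def header_preview(level):
    """Server header that the given ServerTokens level would emit."""
    return _TOKENS_LEVELS[_normalize("servertokens", level)]


def audit(conf_text):
    """Return a list of findings; an empty list means the banner is minimal."""
    tokens, signature = effective_settings(conf_text)
    findings = []
    if tokens != "prod":
        findings.append(
            f"ServerTokens {tokens}: Server header would read "
            f"'{_TOKENS_LEVELS[tokens]}'; set 'ServerTokens Prod'")
    if signature != "off":
        findings.append(
            f"ServerSignature {signature}: error pages and index listings "
            f"append a server footer; set 'ServerSignature Off'")
    return findings


# Constructed sample: defaults left in place (the talkative configuration).
WEAK_CONF = """
ServerRoot "/etc/httpd"
ServerTokens Full
ServerSignature On
"""

# Constructed sample: the hardened configuration the reply describes.
HARDENED_CONF = """
ServerRoot "/etc/httpd"
# ServerTokens Full   <- commented out, so it is ignored
ServerTokens Prod
ServerSignature Off
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, effective_settings(conf), audit(conf) or "OK")
```

Two things worth remembering when applying this: ServerTokens is a main-server directive (it is not set per virtual host), and trimming the banner only changes what is advertised, not which OpenSSL the server is actually linked against, so the thread's other point about keeping the server patched still applies.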