[EMAIL PROTECTED] wrote:
> Blocking the version number is worse than reporting stale version
> information. At least they can determine a minimum security level.
> Incorrect information cuts both ways, helping the hacker and legitimate
> user at the same time. Better to prefer the legitimate user's interest.
> SP
How many "legitimate users" even know of the existence of the OpenSSL
version number? How many of those actually care?
Now compare that number to how many hackers know and care about the same
information. Percentage-wise, users don't care. Hackers do. As well
as geeks. If you care, you are either a hacker or a geek. The average
user doesn't even know about the existence of OpenSSL, let alone its
version number, and they also don't care. They implicitly trust that
people are doing their jobs and keeping servers up-to-date. Hence geeks
and hackers are the only people who will ever see an OpenSSL version
number. And hackers are the only ones who will abuse it. The OP's
point is still valid... users don't care. And most people spending a
million dollars are not geeks.
My point is that 100% of the people here aren't qualified to discuss how
users think because we're all geeks and assume the rest of the world
is/should be too (anyone brilliant enough to join openssl-users is a
geek - yes, I realize I'm calling myself that too). The OP wants to
remove the Apache server header announcing that Apache is being used and
what compiled modules are included (one of them being OpenSSL). That is
doable. I'm pretty sure there is an option somewhere in the httpd.conf
file. Edit that and restart the server. Just realize you are a geek
and you'll be fine (or maybe you'll realize you don't want to be one and
will decide to change careers).
--
Thomas Hruska
Shining Light Productions
Home of BMP2AVI, Nuclear Vision, ProtoNova, and Win32 OpenSSL.
http://www.slproweb.com/
Ask me about discounts on any Shining Light Productions product!
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
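The httpd.conf option the message refers to is the `ServerTokens` directive (together with `ServerSignature`). The following configuration fragment is an added example, not part of the original message or of the Apache or OpenSSL projects' documentation; it shows the permissive setting beside the hardened one. The header values shown in the comments are illustrative and assume an Apache build with mod_ssl loaded.

```apache
# Added example: controlling what Apache discloses in the Server header.
# Not from the original message. Set these in the main server config
# (httpd.conf), then restart httpd as the message describes.

# Permissive setting (the default when the directive is absent).
# With mod_ssl loaded this yields a header along the lines of
#   Server: Apache/2.4.x (Unix) OpenSSL/1.1.1x
# i.e. exactly the OpenSSL version string the thread is about.
# (Version numbers above are placeholders, not real values.)
#ServerTokens Full

# Hardened setting: only the product name is sent, nothing about the
# OS, the httpd version, or compiled/loaded modules such as OpenSSL.
#   Server: Apache
ServerTokens Prod

# Also suppress the "Apache/2.4.x (Unix) ... Server at host Port 443"
# footer that httpd appends to its own error pages and directory listings.
ServerSignature Off
```

After restarting, a simple check from the admin's workstation is `curl -sI https://yourhost/ | grep -i '^Server:'`; the line should read `Server: Apache` with no version or module list. Note that this only hides the string: the version that is actually running (and any need to upgrade it) is unchanged, which is the trade-off the quoted reply is arguing about.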