RE: Hiding headers for OpenSSL

2006-08-22 Thread Marek Marcola
On Mon, 2006-08-21 at 11:42 -0700, [EMAIL PROTECTED] wrote:
   The long version: We run security check software, which makes connections with various services, calls up the header, and then tells us that based upon the version it read in the header, this service has certain vulnerabilities.
 
  I just have to say one more thing:
 
  You run security check software, and you are asking us for help in reducing the effectiveness of that software? Are you really more concerned with keeping your vulnerabilities secret than in fixing them?
We don't know how this software is used. Security scanners (like Nessus) have
a distributed architecture and agents may be installed on the checked systems.
In this situation banners are not important because the security scanner
agent has access to the operating system and may exactly check the installed
patches/versions/... without looking at banners.
And the next thing: if someone wants to hide his software, he has the right
to do that; of course this is no defence against hackers, but there
is nothing bad in that.
We know too little of this system/person to judge or even to offend
other persons. Live and let others live.

Best regards,
-- 
Marek Marcola [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]
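Marek's point that a scanner agent with access to the operating system can check installed packages instead of banners, and the RHEL backport problem the original poster describes (banner says one upstream version, the package release carries the fix), can be made concrete. The following is an added Python example, not code from the thread or from OpenSSL, Nessus or Red Hat: it reimplements the version-comparison algorithm of rpm's rpmvercmp() (simplified, without the "~" and "^" separators later rpm releases added) and runs a banner-based check and a package-based check against the same host. The package names, release numbers and the "fixed in" versions are constructed for illustration and are not taken from any real advisory.

```python
import re


def rpmvercmp(a, b):
    """Compare two RPM version (or release) strings the way rpm's rpmvercmp() does:
    split each into runs of digits and letters, compare run by run (numeric runs by
    value, alphabetic runs as strings, a numeric run beats an alphabetic one), and a
    string with runs left over is newer. Returns -1, 0 or 1.
    Simplified: the "~" and "^" separators of newer rpm releases are not handled."""
    runs_a = re.findall(r"\d+|[A-Za-z]+", a)
    runs_b = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(runs_a, runs_b):
        if x.isdigit() and y.isdigit():
            # Numeric: drop leading zeros, then the longer string is the larger number.
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return (len(x) > len(y)) - (len(x) < len(y))
        elif x.isdigit() != y.isdigit():
            # Mixed: a numeric run is considered newer than an alphabetic one.
            return 1 if x.isdigit() else -1
        if x != y:
            # Equal-length numeric runs and alphabetic runs compare as strings.
            return 1 if x > y else -1
    return (len(runs_a) > len(runs_b)) - (len(runs_a) < len(runs_b))


def split_nvr(nvr):
    """'openssl-0.9.7a-43.17' -> ('openssl', '0.9.7a', '43.17')"""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def package_at_least(installed_nvr, fixed_nvr):
    """What an on-host agent can do: compare the installed package's version and
    release against the package that carries the fix (epoch ignored for brevity)."""
    n1, v1, r1 = split_nvr(installed_nvr)
    n2, v2, r2 = split_nvr(fixed_nvr)
    if n1 != n2:
        raise ValueError("different packages: %s vs %s" % (n1, n2))
    c = rpmvercmp(v1, v2)
    if c == 0:
        c = rpmvercmp(r1, r2)
    return c >= 0


def banner_at_least(banner_version, fixed_upstream_version):
    """What a banner-based scanner does: compare the upstream version string from
    the Server header with the upstream version that fixed the bug. A fix that the
    vendor backported into the same upstream version is invisible to this check."""
    return rpmvercmp(banner_version, fixed_upstream_version) >= 0


# Constructed scenario (not a real advisory): the banner says OpenSSL/0.9.7a,
# upstream fixed the bug in 0.9.7d, the vendor backported the fix into package
# release 0.9.7a-43.14, and the host runs 0.9.7a-43.17.
BANNER_VERSION = "0.9.7a"
FIXED_UPSTREAM = "0.9.7d"
INSTALLED = "openssl-0.9.7a-43.17"
FIXED_PACKAGE = "openssl-0.9.7a-43.14"


def scan_results():
    """Both verdicts for the constructed host: the banner check reports a false
    positive, the package check sees the backported fix."""
    return {
        "banner_check_says_patched": banner_at_least(BANNER_VERSION, FIXED_UPSTREAM),
        "package_check_says_patched": package_at_least(INSTALLED, FIXED_PACKAGE),
    }


if __name__ == "__main__":
    for check, verdict in scan_results().items():
        print("%-28s %s" % (check, verdict))
```

The banner check has no way to see the release field, which is where distributions record backported fixes; hiding or altering the banner does not change that, it only turns a wrong answer into no answer. Fixing the scanner's data source, as Michael suggests further down, is what removes the false positive.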


Re: Hiding headers for OpenSSL

2006-08-22 Thread Lutz Jaenicke
On Mon, Aug 21, 2006 at 04:15:46PM -0500, Doug Nebeker wrote:
  
 The problem is that virtually no legit users will ever look, but the hackers definitely will. I'll admit (being a geek) that I checked once when logging into my banking site for the first time many years ago. So maybe I was 'benefitted' that one time (and my case is definitely not typical), but the hackers could be 'benefitting' over and over with internal knowledge.
 
 The same arguments (showing that I'm trustworthy) could be made for posting company network diagrams, physical site security procedures, backup courier, etc, but nobody does that.
 
 The risk/reward ratio doesn't justify giving the information out in my opinion.

This discussion is useless:
* OpenSSL does not disclose its version to attackers coming from the
  network as the SSL/TLS protocol does not give any version information
  of the software used (it does give protocol compatibility information
  needed for interoperability wrt SSLv2, SSLv3 etc)
* It is the application using OpenSSL (in this case Apache) disclosing
  the information.
  - Please complain to the Apache people.
* Both projects OpenSSL and Apache are Open Source projects. If you find
  anything about it annoying please feel free to make any modification
  you want.
* Meta bullet point:
  This discussion about version information and security through obscurity
  has been seen often enough (have a look into the OpenSSH mailing list
  archives) and it finally leads nowhere.
  I will therefore not comment wrt my personal point of view.

Best regards,
Lutz

 
 
 [EMAIL PROTECTED] wrote on 08/21/2006 03:15:33 PM:
 
  [...]
  
  
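Lutz's first point, that the SSL/TLS handshake carries protocol compatibility information but no software version, can be checked on the wire. The following is an added Python example, not code from the thread or from OpenSSL: it parses a constructed TLS 1.0 ServerHello record (the bytes are made up for illustration and the random field is filler, not a captured value) and lists every field the message contains. The only version present is the protocol version; nothing names the library or its release. Marek's caveat elsewhere in the thread still applies: implementation quirks can be fingerprinted, but that is behaviour, not a field in the protocol.

```python
import struct

# Constructed example: a TLS 1.0 ServerHello record with an empty session id and
# no extensions, the shape an SSLv3/TLS 1.0 server of the era would send.
SERVER_HELLO = bytes.fromhex(
    "16" "0301" "002a"      # record header: handshake (22), version 3.1, 42 bytes
    "02" "000026"           # handshake header: ServerHello (2), 38 bytes
    "0301"                  # negotiated protocol version: TLS 1.0
    + "11" * 32             # server random: 32 bytes of constructed filler
    + "00"                  # session id length: 0
    + "002f"                # cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
    + "00"                  # compression method: null
)

TLS_VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def parse_server_hello(record):
    """Walk the record and handshake headers and return every field a ServerHello
    carries. All of them are protocol state; there is no product or version string."""
    if len(record) < 5:
        raise ValueError("short record header")
    content_type, ver_major, ver_minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != 22:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != 2:
        raise ValueError("not a ServerHello")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated handshake message")
    pos = 0
    version = (hs[pos], hs[pos + 1]); pos += 2
    random = hs[pos:pos + 32]; pos += 32
    sid_len = hs[pos]; pos += 1
    session_id = hs[pos:pos + sid_len]; pos += sid_len
    cipher_suite = int.from_bytes(hs[pos:pos + 2], "big"); pos += 2
    compression = hs[pos]; pos += 1
    extensions = hs[pos:]   # present only if the server sends TLS extensions
    return {
        "record_version": (ver_major, ver_minor),
        "version": version,
        "random": random,
        "session_id": session_id,
        "cipher_suite": cipher_suite,
        "compression": compression,
        "extensions": extensions,
    }


def describe(fields):
    """Everything a passive observer learns from the ServerHello, as text."""
    name = TLS_VERSION_NAMES.get(fields["version"], "unknown %d.%d" % fields["version"])
    return [
        "protocol version %s" % name,
        "cipher suite 0x%04x" % fields["cipher_suite"],
        "compression method %d" % fields["compression"],
        "session id %d bytes" % len(fields["session_id"]),
        "extensions %d bytes" % len(fields["extensions"]),
    ]


if __name__ == "__main__":
    for line in describe(parse_server_hello(SERVER_HELLO)):
        print(line)
```

The record version and the negotiated version are the "protocol compatibility information" Lutz refers to; they are needed for the two sides to agree on SSLv3 versus TLS. There is no slot in this message, or in any other handshake message, for an "OpenSSL x.y.z" string, so nothing in OpenSSL's configuration can hide or show one.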

Re: Hiding headers for OpenSSL

2006-08-22 Thread Scott Campbell
Guys, While I appreciate the vibrant discussion, I was not asking for the pros and cons of hiding the header information, whether or not one feels it promotes security, and whether one believes meddling with this makes one a geek or not. In many people's desire to announce their opinion on the matter, the question was ignored. Your thoughts are much appreciated, but I need a technical answer.
 My question is (rephrased), if possible, how can I hide the headers in OpenSSL from being broadcast to software running rudimentary security scans (e.g., Nessus)? Is there a line I can add to a conf file?
 Is preventing the broadcast of software, version, and OS through Apache all I need to do to prevent people from seeing that information? Last (though new) question: I thought that OpenSSL does not pass header information back and forth to the client when establishing a secure connection, but in fact, only certificate authentication is performed? In other words, the client (however legitimate) doesn't need to know the header information of my OpenSSL; if the certificate is authenticated, the connection is made.
 Thanks in advance, Scott


Re: Hiding headers for OpenSSL

2006-08-22 Thread Bernhard Froehlich

Scott Campbell wrote:

[...]
My question is (rephrased), if possible, how can I hide the 
headers in OpenSSL from being broadcast to software running 
rudimentary security scans (e.g., Nessus)?

Is there a line I can add to a conf file?
Is preventing the broadcast of software, version, and OS through 
Apache all I need to do to prevent people from seeing that information?


Last (though new) question: I thought that OpenSSL does not pass 
header information back and forth to the client when establishing a 
secure connection, but in fact, only certificate authenticating is 
performed?  In other words, the client (however legitimate) doesn't 
need to know the header information of my OpenSSL; if the certificate 
is authenticated, the connection is made.


Thanks in advance,
   Scott

Looks like you missed Lutz' mail, since he (IMHO) answers your questions:

This discussion is useless:
* OpenSSL does not disclose its version to attackers coming from the
  network as the SSL/TLS protocol does not give any version information
  of the software used (it does give protocol compatibility information
  needed for interoperability wrt SSLv2, SSLv3 etc)
* It is the application using OpenSSL (in this case Apache) disclosing
  the information.
  - Please complain to the Apache people.
* Both projects OpenSSL and Apache are Open Source projects. If you find
  anything about it annoying please feel free to make any modification
  you want.
  
I might add the following: There is a configuration option of Apache 
which allows you to customize the reported version string in the HTTP 
headers, but I just don't remember its name.
If that is not flexible enough (and I remember it correctly) the 
responsible part of the Apache source code is not hard to find either. ;)


Ted
;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26





Re: Hiding headers for OpenSSL

2006-08-22 Thread Scott Campbell
You are correct; I did miss Lutz's email. Lutz ... thank you. That is exactly the answer I was looking for, to all my questions. Thank you openssl list, and to all those who provided helpful feedback.

Sincerely, Scott

On 8/22/06, Bernhard Froehlich [EMAIL PROTECTED] wrote:
 [...]

-- 
Scott Campbell [EMAIL PROTECTED]
"Listen to the mustn'ts, child..."


RE: Hiding headers for OpenSSL

2006-08-22 Thread Diffenderfer, Randy
Folks,

For the sake of closure (and finality, one would hope :-) ), the relevant Apache configuration parameter is "ServerTokens". There is also a spiffy module available to do just about anything you might desire here: modsecurity.

Works for me...
rnd

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Campbell
  Sent: Tuesday, August 22, 2006 11:21 AM
  To: openssl-users@openssl.org
  Subject: Re: Hiding headers for OpenSSL

  [...]
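Lutz's diagnosis (the version string comes from Apache's Server header, not from OpenSSL) and Randy's answer (the ServerTokens directive) together describe what actually changes on the wire. The following is an added Python example, not code from the thread or from the Apache project: it splits a Server header into product/version tokens the way a banner-based scanner does, and reproduces what each documented ServerTokens setting (Prod, Major, Minor, Min, OS, Full) leaves of the header. The header value is constructed and its version numbers are illustrative.

```python
import re

# Constructed example: the Server header Apache 2.0 with mod_ssl compiled in sends
# at the default "ServerTokens Full". Version numbers are illustrative.
FULL_HEADER = "Apache/2.0.55 (Unix) mod_ssl/2.0.55 OpenSSL/0.9.7g"

_COMMENT = re.compile(r"\([^()]*\)")          # "(Unix)", "(Red Hat)", ...
_PRODUCT = re.compile(r"([^\s/()]+)(?:/(\S+))?")  # "name" or "name/version"


def parse_server_header(value):
    """Split a Server header into (product, version) pairs, ignoring parenthesised
    comments. Version is None for a bare product token. This is the lookup a
    banner-based scanner performs before matching versions against its database."""
    stripped = _COMMENT.sub(" ", value)
    return [(m.group(1), m.group(2)) for m in _PRODUCT.finditer(stripped)]


def server_header_for(level, header=FULL_HEADER):
    """Reproduce what Apache's ServerTokens directive leaves of the Full header at
    each setting, following the mapping documented for the directive:
    Prod -> "Apache", Major -> "Apache/2", Minor -> "Apache/2.0",
    Min -> "Apache/2.0.55", OS -> "Apache/2.0.55 (Unix)", Full -> everything."""
    products = parse_server_header(header)
    name, version = products[0]           # the server product token comes first
    parts = version.split(".") if version else []
    os_comment = _COMMENT.search(header)
    level = level.lower()
    if level in ("prod", "productonly"):
        return name
    if level == "major":
        return "%s/%s" % (name, parts[0])
    if level == "minor":
        return "%s/%s" % (name, ".".join(parts[:2]))
    if level in ("min", "minimal"):
        return "%s/%s" % (name, version)
    if level == "os":
        return "%s/%s %s" % (name, version, os_comment.group(0)) if os_comment else "%s/%s" % (name, version)
    if level == "full":
        return header
    raise ValueError("unknown ServerTokens value: %s" % level)


def disclosed_library_versions(header):
    """Versions of everything except the server product itself: the compiled-in module
    banners (mod_ssl, OpenSSL, PHP, ...) that a scanner keys its version checks on."""
    return {product: version for product, version in parse_server_header(header)[1:] if version}


if __name__ == "__main__":
    for level in ("Full", "OS", "Min", "Minor", "Major", "Prod"):
        value = server_header_for(level)
        print("ServerTokens %-5s -> Server: %s" % (level, value))
        print("    library versions visible: %s" % (disclosed_library_versions(value) or "none"))
```

Any setting below Full drops the mod_ssl and OpenSSL tokens, so `ServerTokens Prod` in httpd.conf answers the original question as far as the HTTP layer is concerned; `ServerSignature Off` removes the matching footer line from server-generated error pages. Neither directive changes the code that is running, which is the point several posters make: the banner is evidence of configuration, not of patch level.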


Hiding headers for OpenSSL

2006-08-21 Thread Scott Campbell
Dear All, The quick version: How can I disable or prevent OpenSSL headers from being viewable to outside traffic (similar to when you disable Apache from allowing its header and version information from being viewable to the outside world)?
 The long version: We run security check software, which makes connections with various services, calls up the header, and then tells us that based upon the version it read in the header, this service has certain vulnerabilities. For security purposes, we would like to disable the broadcasting of headers so outside users cannot simply call up the header and see what version we're running. Additionally, the vulnerabilities are wrong since the header is one thing but the revision numbers indicate that the vulnerabilities have been resolved (those using RedHat RHEL should be familiar with this issue). What I want to do is prevent outside connections from seeing any version information, in order to give potential abusers as little information about our system as possible.
 In Apache, you can modify the information sent to almost anything. We disable such broadcasting, and I was hoping you can do the same with OpenSSL. Thank you in advance, Scott


Re: Hiding headers for OpenSSL

2006-08-21 Thread Michael Sierchio

Scott Campbell wrote:

 The long version:  We run security check software, which makes 
connections with various services, calls up the header, and then tells 
us that based upon the version it read in the header, this service has 
certain vulnerabilities.  For security purposes, we would like to 
disable the broadcasting of headers so outside users cannot simply call 
up the header and see what version we're running.  Additionally, the 
vulnerabilities are wrong since the header is one thing but the revision 
numbers indicate that the vulnerabilities have been resolved (those 
using RedHat RHEL should be familiar with this issue).  What I want to 
do is prevent outside connections from seeing any version information, 
in order to give potential abusers as little information about our 
system as possible.


It sounds as if you're approaching this in a bass-ackwards way.

First - fix the false positives in your vulnerability reporting.

Second - the bid for security through obscurity in not reporting
the version number seems misguided to me.


RE: Hiding headers for OpenSSL

2006-08-21 Thread David Schwartz

 The long version: We run security check software, which makes connections with various services, calls up the header, and then tells us that based upon the version it read in the header, this service has certain vulnerabilities.

You mean it might have certain vulnerabilities. You certainly can't be sure just based on the version, local patches could have been applied.

 For security purposes, we would like to disable the broadcasting of headers so outside users cannot simply call up the header and see what version we're running.

Right, we don't want the people who have to rely on us to be secure to know that we aren't secure. And if we are secure, we don't want to reassure people that we did fix the latest bugs, because we just like to keep them guessing.

 Additionally, the vulnerabilities are wrong since the header is one thing but the revision numbers indicate that the vulnerabilities have been resolved (those using RedHat RHEL should be familiar with this issue). What I want to do is prevent outside connections from seeing any version information, in order to give potential abusers as little information about our system as possible.

Right, don't want to give those potential abusers any incorrect information.

Wow, you guys do things very differently from the rest of us.

DS




RE: Hiding headers for OpenSSL

2006-08-21 Thread David Schwartz

  The long version: We run security check software, which makes connections with various services, calls up the header, and then tells us that based upon the version it read in the header, this service has certain vulnerabilities.

I just have to say one more thing:

You run security check software, and you are asking us for help in reducing the effectiveness of that software? Are you really more concerned with keeping your vulnerabilities secret than in fixing them?

DS




Re: Hiding headers for OpenSSL

2006-08-21 Thread Marek Marcola
Hello,
  The quick version: How can I disable or prevent OpenSSL headers from being viewable to outside traffic (similar to when you disable Apache from allowing its header and version information from being viewable to the outside world)?
OpenSSL implements the SSL3/TLS1 protocol, and there is no place in it to put
any library version information.
Of course an attacker may use some specific behaviour of the SSL layer to guess
what version you have, but you have no control over that.
In general, in the SSL protocol there is no place for, for example, an
"OpenSSL x.y.z" string.

Best regards,
-- 
Marek Marcola [EMAIL PROTECTED]



Re: Hiding headers for OpenSSL

2006-08-21 Thread Thomas J. Hruska

David Schwartz wrote:

  The long version: We run security check software, which makes connections with various services, calls up the header, and then tells us that based upon the version it read in the header, this service has certain vulnerabilities.

 You mean it might have certain vulnerabilities. You certainly can't be sure just based on the version, local patches could have been applied.

  For security purposes, we would like to disable the broadcasting of headers so outside users cannot simply call up the header and see what version we're running.

 Right, we don't want the people who have to rely on us to be secure to know that we aren't secure. And if we are secure, we don't want to reassure people that we did fix the latest bugs, because we just like to keep them guessing.

  Additionally, the vulnerabilities are wrong since the header is one thing but the revision numbers indicate that the vulnerabilities have been resolved (those using RedHat RHEL should be familiar with this issue). What I want to do is prevent outside connections from seeing any version information, in order to give potential abusers as little information about our system as possible.

 Right, don't want to give those potential abusers any incorrect information.

 Wow, you guys do things very differently from the rest of us.

 DS


The OP, however, is right.  Why report the version at all to the user of 
a website?  There is no need to let them know you are even running 
OpenSSL let alone the version being run.  I'm not talking about security 
through obscurity.  I'm referring to common sense.  Don't tell people 
what you are running unless it is absolutely necessary for proper 
operation.  Since version information is metadata, it is not necessary 
for the proper operation of OpenSSL.  The only thing it does is waste a 
few bytes of bandwidth every time someone connects.  Just a thought.


--
Thomas Hruska
Shining Light Productions

Home of BMP2AVI, Nuclear Vision, ProtoNova, and Win32 OpenSSL.
http://www.slproweb.com/

Ask me about discounts on any Shining Light Productions product!



Re: Hiding headers for OpenSSL

2006-08-21 Thread Thomas J. Hruska

Thomas J. Hruska wrote:

 [...]


I should have mentioned that the OP is probably referring to Apache 
headers - where OpenSSL and other modules get compiled into Apache.  The 
displayed Server HTTP header response contains OpenSSL x.y.z and is 
usually the wrong version that gets reported.  Most people patch OpenSSL 
without rebuilding Apache.  But why report anything in the first place? 
 There is no need to do so except to look geeky for those who care 
about looking geeky.  It isn't a matter of security.  It is a matter of 
who is the bigger geek/nerd/whatever.


--
Thomas Hruska


RE: Hiding headers for OpenSSL

2006-08-21 Thread David Schwartz

 The OP, however, is right.  Why report the version at all to the user of
 a website?  There is no need to let them know you are even running
 OpenSSL let alone the version being run.  I'm not talking about security
 through obscurity.  I'm referring to common sense.  Don't tell people
 what you are running unless it is absolutely necessary for proper
 operation.  Since version information is metadata, it is not necessary
 for the proper operation of OpenSSL.  The only thing it does is waste a
 few bytes of bandwidth every time someone connects.  Just a thought.

We've come a long way from the time when banks posted their reserve ratios in the window.

If you have fixed the latest vulnerabilities, why would you want to keep this a secret from the people you are asking to trust you? And if you have not, what right do you have to keep that secret? The main reason you run SSL is because you are going to ask other people to trust you with their personal data.

It comes down to that fundamental question, why should I trust you? If the answer is because you do things securely, fixing vulnerabilities and choosing proven products, why should that need to be a secret? And if a new vulnerability appears and you haven't had a chance to fix it yet, shouldn't I at least have a chance to know that before I trust you with sensitive information?

Security through obscurity is wrong for more than just one reason. But a big one is that it robs the people you interoperate with of the chance to judge for themselves whether you are trustworthy. They may just find someone else who is more transparent.

So here's my primary answer: suppose a new SSL bug is discovered. It's fixed in version Y but not version X. I need to put a million dollar order through to your server. What should I do? Should I not give you the order until I can somehow confirm you have version Y? (Which, according to you, I should never be able to do. So in this case you don't get the order.) Or should I just assume you do, because you're typically on the ball? (Which might not be what you want, depending on what the consequences are to *you* if the data leaks to a competitor.)

Why force the people you are asking to trust you into such craziness? Why not reassure them, assuming you do things right. And if you do things wrong, is it really in your interest to dupe people into trusting you? Think long and hard about that -- it may not be.

DS




RE: Hiding headers for OpenSSL

2006-08-21 Thread Steve . Pauly

Blocking the version number is worse than reporting stale version information. At least they can determine a minimum security level. Incorrect information cuts both ways, helping the hacker and legitimate user at the same time. Better to prefer the legitimate user's interest.

SP



[EMAIL PROTECTED] wrote on 08/21/2006 03:15:33 PM:

 [...]


Re: Hiding headers for OpenSSL

2006-08-21 Thread Thomas J. Hruska

[EMAIL PROTECTED] wrote:
Blocking the version number is worse than reporting stale version 
information. At least they can determine a minimum security level. 
Incorrect information cuts both ways, helping the hacker and legitimate 
user at the same time. Better to prefer the legitimate user's interest. 


SP


How many legitimate users even know of the existence of the OpenSSL 
version number?  How many of those actually care?


Now compare that number to how many hackers know and care about the same 
information.  Percentage-wise, users don't care.  Hackers do.  As well 
as geeks.  If you care, you are either a hacker or a geek.  The average 
user doesn't even know about the existence of OpenSSL, let alone its 
version number, and they also don't care.  They implicitly trust that 
people are doing their jobs and keeping servers up-to-date.  Hence geeks 
and hackers are the only people who will ever see an OpenSSL version 
number.  And hackers are the only ones who will abuse it.  The OP's 
point is still valid...users don't care.  And most people spending a 
million dollars are not geeks.


My point is that 100% of the people here aren't qualified to discuss how 
users think because we're all geeks and assume the rest of the world 
is/should be too (anyone brilliant enough to join openssl-users is a 
geek - yes, I realize I'm calling myself that too).  The OP wants to 
remove the Apache server header announcing that Apache is being used and 
what compiled modules are included (one of them being OpenSSL).  That is 
doable.  I'm pretty sure there is an option somewhere in the httpd.conf 
file.  Edit that and restart the server.  Just realize you are a geek 
and you'll be fine (or maybe you'll realize you don't want to be one and 
will decide to change careers).


--
Thomas Hruska
Shining Light Productions

Home of BMP2AVI, Nuclear Vision, ProtoNova, and Win32 OpenSSL.
http://www.slproweb.com/

Ask me about discounts on any Shining Light Productions product!



Re: Hiding headers for OpenSSL

2006-08-21 Thread William A. Rowe, Jr.
Thomas J. Hruska wrote:
 Now compare that number to how many hackers know and care about the same
 information.

None.  If an exploit exists, it will be exploited.  You are a fool if you
expect that a hacker would rely on the reported version number to elect
one of the dozens of past exploits.  They simply pound all of them at the
server until they discover one works.

Legitimate users are the actual browsers and other non-interactive clients
which make deterministic decisions about process flow and exploit *features*
based on if they know the server is capable of using the optimization or
bandwidth saving feature reliably.

Close any vulnerabilities by applying the current/corrected code, if you
actually want to prevent your server from being exploited.  Hiding your
head in the sand by attempting to hide the software you are running is
foolish and silly.



RE: Hiding headers for OpenSSL

2006-08-21 Thread David Schwartz

 [EMAIL PROTECTED] wrote:
  Blocking the version number is worse than reporting stale version
  information. At least they can determine a minimum security level.
  Incorrect information cuts both ways, helping the hacker and legitimate
  user at the same time. Better to prefer the legitimate user's interest.
 
  SP

 How many legitimate users even know of the existence of the OpenSSL
 version number?  How many of those actually care?

How many legitimate users can perform an RSA operation? Obviously we don't
mean human beings do it literally.

 Now compare that number to how many hackers know and care about the same
 information.  Percentage-wise, users don't care.

We don't mean that humans will literally look at the data, we mean
automated processes will to assure that they have a certain level of
security. I don't know if you read the O.P. but that's why he cares -- a
security tool is reporting him as having vulnerabilities or possible
vulnerabilities.

 Hackers do.  As well
 as geeks.  If you care, you are either a hacker or a geek.  The average
 user doesn't even know about the existence of OpenSSL, let alone its
 version number, and they also don't care.

Right, that's why average users use automated tools that well may care
about such things.

 They implicitly trust that
 people are doing their jobs and keeping servers up-to-date.  Hence geeks
 and hackers are the only people who will ever see an OpenSSL version
 number.  And hackers are the only ones who will abuse it.  The OP's
 point is still valid...users don't care.  And most people spending a
 million dollars are not geeks.

And automated tools used by normal people and hackers. And auditors.

 My point is that 100% of the people here aren't qualified to discuss how
 users think because we're all geeks and assume the rest of the world
 is/should be too (anyone brilliant enough to join openssl-users is a
 geek - yes, I realize I'm calling myself that too).  The OP wants to
 remove the Apache server header announcing that Apache is being used and
 what compiled modules are included (one of them being OpenSSL).  That is
 doable.  I'm pretty sure there is an option somewhere in the httpd.conf
 file.  Edit that and restart the server.  Just realize you are a geek
 and you'll be fine (or maybe you'll realize you don't want to be one and
 will decide to change careers).

If you really believed what you are saying, you would have to argue that
the worst people to design security systems are experts in security. That's
a complete load of crap.

He's trying to hide the version from automated auditing processes that are
helping human beings audit security levels and be cautioned about
vulnerabilities.

DS



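Both Thomas Hruska's post (the httpd.conf option that trims the Server header) and David Schwartz's reply (automated tools reading the banner to report vulnerabilities) turn on the same mechanism: a scanner parses the `Server:` line and compares the version it finds against the version a fix shipped in. The following is an added example, not code from the thread or from the OpenSSL or Apache projects. The three banner strings are constructed samples, not captured from any real host; the product names and version numbers in them are illustrative only. The `Prod` sample is the form Apache httpd sends when `ServerTokens Prod` is set, which is the directive Thomas alludes to.

```python
"""Banner-only version checking, as a security scanner does it.

Added example for the openssl-users thread; not code from the thread.
The sample banners below are constructed, not captured from a live server.
"""
import re
from typing import Dict, Tuple

# Constructed sample Server header values (assumptions, not real hosts).
FULL_BANNER = "Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8b DAV/2"
STALE_BANNER = "Apache/2.0.54 (Unix) mod_ssl/2.0.54 OpenSSL/0.9.7e"
PROD_BANNER = "Apache"   # what httpd emits under "ServerTokens Prod"

# product/version token, e.g. "OpenSSL/0.9.8b" or "DAV/2"
TOKEN_RE = re.compile(r"([A-Za-z][\w.+-]*)/([0-9][\w.-]*)")
# bare product token with no version, e.g. "Apache"
BARE_RE = re.compile(r"[A-Za-z][\w.+-]*")


def parse_banner(banner: str) -> Dict[str, str]:
    """Map each product named in a Server header to its advertised version.

    Products that appear without a version (ServerTokens Prod) map to ''.
    Parenthesised platform notes such as "(Unix)" are ignored.
    """
    products: Dict[str, str] = {}
    for field in banner.split():
        m = TOKEN_RE.fullmatch(field)
        if m:
            products[m.group(1)] = m.group(2)
        elif BARE_RE.fullmatch(field):
            products.setdefault(field, "")
    return products


def version_key(version: str) -> Tuple[Tuple[int, str], ...]:
    """Turn an OpenSSL-style version ("0.9.8b") into a comparable tuple.

    Each dotted component becomes (number, letter-suffix), so that
    0.9.8 < 0.9.8a < 0.9.8b and 0.9.7e < 0.9.8.
    """
    key = []
    for part in version.split("."):
        m = re.match(r"(\d*)([A-Za-z]*)", part)
        num = int(m.group(1)) if m.group(1) else 0
        key.append((num, m.group(2)))
    return tuple(key)


def banner_verdict(banner: str, product: str, fixed_in: str) -> str:
    """What a banner-only scanner can conclude about `product`.

    Returns 'vulnerable' if the advertised version is older than `fixed_in`,
    'patched' if it is that version or newer, and 'unknown' if the banner
    does not disclose a version at all.  This is a pure string comparison:
    it cannot see a fix that was backported without changing the version
    string, and it cannot see anything when the version is hidden.
    """
    version = parse_banner(banner).get(product)
    if not version:
        return "unknown"
    if version_key(version) >= version_key(fixed_in):
        return "patched"
    return "vulnerable"


if __name__ == "__main__":
    # Hypothetical fix version used purely for the demonstration.
    for label, banner in (("full", FULL_BANNER), ("stale", STALE_BANNER),
                          ("prod", PROD_BANNER)):
        print(f"{label:5s} -> {banner_verdict(banner, 'OpenSSL', '0.9.8b')}")
```

The three verdicts are the three positions in the thread: a full banner lets the client (or auditor) confirm the version, a stale banner gets the server flagged, and a `ServerTokens Prod` banner gives the scanner nothing to decide on, so whether that counts as "not vulnerable" or "cannot tell" depends entirely on the tool. The caveat a practitioner would add is the one Marek Marcola makes earlier in the thread: a scanner with an agent on the host can check installed packages directly and does not need the banner, while a banner-only check will misreport a distribution that backports fixes without bumping the advertised version.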


RE: Hiding headers for OpenSSL

2006-08-21 Thread Doug Nebeker
 
The problem is that virtually no legit users will ever look, but the hackers
definitely will.  I'll admit (being a geek) that I checked once when logging
into my banking site for the first time many years ago.  So maybe I was
'benefitted' that one time (and my case is definitely not typical), but the
hackers could be 'benefitting' over and over with internal knowledge.

The same arguments (showing that I'm trustworthy) could be made for posting
company network diagrams, physical site security procedures, backup courier,
etc, but nobody does that.

The risk/reward ratio doesn't justify giving the information out in my
opinion.


[EMAIL PROTECTED] wrote on 08/21/2006 03:15:33 PM:

 
  The OP, however, is right.  Why report the version at all to the user of
  a website?  There is no need to let them know you are even running
  OpenSSL let alone the version being run.  I'm not talking about security
  through obscurity.  I'm referring to common sense.  Don't tell people
  what you are running unless it is absolutely necessary for proper
  operation.  Since version information is metadata, it is not necessary
  for the proper operation of OpenSSL.  The only thing it does is waste a
  few bytes of bandwidth every time someone connects.  Just a thought.
 
 We've come a long way from the time when banks posted their reserve ratios
 in the window.
 
 If you have fixed the latest vulnerabilities, why would you want to keep
 this a secret from the people you are asking to trust you? And if you have
 not, what right do you have to keep that secret? The main reason you run SSL
 is because you are going to ask other people to trust you with their
 personal data.
 
 It comes down to that fundamental question, why should I trust you? If
 the answer is because you do things securely, fixing vulnerabilities and
 choosing proven products, why should that need to be a secret? And if a new
 vulnerability appears and you haven't had a chance to fix it yet, shouldn't
 I at least have a chance to know that before I trust you with sensitive
 information?
 
 Security through obscurity is wrong for more than just one reason. But a
 big one is that it robs the people you interoperate with of the chance to
 judge for themselves whether you are trustworthy. They may just find someone
 else who is more transparent.
 
 So here's my primary answer: suppose a new SSL bug is discovered. It's
 fixed in version Y but not version X. I need to put a million dollar order
 through to your server. What should I do? Should I not give you the order
 until I can somehow confirm you have version Y? (Which, according to you, I
 should never be able to do. So in this case you don't get the order.) Or
 should I just assume you do, because you're typically on the ball? (Which
 might not be what you want, depending on what the consequences are to *you*
 if the data leaks to a competitor.)
 
 Why force the people you are asking to trust you into such craziness? Why
 not reassure them, assuming you do things right. And if you do things wrong,
 is it really in your interest to dupe people into trusting you. Think long
 and hard about that -- it may not be.
 
 DS
 



To find out more about Reuters visit www.about.reuters.com

Any views expressed in this message are those of the individual sender, except 
where the sender specifically states them to be the views of Reuters Ltd.
