Re: Removing Server: header

2003-03-27 Thread David Burry
- Original Message - From: "Graham Leggett" > Martin Kutschker wrote: > > > Removing the server header won't hurt. > > Removing the server header is a protocol violation, and serves no purpose. How is it a protocol violation? I can't find anywhere in the HTTP 1.1 protocol where it says t

Re: Removing Server: header

2003-03-27 Thread Aaron Bannert
On Thursday, March 27, 2003, at 01:36 AM, Sander Striker wrote: People, why, oh why, do we need to muck with the Server header? Who cares? Attacks will be run regardless of Server headers (and if not, they will as soon as we start removing them). So, in the end, what good does it do? I totally

Re: Removing Server: header

2003-03-27 Thread Graham Leggett
Martin Kutschker wrote: Removing the server header won't hurt. Removing the server header is a protocol violation, and serves no purpose. Regards, Graham -- - [EMAIL PROTECTED] "There's a moon over Bourb

RE: Removing Server: header

2003-03-27 Thread Sander Striker
> From: Martin Kutschker [mailto:[EMAIL PROTECTED] > Sent: Thursday, March 27, 2003 10:13 AM > Date: Wed, 26 Mar 2003 15:30:53 -0500 > From: "Brass, Phil (ISS Atlanta)" <[EMAIL PROTECTED]> > Removing the server header won't hurt. > > Perhaps you could try to make the ordering of the added header

RE: Removing Server: header

2003-03-27 Thread Martin Kutschker
Date: Wed, 26 Mar 2003 15:30:53 -0500 From: "Brass, Phil (ISS Atlanta)" <[EMAIL PROTECTED]> > OK, so given that Date and Last-Modified are required response headers > and everybody pretty much hates the idea of removing them, and that > removing the Server header amounts to nothing more than secur

RE: Removing Server: header

2003-03-26 Thread David Burry
ar options. Dave -Original Message- From: Brass, Phil (ISS Atlanta) [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 26, 2003 12:31 PM To: [EMAIL PROTECTED] Subject: RE: Removing Server: header OK, so given that Date and Last-Modified are required response headers and everybody pretty much

RE: Removing Server: header

2003-03-26 Thread Brass, Phil (ISS Atlanta)
ED] > Subject: Re: Removing Server: header > > > On Saturday, March 22, 2003, at 07:15 AM, Brass, Phil (ISS Atlanta) > wrote: > > The point of stripping Date and Last-modified headers is that HTTP > > fingerprinting tools look at things like header order, the > f

Re: Removing Server: header

2003-03-25 Thread Roy T. Fielding
On Saturday, March 22, 2003, at 07:15 AM, Brass, Phil (ISS Atlanta) wrote: The point of stripping Date and Last-modified headers is that HTTP fingerprinting tools look at things like header order, the formatting of dates and times, etc. So change the format and order. Stripping them is a protoc

Re: Removing Server: header

2003-03-22 Thread Graham Leggett
Brass, Phil (ISS Atlanta) wrote: The point of stripping Date and Last-modified headers is that HTTP fingerprinting tools look at things like header order, the formatting of dates and times, etc. The Date and Last-Modified headers exist as an integral part of HTTP/1.1, and removing and/or fiddling

RE: Removing Server: header

2003-03-22 Thread Brass, Phil (ISS Atlanta)
] > Sent: Saturday, March 22, 2003 9:55 AM > To: [EMAIL PROTECTED] > Subject: Re: Removing Server: header > > > Brass, Phil (ISS Atlanta) wrote: > > > Hi, I recently patched my debian apache server source to add a new > > ServerToken value, ServerToken=Hide,

Re: Removing Server: header

2003-03-22 Thread Graham Leggett
Brass, Phil (ISS Atlanta) wrote: Hi, I recently patched my debian apache server source to add a new ServerToken value, ServerToken=Hide, which will remove the Server, Date, and Last-Modified headers (to make server identification a little more difficult (yes I know this is bad for proxies, if that