- From: Justin Erenkrantz <justin@erenkrantz.com>
- Date: Tue, 6 Mar 2007 13:33:11 -0800
- To: "David Morris" <dwm@xpasc.com>
- Cc: ietf-http-wg@w3.org, "Nicolas Krebs" <nicolas1.krebs3@netcourrier.com>

On 3/1/07, David Morris <dwm@xpasc.com> wrote:
> It is worth noting that it is sometimes not advisable to provide details
> in the Server: field. Crackers are known to use this information to
> identify vulnerabilities unique to the http server or host OS based
> on version information.

What we tend to see is that they just try all exploits regardless of what is reported by the server.

Now, someone who specifically wants to target your box may use that info to get more information - but there are generally easier ways to fingerprint OSes (via TCP/IP sequence numbers, etc.) that you can't really control for either.

Just another lesson that security by obscurity is bad.

-- justin

Received on Tuesday, 6 March 2007 21:33:24 UTC