
Re: products in Server header field

From: Justin Erenkrantz <justin@erenkrantz.com>
Date: Tue, 6 Mar 2007 13:33:11 -0800
Message-ID: <5c902b9e0703061333l37810e2ag6d56b028751a15e2@mail.gmail.com>
To: "David Morris" <dwm@xpasc.com>
Cc: ietf-http-wg@w3.org, "Nicolas Krebs" <nicolas1.krebs3@netcourrier.com>

On 3/1/07, David Morris <dwm@xpasc.com> wrote:
> It is worth noting that it is sometimes not advisable to provide details
> in the Server: field. Crackers are known to use this information to
> identify vulnerabilities unique to the http server or host OS based
> on version information.

What we tend to see is that they just try all exploits irregardless of
what is reported by the server.  Now, someone who specifically wants
to target your box may use that info to get more information - but
there are generally easier ways to fingerprint OSes (via TCP/IP
sequence numbers, etc.) that you can't really control for either.
Just another lesson that security by obscurity is bad.  -- justin
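A defender-side check of the point discussed in this thread, added here as an example that is not part of the original mail: it parses a Server header into product tokens and comments following the RFC 2616 grammar (product = token ["/" product-version]) and reports which products expose a version, so an operator can audit what a server discloses. The header value and function names are constructed for this illustration.

```python
"""Added example (not from the thread): parse an HTTP Server header into
product tokens and report version disclosure."""
import re
from typing import List, Tuple

# tchar set from the HTTP token grammar; '/' and parentheses are excluded
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def parse_server_header(value: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return ([(product, version), ...], [comment, ...]) for a Server header.
    Comments are parenthesised and may nest; version is '' when absent."""
    products, comments = [], []
    i, n = 0, len(value)
    while i < n:
        ch = value[i]
        if ch.isspace():
            i += 1
        elif ch == "(":
            depth, start = 0, i
            while i < n:
                if value[i] == "(":
                    depth += 1
                elif value[i] == ")":
                    depth -= 1
                    if depth == 0:
                        break
                i += 1
            if depth != 0:
                raise ValueError("unterminated comment in Server header")
            comments.append(value[start + 1:i])  # strip the outer parentheses
            i += 1
        else:
            m = _TOKEN.match(value, i)
            if not m:
                raise ValueError(f"unexpected character {ch!r} at offset {i}")
            name, i, version = m.group(0), m.end(), ""
            if i < n and value[i] == "/":
                m = _TOKEN.match(value, i + 1)
                if not m:
                    raise ValueError(f"missing product-version after {name}/")
                version, i = m.group(0), m.end()
            products.append((name, version))
    return products, comments


def disclosed_versions(value: str) -> List[str]:
    """Names of the products whose version the header exposes."""
    return [name for name, ver in parse_server_header(value)[0] if ver]


SAMPLE = "Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8e DAV/2"  # constructed
```

Running `disclosed_versions(SAMPLE)` lists every component whose version is leaked, which is the information the thread's original poster argues should not be advertised.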

Received on Tuesday, 6 March 2007 21:33:24 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:50:00 GMT