httpd-users mailing list archives

From Colm MacCarthaigh <c...@stdlib.net>
Subject Re: [users@httpd] Stop Apache from reporting version number anywhere..
Date Mon, 26 Jan 2004 10:38:10 GMT
On Mon, Jan 26, 2004 at 11:00:23AM +0100, Boyle Owen wrote:
> - The "token senders" have known all about the server signature thing
> for a long time and understand its purpose, which is to help the
> internet remain a "community". When you advertise your server signature,
> you allow people like the W3C, ICANN etc to collect statistics on who's
> using what servers and at what version. This is useful information and
> helps the web to evolve.

I don't think this is about ICANN and the W3C at all - they don't 
even do large-scale surveys, I think Netcraft are the only people 
who do these days. It's not about old fogeys remembering the good
old days of openness and cooperation, it's much more pragmatic and
practical than that.

Server signatures are one of the most positive useful security resources, 
they are a tool which allows you to collect information and statistics 
about what's on your own network. I'm a member of a reasonably large NOC, 
and personally maintain dozens of webservers, within our whole network 
we're easily into the thousands of webservers.

When a vulnerability is found, we can quickly identify which of our
machines need upgrading, and give clients an idea of what machines they
need to look at - because I can easily automate connecting to them all
and finding out what they're running.

If someone obfuscates their banner, we lose that easy ability, and I'm
not going to the trouble of writing a whisker implementation - if someone
is hiding their Server signature - I'm assuming they don't want me to
know what it's running (despite how trivial it is to find out anyway)
and hence don't want the benefits of an advance warning.

Server signatures are great security resources. Turning them off has
entirely negative consequences, ranging from the above to the very human
tendency to put off an upgrade because you've "already taken care of that,
they won't find it for now".

There is simply no reliable way to hide the server you're running, it
can't be done. HTTP is a complex protocol with literally billions of
permutations of responses, header orderings, error documents, directory
indexes, escape sequencing and plain old bugs. There will always be a way
to fingerprint a server, and no one has ever managed to make two versions
behave exactly alike (then why would there be another version?).

Personally I'm in favour of implementing an option in Apache to obfuscate
signatures. It comes up so often, and so many people patch it in anyway
that it hardly seems worth not affording people the choice. But frankly,
anyone who obfuscates their Server Signature is simply displaying their
ignorance and naivety, for very real-world important reasons.

-- 
Colm MacCárthaigh                        Public Key: colm+pgp@stdlib.net

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
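An added example, not part of the thread above, of the inventory use Colm describes: take the raw HTTP responses collected from your own fleet, pull the Server header out of each, and sort hosts into "upgrade", "ok" or "unknown" against a fix threshold. The hostnames, banners and the threshold version are constructed for illustration; hosts that have stripped their banner end up in "unknown", which is exactly the loss of advance warning the message is about.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample responses, as a scanner on our own network might capture them.
SAMPLE_RESPONSES: Dict[str, str] = {
    "www1.example.net": "HTTP/1.1 200 OK\r\nServer: Apache/1.3.29 (Unix) mod_ssl/2.8.16\r\n\r\n",
    "www2.example.net": "HTTP/1.1 200 OK\r\nServer: Apache/2.0.48 (Unix)\r\n\r\n",
    "www3.example.net": "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n",          # banner trimmed to product only
    "www4.example.net": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",  # no Server header at all
}

APACHE_RE = re.compile(r"^Apache/(\d+)\.(\d+)\.(\d+)")


def server_header(raw: str) -> Optional[str]:
    """Return the value of the Server header from a raw HTTP response, or None."""
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def apache_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Parse 'Apache/x.y.z ...' into a comparable tuple; None if no version is advertised."""
    m = APACHE_RE.match(banner)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def triage(responses: Dict[str, str], fixed: Tuple[int, int, int]) -> Dict[str, List[str]]:
    """Sort hosts: 'upgrade' below the fixed version, 'ok' at or above it,
    'unknown' when the banner does not say (stripped, obfuscated or missing)."""
    result: Dict[str, List[str]] = {"upgrade": [], "ok": [], "unknown": []}
    for host, raw in sorted(responses.items()):
        banner = server_header(raw)
        ver = apache_version(banner) if banner else None
        if ver is None:
            result["unknown"].append(host)   # needs a manual look, the banner gave us nothing
        elif ver < fixed:
            result["upgrade"].append(host)
        else:
            result["ok"].append(host)
    return result


if __name__ == "__main__":
    # Threshold is a constructed placeholder, not a real advisory's fixed version.
    for bucket, hosts in triage(SAMPLE_RESPONSES, (2, 0, 0)).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```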

