Security Basics mailing list archives

Re: response header fields


From: Edjenguele <christian.edjenguele () owasp org>
Date: Wed, 12 Aug 2009 21:00:15 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Chris Brenton wrote:
On Wednesday 12 August 2009 11:00:48 Edjenguele wrote:
Hi, as far as I know, suppressing Apache header information can be done in
two ways:
1) patch Apache and recompile the source code, probably the best way
2) modify/wrap the response from Java code using a servlet.

Or just edit httpd.conf and change "ServerTokens" to "Prod".

Yes, but this only reduces the signature to the product name, so
"Apache"; even if it doesn't reveal the OS type, a malicious user can
force an attack by trying all possible exploits against the host.


On Wed, 2009-08-12 at 12:56 -0430, Aarón Mizrachi wrote:
In terms of security, you are doing nothing. In terms of impact and
probability of penetration, you are reducing risks, which is good.

I dig this distinction. Very well said Aaron.

The analogy I like to use is: 
You are playing Five Card Draw against a number of opponents. Your
opponent’s cards are well hidden in their hands, while your cards are
laid out on the table for all to see. What are your chances of walking
away the big winner at the end of the night?

Displaying version banners to connecting clients puts you in a similar
position. If an attacker can see what software you are running along
with the specific version, they can immediately determine if you are
vulnerable to any of the attacks in their arsenal. So by displaying a
software banner you have effectively helped the attacker get it right on
the first try.

Without the benefit of the banner, the attacker would be forced to try
each of their attacks in order to see if they will work. If we are
vulnerable, we’re still going to get whacked. If we’re not, we have just
forced the attacker to start generating log entries that will clue us in
that the source IP is hostile. In other words, we’ve called their bluff
so we now get to see their losing cards. This gives us an audit history
and time to respond accordingly.

HTH,
C
---
www.chrisbrenton.org




- --
Christian Eric Edjenguele
IT Security Engineer
PGP KeyID: 0xB1654498

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJKgxE5AAoJENETScWxZUSYLekH/0t/9g1u5rTSVej3Q4wk6nh4
PC8L8RjkFQ6fyoUBVhjt/JwyaLM2OTEwxat/aKp0Yc2j4NXFL8zNmb1aTiI7Nd9o
W6tVsQmCqIwMthqTfiCYHCnMYLGImXkfELObg0CuVuutdXt4WDrHQSL625oChy9O
pN6ndhGknkuRbpjyO5iuJ+qSgKSMr/hHq4GpP0143BHlRVvVzqwd+xM80+r0Z3ig
nJXCNvsglf2dPLY/4Qws9L9CX7kDp9SprP1AWoxO8Q1hg4OnB9E8hWURafgoKOdf
b1OZhNjwBMaL2X8GRugJYyZCwdzROsRaJ7jM0IXmb7TL1fLa6kZl01RofKE0GXE=
=3MYD
-----END PGP SIGNATURE-----
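The two points made in the thread, that `ServerTokens Prod` still leaves the product name in the Server header, and that a banner-less server forces an attacker into probing that shows up in the access log, can be illustrated with a small script. The following is an added example and is not code from any of the posters: the full banner string, the log lines and the threshold of three distinct failed paths are all constructed for illustration; the mapping from ServerTokens levels to header contents follows Apache httpd's documented behaviour.

```python
"""Added example (not from the original thread): what each Apache
ServerTokens level leaves in the Server header, and a small access-log
check that surfaces the probing an attacker is forced into when no
version banner is available. Banner and log lines are constructed."""
import re
from collections import defaultdict

# Constructed banner of the kind ServerTokens Full would emit (hypothetical versions).
FULL_BANNER = "Apache/2.4.41 (Unix) OpenSSL/1.1.1 PHP/7.4.3"

BANNER_RE = re.compile(r"(\w+)/(\d+)\.(\d+)\.(\d+)\s*(\([^)]*\))?\s*(.*)")


def server_header(level: str, full_banner: str = FULL_BANNER) -> str:
    """Return the Server header Apache sends for a given ServerTokens level.

    Levels, least to most revealing: Prod, Major, Minor, Min, OS, Full.
    Even Prod still discloses the product name, which is the point made in the thread.
    """
    m = BANNER_RE.match(full_banner)
    if not m:
        raise ValueError("unrecognised banner format")
    product, major, minor, patch, os_part, _rest = m.groups()
    level = level.lower()
    if level == "prod":
        return product
    if level == "major":
        return f"{product}/{major}"
    if level == "minor":
        return f"{product}/{major}.{minor}"
    if level == "min":
        return f"{product}/{major}.{minor}.{patch}"
    if level == "os":
        return f"{product}/{major}.{minor}.{patch} {os_part or ''}".strip()
    if level == "full":
        return full_banner
    raise ValueError(f"unknown ServerTokens level: {level}")


# Apache combined log format: ip ident user [timestamp] "method path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed log lines: one host trying several unrelated exploit paths and
# collecting 4xx responses, and one ordinary visitor with a single missing favicon.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Aug/2009:21:00:01 +0200] "GET /cgi-bin/test-cgi HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Aug/2009:21:00:02 +0200] "GET /cgi-bin/php HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Aug/2009:21:00:02 +0200] "GET /manager/html HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Aug/2009:21:00:03 +0200] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Aug/2009:21:00:03 +0200] "GET /.htaccess HTTP/1.1" 403 199 "-" "Mozilla/4.0"
198.51.100.2 - - [12/Aug/2009:21:00:04 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.2 - - [12/Aug/2009:21:00:05 +0200] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""


def probing_sources(log_text: str, min_distinct_failures: int = 3) -> dict:
    """Group 4xx responses by source IP and return the IPs that failed against at
    least `min_distinct_failures` distinct paths, mapped to those paths.

    The threshold is a hypothetical tuning value; a single 404 is normal browsing,
    a fan of failures across unrelated paths is the "losing cards" from the thread.
    """
    failures = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("status").startswith("4"):
            failures[m.group("ip")].add(m.group("path"))
    return {ip: sorted(paths) for ip, paths in failures.items()
            if len(paths) >= min_distinct_failures}


if __name__ == "__main__":
    for level in ("Full", "OS", "Min", "Minor", "Major", "Prod"):
        print(f"ServerTokens {level:5} -> Server: {server_header(level)}")
    for ip, paths in probing_sources(SAMPLE_LOG).items():
        print(f"probing source {ip}: {len(paths)} distinct failed paths: {paths}")
```

Running it prints the six header variants and flags 203.0.113.7 with five distinct failed paths while leaving 198.51.100.2 alone; the same grouping run against a real access log is the audit history Chris describes, and it works whether or not the banner was suppressed.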


