Security Basics mailing list archives
Re: response header fields
From: Edjenguele <christian.edjenguele () owasp org>
Date: Wed, 12 Aug 2009 21:00:15 +0200
Chris Brenton wrote:
> On Wednesday 12 August 2009 11:00:48 Edjenguele wrote:
>> Hi, as far as I know, suppressing Apache header information can be done in two ways:
>> 1) patch Apache and recompile the source code, probably the best way
>> 2) modify/wrap the response from Java code using a servlet.
>
> Or just edit httpd.conf and change "ServerTokens" to "Prod".
Yes, but this only reduces the signature to the "product name", so "Apache"; even if it doesn't reveal the OS type, a malicious user can force an attack by trying all possible exploits against the host.
> On Wed, 2009-08-12 at 12:56 -0430, Aarón Mizrachi wrote:
>> In terms of security, you are doing nothing. In terms of impact and probability of penetration, you are reducing risks, which is good.
>
> I dig this distinction. Very well said Aaron.
>
> The analogy I like to use is: You are playing Five Card Draw against a number of opponents. Your opponent's cards are well hidden in their hands, while your cards are laid out on the table for all to see. What are your chances of walking away the big winner at the end of the night?
>
> Displaying version banners to connecting clients puts you in a similar position. If an attacker can see what software you are running along with the specific version, they can immediately determine if you are vulnerable to any of the attacks in their arsenal. So by displaying a software banner you have effectively helped the attacker get it right on the first try.
>
> Without the benefit of the banner, the attacker would be forced to try each of their attacks in order to see if they will work. If we are vulnerable, we're still going to get whacked. If we're not, we have just forced the attacker to start generating log entries that will clue us in that the source IP is hostile. In other words, we've called their bluff so we now get to see their losing cards. This gives us an audit history and time to respond accordingly.
>
> HTH,
> C
> ---
> www.chrisbrenton.org
--
Christian Eric Edjenguele
IT Security Engineer
PGP KeyID: 0xB1654498
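The thread makes two practical points: "ServerTokens Prod" (ideally with "ServerSignature Off") trims what the Server header reveals, and a probing client that can no longer read the version off the banner has to guess, which leaves a trail of error responses in the access log. The following is an added example written for this archive page, not code from any of the thread's participants: it checks an httpd.conf fragment for those two directives, classifies how much a given Server header discloses, and flags source IPs in a constructed Apache combined-log sample that rack up many client errors across many distinct paths. The log lines, IP addresses, and function names are all invented for the illustration.

```python
import re
from collections import defaultdict

# --- 1. Configuration check -------------------------------------------------

def check_banner_directives(httpd_conf: str) -> dict:
    """Return the effective ServerTokens / ServerSignature values found in a
    config fragment (last occurrence wins, comments ignored) and whether each
    matches the hardened setting discussed in the thread."""
    found = {"ServerTokens": None, "ServerSignature": None}
    for raw in httpd_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) == 2 and parts[0] in found:
            found[parts[0]] = parts[1]
    return {
        "ServerTokens": found["ServerTokens"],
        "ServerTokens_ok": (found["ServerTokens"] or "").lower() == "prod",
        "ServerSignature": found["ServerSignature"],
        "ServerSignature_ok": (found["ServerSignature"] or "").lower() == "off",
    }

# --- 2. What does a Server header give away? --------------------------------

def server_header_disclosure(value: str) -> set:
    """Classify a Server header value: 'version' if the product carries a
    version, 'os' if a parenthesised platform is present, 'modules' if extra
    component tokens follow. "Apache" (ServerTokens Prod) yields an empty set."""
    revealed = set()
    tokens = value.split()
    if not tokens:
        return revealed
    if "/" in tokens[0]:
        revealed.add("version")
    if re.search(r"\([^)]*\)", value):
        revealed.add("os")
    extra = [t for t in tokens[1:] if not (t.startswith("(") or t.endswith(")"))]
    if extra:
        revealed.add("modules")
    return revealed

# --- 3. Spot the guessing client in the access log --------------------------

# Apache combined-log prefix: ip ident user [ts] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)

# Constructed sample: one ordinary visitor and one client walking a list of
# well-known paths that do not exist on this host.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Aug/2009:21:00:15 +0200] "GET /index.html HTTP/1.1" 200 1043
198.51.100.9 - - [12/Aug/2009:21:00:16 +0200] "GET /cgi-bin/test-cgi HTTP/1.0" 404 209
198.51.100.9 - - [12/Aug/2009:21:00:16 +0200] "GET /cgi-bin/php HTTP/1.0" 404 209
198.51.100.9 - - [12/Aug/2009:21:00:17 +0200] "GET /manager/html HTTP/1.0" 404 209
198.51.100.9 - - [12/Aug/2009:21:00:17 +0200] "GET /server-status HTTP/1.0" 403 214
198.51.100.9 - - [12/Aug/2009:21:00:18 +0200] "GET /phpmyadmin/ HTTP/1.0" 404 209
203.0.113.7 - - [12/Aug/2009:21:00:20 +0200] "GET /about.html HTTP/1.1" 200 2210
203.0.113.7 - - [12/Aug/2009:21:00:21 +0200] "GET /missing.png HTTP/1.1" 404 209
"""

def flag_probing_sources(log_text: str, min_errors: int = 4,
                         min_distinct_paths: int = 3) -> dict:
    """Map each source IP to its list of (status, path) client errors when it
    produced at least `min_errors` 4xx responses over at least
    `min_distinct_paths` different paths. A single 404 for a missing image
    from a normal visitor stays below the thresholds."""
    errors = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined-log form
        status = int(m.group("status"))
        if 400 <= status < 500:
            errors[m.group("ip")].append((status, m.group("path")))
    flagged = {}
    for ip, hits in errors.items():
        distinct = {path for _, path in hits}
        if len(hits) >= min_errors and len(distinct) >= min_distinct_paths:
            flagged[ip] = hits
    return flagged

if __name__ == "__main__":
    conf = "ServerTokens Full   # weak\nServerSignature On\n"
    print(check_banner_directives(conf))
    print(server_header_disclosure("Apache/2.2.11 (Unix) PHP/5.2.9 mod_ssl/2.2.11"))
    print(server_header_disclosure("Apache"))
    for ip, hits in flag_probing_sources(SAMPLE_LOG).items():
        print(ip, "->", len(hits), "client errors across", len({p for _, p in hits}), "paths")
```

The thresholds are deliberately simple; in a real deployment you would tune them per site and correlate the flagged IP with the rest of its traffic before acting on it. The point the example makes is the one Chris Brenton makes in the quoted reply: with the banner reduced to "Apache", the guessing shows up in the log as a burst of errors from one source, and that is the signal to watch for.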