Full Disclosure mailing list archives
*Including* Security through obscurity measures is good.
From: Brian Hatch <full-disclosure () ifokr org>
Date: Sun, 8 Dec 2002 10:47:16 -0800
[1] *Relying* on security through obscurity is bad. However *adding* security through obscurity is good. This distinction is too often overlooked. Why say "I'm running Apache 1.2.26 with mod_perl and mod_ssl version BLAH" when you can just say "Apache"? It only makes it easier for crackers to mark you down on their well- tailored lists.There is no security through security. ServerTokens Prod is a false sense of security, and when you think about it offers no real security at all. Script kiddies will still try the short list of apache exploits.
Say they have an exploit for some daemon that will either a) work, or b) crash the server and they have exploits tailored for 5 different versions of the daemon. If you don't tell them which you're running, then they have one shot to get it right, or the daemon dies and they can't try again. Would you not argue that withholding the version number helped out in this case? Is it 100% reliable? Hell no. Should it be your only line of defense? Hell no. Did it hurt to include this in your setup? No. Could it possibly help? Yes. So why not utilize it?
To me, "Apache" instead of the "Apache/1.3.27 (Unix) mod_ssl/2.8.11 OpenSSL/0.9.6g PHP/4.2.3" means "this admin is: 1.) Lazy and doesn't patch when needed.
The lazy administrator probably has no idea how to configure it to not withhold version info in the first place.
2.) Gullible, and thinks they can somehow magically prevent an automated worm or a determined script kiddie from compromising their server. P.S. The slapper worm variants don't go to netcraft and ask "what's that site running" before they use root you.
Nor did I say it did. However there have been vulnerabilities that needed to be tailored for a specific version. If they need to blindly try several exploits (and I admit they will) they might try the wrong ones first. Perhaps those wrong exploits will result in log entries indicating something is wrong, and they admin will check into it, whereas if the attacker tries the correct one and gets in without a trace that's one less thing to help the admin know something is amiss. Tell my why *including* security through obscurity is bad. I already know why *relying* on security through obscurity is bad. Using version numbers as our example, where could it be bad? Take ssh: the server exclaims it's version number, and this allows the client to work around known bugs in the server version. (OpenSSH has lots of workarounds for server bugs per version number.) Take a web server, on the other hand, do clients need to work around bugs in specific versions? No. What do we gain by having the server announce it? Nothing. What do we loose by having the server announce it? Nothing, except a small addition of obscurity that *may* help some day down the road. -- Brian Hatch "I am a Ranger. We walk in the dark places Systems and no others will enter. We stand on the Security Engineer bridge and no one may pass. http://www.ifokr.org/bri/ We live for the One, we die for the One." Every message PGP signed
Attachment:
_bin
Description:
Current thread:
- UN support for "security by obscurity" Richard M. Smith (Dec 06)
- Re: UN support for "security by obscurity" Brian Hatch (Dec 06)
- Re: UN support for "security by obscurity" Rick Updegrove (Dec 07)
- *Including* Security through obscurity measures is good. Brian Hatch (Dec 08)
- Re: UN support for "security by obscurity" Rick Updegrove (Dec 07)
- Re: UN support for "security by obscurity" Georgi Guninski (Dec 07)
- Re: UN support for "security by obscurity" Michal Zalewski (Dec 07)
- Re: UN support for "security by obscurity" Brian McWilliams (Dec 07)
- "security by obscurity" Berend-Jan Wever (Dec 07)
- Re: "security by obscurity" Niels Bakker (Dec 08)
- Re: "security by obscurity" Georgi Guninski (Dec 09)
- Re: "security by obscurity" Roland Postle (Dec 09)
- "security by obscurity" Berend-Jan Wever (Dec 07)
- Re: UN support for "security by obscurity" Brian Hatch (Dec 06)
- <Possible follow-ups>
- RE: UN support for "security by obscurity" Schmehl, Paul L (Dec 07)