On 9/21/21 2:40 PM, Piotr Sionkowski wrote:
> Hi Guys,
>
> First of all I would like to thank you for picking up the issue I brought.
>
> I conducted a quick experiment and checked what apache.org headers look like
> and got:
>
> $ curl -I apache.org | grep Server
> Server: Apache
>
> I also did a deeper dive and checked a bigger sample of n=86 webpages of ASF
> sponsors.
>
> ===BEGIN OF EXPERIMENT===
>
> STEP 1: we grab the list of ASF sponsors
>
> $ curl --url https://www.apache.org/foundation/thanks.html -v | grep sponsored | cut -f 2 -d\" > sponsors
>
> result:
> https://aws.amazon.com/
> http://facebook.com/
> http://google.com/
> < Removed 80 lines >
> https://www.sonic.com/
> http://www.surfnet.nl/
> https://www.virtru.com/
>
> STEP 2: we grab Server headers for results from STEP 1. Any missing are
> replaced with 'SERVER OBSCURED'
>
> $ for subject in $(cat sponsors); do echo -n "${subject}: " >> servers; curl --connect-timeout 3 -I -k $subject 2> /dev/null | grep Server >> servers || echo 'SERVER OBSCURED' >> servers; done
>
> result:
> https://aws.amazon.com/: Server: Server
> http://facebook.com/: SERVER OBSCURED
> http://google.com/: Server: gws
> < Removed 80 lines >
> https://www.sonic.com/: Server: nginx/1.12.1
> http://www.surfnet.nl/: Server: nginx
> https://www.virtru.com/: Server: cloudflare
>
> STEP 3: We organize the data and print a histogram-like summary
>
> $ cut -f 3 -d' ' servers | sort | uniq -c > histogram
>
> result:
>  2 ATS
>  3 AkamaiGHost
>  2 AmazonS3
>  7 Apache
>  1 Apache/2.4.18
>  1 Apache/2.4.48
>  9 Cisco
>  2 GitHub.com
>  2 Kestrel
>  1 LiteSpeed
> 13 OBSCURED
>  1 PAAS-WEB
>  1 SE-1.15.12
>  2 Server
>  1 Tengine
>  1 Varnish
>  1 awselb/2.0
>  1 bfe/1.0.8.18
> 15 cloudflare
>  1 globaledge-envoy
>  2 gws
>  1 ias/1.4.2.3_1.17.3
> 14 nginx
>  1 nginx/1.12.1
>  1 nginx/1.14.0
> ===END OF EXPERIMENT===
>
> Observations from data:
>
> Observation 1: 15 out of 86 (17.5%) are not willing to share ANYTHING about
> their servers
>
> Observation 2: another 15 are hidden behind cloudflare, summing up to 35%
>
> Observation 3: 8/86 (9%) show any version numbers
> Observation 4: out of 9 servers who claim to be Apache, 2 (22%) show versions
>
> Conclusions:
>
> Only a tiny percentage of this sample is willing to show any version of their
> web server (not confirmed if what they show is what they actually run).
>
> In view of the above, would ASF consider changing its recommendation[1] from
> 'Minimal' to 'Product Only'?
Thanks for the data, but in my opinion it actually doesn't tell you much. From my
experience, in a lot of big companies people are forced to stick to the OWASP
recommendations whether they make sense in people's eyes or not. I myself got
tired of this topic in professional life. If people demand that I remove that
stuff, I do, not because I think it makes sense, but because I do not want to
waste time any longer, like in the past, discussing with people why I think it
does not make sense, when in the end the only argument I get is: "But OWASP
recommends it."
Just because people apply them does not tell you that the arguments we
mentioned are wrong and that what OWASP recommends is right.
Regards
Rüdiger
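A more careful version of STEP 2 and STEP 3 of the experiment quoted above, as an added example that is not part of the thread and not the project's own code. It runs offline on constructed `curl -I` header dumps (the hostnames are placeholders, not survey targets) and addresses two weaknesses of the grep/cut pipeline: an HTTP/2 response carries a lowercase `server:` name that `grep Server` never matches and so is counted as OBSCURED, and "header present" is not the same question as "version disclosed". The buckets borrow Apache's ServerTokens vocabulary (Prod, Major, Minor, Min, OS, Full); applying those names to non-Apache products is an assumption made here purely for counting.

```python
"""Classify Server headers by how much they disclose (added example, not from the thread).

Level names reuse Apache's ServerTokens vocabulary; using them for non-Apache
products (nginx, cloudflare, ...) is an assumption made here for bucketing only.
"""
import re
from collections import Counter

# Constructed sample responses standing in for `curl -I <url>` output.
# The hostnames are placeholders, not real survey targets.
SAMPLES = {
    "https://host-a.example/": "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n",
    # HTTP/2: header names arrive lowercase, which `grep Server` misses
    "https://host-b.example/": "HTTP/2 200 \r\nserver: Apache/2.4.48 (Unix) OpenSSL/1.1.1k\r\n\r\n",
    # Redirect with no Server header at all
    "https://host-c.example/": "HTTP/1.1 301 Moved Permanently\r\nLocation: https://host-c.example/home\r\n\r\n",
    "https://host-d.example/": "HTTP/1.1 200 OK\r\nServer: nginx/1.14.0\r\n\r\n",
    "https://host-e.example/": "HTTP/1.1 200 OK\r\nServer: cloudflare\r\n\r\n",
    # Connection timed out: curl printed nothing
    "https://host-f.example/": "",
    # A value that is literally the word "Server" is still product-only, not obscured
    "https://host-g.example/": "HTTP/1.1 200 OK\r\nX-Served-By: cache-1\r\nServer: Server\r\n\r\n",
}

_SERVER_RE = re.compile(
    r"^(?P<product>[^/\s(]+)"        # Apache, nginx, cloudflare, ...
    r"(?:/(?P<version>[^\s(]+))?"    # /2.4.48
    r"(?:\s+\((?P<os>[^)]*)\))?"     # (Unix)
    r"(?P<extra>.*)$"                # OpenSSL/1.1.1k mod_foo/... (ServerTokens Full)
)


def server_header(raw):
    """Return the Server header value from a raw header dump, or None if absent.

    The header name is matched case-insensitively; CRLF and LF endings are
    both accepted. An empty dump (failed connection) also yields None.
    """
    if not raw:
        return None
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    for line in head.split("\n")[1:]:          # [0] is the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip() or None       # "Server:" with no value discloses nothing
    return None


def disclosure_level(value):
    """Bucket a Server value into a ServerTokens-style level."""
    if value is None:
        return "obscured"
    m = _SERVER_RE.match(value.strip())
    if not m:
        return "unparsed"
    if m.group("extra").strip():
        return "Full"          # modules/libraries listed after the OS
    if m.group("os") is not None:
        return "OS"            # "Apache/2.4.48 (Unix)"
    version = m.group("version")
    if version is None:
        return "Prod"          # "Apache", "nginx", "cloudflare"
    components = len(version.split("."))
    if components == 1:
        return "Major"         # "Apache/2"
    if components == 2:
        return "Minor"         # "Apache/2.4"
    return "Min"               # "Apache/2.4.48", "nginx/1.14.0"


def survey(samples):
    """Histogram of disclosure levels over a {url: raw header dump} mapping."""
    return Counter(disclosure_level(server_header(raw)) for raw in samples.values())


if __name__ == "__main__":
    counts = survey(SAMPLES)
    total = sum(counts.values())
    for level, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{n:3d}  {level:<9} {100 * n / total:5.1f}%")
```

To run it against real hosts, replace the values in SAMPLES with the output of `curl -sS -I --connect-timeout 3 <url>` for each host. As in the thread's data, `curl -I` without `-L` reports the first hop only, so for a redirecting front end it is the front end (a CDN, a load balancer) whose Server header gets counted, not the origin.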
---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscr...@httpd.apache.org
For additional commands, e-mail: docs-h...@httpd.apache.org