Wolfgang Drews wrote:
I don't think it would reduce the number of attacks turning the
version information off. But it would be more cumbersome to help
people with php issues as the php version is not directly available.
Right, that was my point too.
yes, but in the end it is more a problem of user-perception. "hej, if
security-experts say it is more secure, then of course I will turn it
off - after all I don't care for netcraft-stats" (and don't know about
it either).
finally, if people turn it off because of security-reasons, one should
consider a compromise between "security" and "statistics" ... or not?
I don't understand any of the positions that it changes anything about
security when turning it off. This is the number one "security by
obscurity" example and is worse than anything: it gives the users
the wrong feeling they made a step in securing their vulnerable service.
There are not many reasons why a check for a PHP version should be done.
The probably most interesting one is the minor version when the attack
can be carried to multiple versions with different offset for stack
smashing or whatever the current best practice is.
But as soon as the guys find out that people are turning it off (and I'm
sure they found out already) they don't care about the version anyway
and just go ahead and try brute force.
All in all it's a complete false perception of security.
- Markus
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php