Wolfgang Drews wrote:
I don't think it would reduce the number of attacks turning the version information off. But it would be more cumbersome to help people with php issues as the php version is not directly available.

Right, that was my point too.


yes, but in the end it is more a problem of user-perception. "hej, if
security-experts say it is more secure, then of course I will turn it
off - after all I don't care for netcraft-stats" (and don't know about
it either).
finally, if people turn it off because of security-reasons, one should
consider a compromise between "security" and "statistics" ... or not?

I don't understand any of the positions that it changes anything about security when turning it off. This is the number one "security by obscurity" example and is worse than anything: it gives the users the wrong feeling that they made a step in securing their vulnerable service.

There are not many reasons why a check for a PHP version should be done. Probably the most interesting one is the minor version, when the attack can be carried out against multiple versions with different offsets for stack smashing or whatever the current best practice is.

But as soon as the guys find out that people are turning it off (and I'm sure they found out already) they don't care about the version anyway and just go ahead and try brute force.

All in all it's a complete false perception of security.

- Markus

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php