Markus Fischer wrote:
> Wolfgang Drews wrote:
>
>>>> I don't think it would reduce the number of attacks turning the
>>>> version information off. But it would be more cumbersome to help
>>>> people with php issues as the php version is not directly available.
>>>
>>> Right, that was my point too.
>>
>> yes, but in the end it is more a problem of user-perception. "hej, if
>> security-experts say it is more secure, then of course i will turn it
>> off - after all i don't care for netcraft-stats" (and don't know about
>> it either).
>> finally, if people turn it off because of security-reasons, one should
>> consider a compromise between "security" and "statistics" ... or not?
>
> I don't understand any of the positions that it changes anything about
> security when turning it off. This is the number one "security by
> obscurity" example and is worse than anything: it gives the users
> the wrong feeling they made a step in securing their vulnerable service.
Displaying this value does NOTHING: the browser does not care if it is
there, and neither does any proxy. So, why send it? As far as security
goes, if you want to provide a map to hackable servers that's up to you;
I personally would rather avoid it.

> But as soon as the guys find out that people are turning it off (and I'm
> sure they found out already) they don't care about the version anyway
> and just go ahead and try brute force.

Sure, and that means by hitting more servers their attack gets noticed
and blocked sooner. And it also gives further incentive for people to
upgrade before they are "hit", because they'll know someone is actively
going after their old version.

Ilia

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
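The "value" argued over above is the version string PHP and the web server put into response headers. The following is an added example, not code from this thread or from the PHP project: it parses a raw HTTP response and lists every product/version token found in headers that conventionally disclose software versions, which is the check a practitioner would run to see whether their own server hands out the "map to hackable servers" Ilia mentions. The two responses are constructed for offline use, not captured from any real host; the assumption that the thread is talking about the X-Powered-By header (controlled by PHP's expose_php directive) and the Server header (Apache's ServerTokens) is mine, as are the version numbers.

```python
import re

# Constructed sample responses for offline use; they are not captured from
# any real server. The first exposes the PHP version in two headers, the
# second is what the same server would send with PHP's "expose_php = Off"
# and Apache's "ServerTokens Prod" (real directives; that these are the
# settings the thread has in mind is an assumption).
RESPONSE_EXPOSED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Thu, 01 Jan 2004 00:00:00 GMT\r\n"
    b"Server: Apache/1.3.29 (Unix) PHP/4.3.4\r\n"
    b"X-Powered-By: PHP/4.3.4\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>hello</body></html>"
)

RESPONSE_HIDDEN = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Thu, 01 Jan 2004 00:00:00 GMT\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>hello</body></html>"
)

# Headers that conventionally carry product/version strings. No browser or
# proxy behaviour depends on any of them, which is Ilia's point.
DISCLOSING_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}

# Matches "Name/1.2.3" tokens such as "PHP/4.3.4" or "Apache/1.3.29".
VERSION_TOKEN = re.compile(r"\b([A-Za-z][\w.-]*)/(\d+(?:\.\d+)+)")


def parse_headers(raw):
    """Split a raw HTTP response into (status_line, [(name, value), ...]).

    Only the header block before the first blank line is parsed; the body
    is ignored. Obsolete folded (multi-line) headers are not handled.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = lines[0]
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return status, headers


def version_disclosures(raw):
    """Return [(header, product, version), ...] for every product/version
    token found in a version-disclosing header of the response."""
    _status, headers = parse_headers(raw)
    found = []
    for name, value in headers:
        if name.lower() not in DISCLOSING_HEADERS:
            continue
        for product, version in VERSION_TOKEN.findall(value):
            found.append((name, product, version))
    return found


def exposes_php_version(raw):
    """True if any disclosing header advertises a PHP version."""
    return any(p.lower() == "php" for _h, p, _v in version_disclosures(raw))


if __name__ == "__main__":
    for label, resp in (("exposed", RESPONSE_EXPOSED), ("hidden", RESPONSE_HIDDEN)):
        print(label, version_disclosures(resp), exposes_php_version(resp))
```

Run it and the "exposed" response reports the PHP version from both the Server and X-Powered-By headers, while the "hidden" one reports nothing. Note that the check only covers headers: an unpatched PHP build with expose_php turned off is still the same unpatched build, which is the point Markus is making.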