On Thu, 10 Nov 2005 14:08:29 -0500, in php.internals [EMAIL PROTECTED] (Ilia Alshanetsky) wrote:
>> I don't think it would reduce the number of attacks turning the
>> version information off. But it would be more cumbersome to help
>> people with php issues as the php version is not directly available.

>This is simply not true, when a bug comes in we ask the user to specify
>the version, we don't go looking for their server and checking their
>version.

I wasn't thinking of php development but more general when people have trouble with their PHP code (posting in newsgroups, forums, irc, ...).

.. and from another post:

>Displaying this value does NOTHING, browser does not care if it is
>there, neither does any proxy. So, why send it?

The information could help users helping each other. Furthermore the information could give a hint on the progress of migrating to newer versions of php for the rest of the world. I think this information could be pretty valuable for the php community, though I don't think this information has been used that much so far.

Furthermore, this discussion has been taken for a bunch of different projects. Apache, mod_ssl, mod_perl and so on. I can't recall they seriously would encourage people to disable version information so much that they would change their default settings to reflect this.

I would agree with Markus. This is security by obscurity. The automated attacks do happen anyway.

-- 
- Peter Brodersen

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php