Turning off expose_php is just security by obscurity; a determined hacker can still probe for problems even if that setting is turned off.
My vote is to leave it as-is; leave it to the administrator to decide if they want to turn it off.

--Wez

On 11/10/05, Marcus Boerger <[EMAIL PROTECTED]> wrote:
> Hello Andi,
>
> agreed, also we are doing very much work on security. Thus new and regular
> updated systems shouldn't have a problem with exposing this. And we cannot
> do anything for unmaintained systems anyway. Therefore i think we or any
> user should not be ashamed or fear having php being exposed.
>
> best regards
> marcus
>
> Thursday, November 10, 2005, 11:47:22 PM, you wrote:
>
> > I personally think it can hurt the PHP project to have expose_php
> > turned off by default. A lot of PHP's push has been thanks to the
> > Netcraft numbers.
>
> > Andi
>
> > At 10:56 AM 11/10/2005, Wolfgang Drews wrote:
> >> > > I don't think it would reduce the number of attacks turning the
> >> > > version information off. But it would be more cumbersome to help
> >> > > people with php issues as the php version is not directly available.
> >> >
> >> > Right, that was my point too.
> >>
> >>yes, but in the end it is more a problem of user-perception. "hej, if
> >>security-experts say it is more secure, then of course i will turn it
> >>off - after all i don't care for netcraft-stats" (and don't know about
> >>it either).
> >>
> >>finally, if people turn it off because of security-reasons, one should
> >>consider a compromise between "security" and "statistics" ... or not?
> >>
> >>best regards
> >>
> >>-Wolfgang
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php