> The OP, however, is right. Why report the version at all to the user of
> a website? There is no need to let them know you are even running
> OpenSSL let alone the version being run. I'm not talking about security
> through obscurity. I'm referring to common sense. Don't tell people
> what you are running unless it is absolutely necessary for proper
> operation. Since version information is "metadata", it is not necessary
> for the proper operation of OpenSSL. The only thing it does is waste a
> few bytes of bandwidth every time someone connects. Just a thought.
We've come a long way from the time when banks posted their reserve ratios in the window. If you have fixed the latest vulnerabilities, why would you want to keep this a secret from the people you are asking to trust you? And if you have not, what right do you have to keep that secret?

The main reason you run SSL is because you are going to ask other people to trust you with their personal data. It comes down to that fundamental question, "why should I trust you?" If the answer is because you do things securely, fixing vulnerabilities and choosing proven products, why should that need to be a secret? And if a new vulnerability appears and you haven't had a chance to fix it yet, shouldn't I at least have a chance to know that before I trust you with sensitive information?

Security through obscurity is wrong for more than just one reason. But a big one is that it robs the people you interoperate with of the chance to judge for themselves whether you are trustworthy. They may just find someone else who is more transparent.

So here's my primary answer: suppose a new SSL bug is discovered. It's fixed in version Y but not version X. I need to put a million-dollar order through to your server. What should I do? Should I not give you the order until I can somehow confirm you have version Y? (Which, according to you, I should never be able to do. So in this case you don't get the order.) Or should I just assume you do, because you're typically on the ball? (Which might not be what you want, depending on what the consequences are to *you* if the data leaks to a competitor.)

Why force the people you are asking to trust you into such craziness? Why not reassure them, assuming you do things right? And if you do things wrong, is it really in your interest to dupe people into trusting you? Think long and hard about that -- it may not be.
DS

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]