> [EMAIL PROTECTED] wrote:
> > Blocking the version number is worse than reporting stale version
> > information. At least they can determine a minimum security level.
> > Incorrect information cuts both ways, helping the hacker and legitimate
> > user at the same time. Better to prefer the legitimate user's interest.
> >
> > SP

> How many "legitimate users" even know of the existence of the OpenSSL
> version number?  How many of those actually care?

        How many legitimate users can perform an RSA operation? Obviously we
don't mean human beings do it literally.

> Now compare that number to how many hackers know and care about the same
> information.  Percentage-wise, users don't care.

        We don't mean that humans will literally look at the data; we mean
automated processes will, to assure that they have a certain level of
security. I don't know if you read the O.P., but that's why he cares: a
security tool is reporting him as having vulnerabilities or possible
vulnerabilities.

> Hackers do.  As well
> as geeks.  If you care, you are either a hacker or a geek.  The average
> user doesn't even know about the existence of OpenSSL, let alone its
> version number, and they also don't care.

        Right, that's why average users use automated tools that may well care
about such things.

> They implicitly trust that
> people are doing their jobs and keeping servers up-to-date.  Hence geeks
> and hackers are the only people who will ever see an OpenSSL version
> number.  And hackers are the only ones who will abuse it.  The OP's
> point is still valid...users don't care.  And most people spending a
> million dollars are not geeks.

        And automated tools used by normal people and hackers. And auditors.

> My point is that 100% of the people here aren't qualified to discuss how
> users think because we're all geeks and assume the rest of the world
> is/should be too (anyone brilliant enough to join openssl-users is a
> geek - yes, I realize I'm calling myself that too).  The OP wants to
> remove the Apache server header announcing that Apache is being used and
> what compiled modules are included (one of them being OpenSSL).  That is
> doable.  I'm pretty sure there is an option somewhere in the httpd.conf
> file.  Edit that and restart the server.  Just realize you are a geek
> and you'll be fine (or maybe you'll realize you don't want to be one and
> will decide to change careers).

        If you really believed what you are saying, you would have to argue that
the worst people to design security systems are experts in security. That's
a complete load of crap.

        He's trying to hide the version from automated auditing processes that
are helping human beings audit security levels and be cautioned about
vulnerabilities.

        DS
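
[Editor's note, added example; this is not part of the thread and not
OpenSSL or Apache project code.] The "option somewhere in httpd.conf"
referred to above is the ServerTokens directive (with ServerSignature for
the footer on error pages). With the default "ServerTokens Full", Apache
advertises the versions of its loaded modules in the Server: response
header, which is exactly what the OP's scanner is reading; "ServerTokens
Prod" reduces the banner to "Server: Apache". The script below does what
such an automated check does, pulling the OpenSSL version token out of a
Server: header line. The two banners are constructed for this example, not
captured from any real host, and the host in the curl comment is a
placeholder.

```shell
#!/bin/sh
# Added example (not from the thread). Shows what an automated scanner
# extracts from Apache's Server: header with the default "ServerTokens Full",
# and what it is left with once httpd.conf carries:
#     ServerTokens Prod
#     ServerSignature Off

# Print the OpenSSL version token from a Server: header line, or "unknown"
# when the banner carries no OpenSSL token. A trailing CR (as curl -I
# leaves on raw header lines) is stripped first.
openssl_version_from_banner() {
    _v=$(printf '%s\n' "$1" | tr -d '\r' | sed -n 's|.*OpenSSL/\([^ ]*\).*|\1|p')
    if [ -n "$_v" ]; then
        printf '%s\n' "$_v"
    else
        printf 'unknown\n'
    fi
}

# Constructed sample banners for this example (version strings are
# illustrative, not taken from any real server).
BANNER_FULL='Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8b'
BANNER_PROD='Server: Apache'

# Live check against a host you administer (example.test is a placeholder):
#     curl -sI https://example.test/ | grep -i '^Server:'

openssl_version_from_banner "$BANNER_FULL"   # 0.9.8b
openssl_version_from_banner "$BANNER_PROD"   # unknown
```

Note the caveat the thread is really about: "ServerTokens Prod" only hides
the banner from HTTP-level checks. The library behind the listener is
unchanged, so any test that exercises TLS behaviour directly (as opposed to
reading the banner) is unaffected, and the finding that prompted the OP is a
reason to upgrade OpenSSL, not to suppress the report.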



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]