The problem is that virtually no legit users will ever look, but the hackers definitely will. I'll admit (being a geek) that I checked once when logging into my banking site for the first time many years ago. So maybe I was 'benefitted' that one time (and my case is definitely not typical), but the hackers could be 'benefitting' over and over with internal knowledge.
The same arguments (showing that I'm trustworthy) could be made for posting company network diagrams, physical site security procedures, backup courier, etc., but nobody does that. The risk/reward ratio doesn't justify giving the information out in my opinion.

[EMAIL PROTECTED] wrote on 08/21/2006 03:15:33 PM:

> > The OP, however, is right. Why report the version at all to the user of a website? There is no need to let them know you are even running OpenSSL let alone the version being run. I'm not talking about security through obscurity. I'm referring to common sense. Don't tell people what you are running unless it is absolutely necessary for proper operation. Since version information is "metadata", it is not necessary for the proper operation of OpenSSL. The only thing it does is waste a few bytes of bandwidth every time someone connects. Just a thought.
>
> We've come a long way from the time when banks posted their reserve ratios in the window.
>
> If you have fixed the latest vulnerabilities, why would you want to keep this a secret from the people you are asking to trust you? And if you have not, what right do you have to keep that secret? The main reason you run SSL is because you are going to ask other people to trust you with their personal data.
>
> It comes down to that fundamental question, "why should I trust you?" If the answer is because you do things securely, fixing vulnerabilities and choosing proven products, why should that need to be a secret? And if a new vulnerability appears and you haven't had a chance to fix it yet, shouldn't I at least have a chance to know that before I trust you with sensitive information?
>
> Security through obscurity is wrong for more than just one reason. But a big one is that it robs the people you interoperate with of the chance to judge for themselves whether you are trustworthy. They may just find someone else who is more transparent.
>
> So here's my primary answer: suppose a new SSL bug is discovered. It's fixed in version Y but not version X. I need to put a million dollar order through to your server. What should I do? Should I not give you the order until I can somehow confirm you have version Y? (Which, according to you, I should never be able to do. So in this case you don't get the order.) Or should I just assume you do, because you're typically on the ball? (Which might not be what you want, depending on what the consequences are to *you* if the data leaks to a competitor.)
>
> Why force the people you are asking to trust you into such craziness? Why not reassure them, assuming you do things right? And if you do things wrong, is it really in your interest to dupe people into trusting you? Think long and hard about that -- it may not be.
>
> DS
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager [EMAIL PROTECTED]

To find out more about Reuters visit www.about.reuters.com
Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Reuters Ltd.
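The thread argues over whether a web server should advertise its OpenSSL version. Whichever side you take, an operator wants to know what their own servers actually disclose, and whether a disclosed version is at least the release that carries a given fix (the "version Y, not version X" case DS describes). The following is an added example written for this page, not code from the thread or from the OpenSSL project. It assumes the version reaches the client in an HTTP `Server` header of the form Apache's mod_ssl produces (`Apache/2.0.55 (Unix) mod_ssl/2.0.55 OpenSSL/0.9.8a`), and the banner strings and minimum version below are constructed for the example, not taken from any real host.

```python
import re

# Constructed sample banners (not from any real server) for the two cases the
# thread debates: a full product/version banner versus a bare product name.
FULL_BANNER = "Apache/2.0.55 (Unix) mod_ssl/2.0.55 OpenSSL/0.9.8a"
PROD_BANNER = "Apache"

# A banner token is "Product/version"; parenthesised comments like "(Unix)"
# carry no slash and are ignored.
_TOKEN = re.compile(r"([A-Za-z_][\w.-]*)/([0-9][\w.-]*)")


def disclosed_versions(server_header: str) -> dict:
    """Return {product: version} for every Product/version token in the banner.

    An empty dict means the banner discloses no version information at all.
    """
    return {m.group(1): m.group(2) for m in _TOKEN.finditer(server_header)}


def openssl_version_key(version: str) -> tuple:
    """Turn a 0.9.x-era OpenSSL version such as '0.9.8a' into a comparable tuple.

    Those releases used a letter suffix for patch releases, ordered
    0.9.8 < 0.9.8a < 0.9.8b, so the suffix is encoded as a base-27 integer
    ('' -> 0, 'a' -> 1, ..., 'z' -> 26) to keep tuple comparison correct.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {version!r}")
    major, minor, fix, letters = m.groups()
    patch = 0
    for ch in letters:
        patch = patch * 27 + (ord(ch) - ord("a") + 1)
    return (int(major), int(minor), int(fix), patch)


def assess_banner(server_header: str, minimum_openssl: str) -> str:
    """Classify a banner against the oldest OpenSSL release you consider acceptable.

    'minimum_openssl' is whatever release carries the fix you care about; the
    value used in the usage below is a constructed placeholder.
    """
    versions = disclosed_versions(server_header)
    if "OpenSSL" not in versions:
        return "no-openssl-version-disclosed"
    if openssl_version_key(versions["OpenSSL"]) >= openssl_version_key(minimum_openssl):
        return "disclosed-and-current"
    return "disclosed-and-outdated"


if __name__ == "__main__":
    for banner in (FULL_BANNER, PROD_BANNER):
        print(f"{banner!r}: {assess_banner(banner, '0.9.8a')}")
```

In practice the banner would come from the `Server` header of a response from a host you administer; the parsing above is deliberately independent of how it is fetched. On Apache the full form is what `ServerTokens Full` emits, and `ServerTokens Prod` reduces it to the bare product name that `PROD_BANNER` models, which is the operator-side choice this thread is about.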