On Mon, Aug 21, 2006 at 04:15:46PM -0500, Doug Nebeker wrote:
> 
> The problem is that virtually no legit users will ever look, but the hackers
> definitely will. I'll admit (being a geek) that I checked once when logging
> into my banking site for the first time many years ago. So maybe I was
> 'benefitted' that one time (and my case is definitely not typical), but the
> hackers could be 'benefitting' over and over with internal knowledge.
> 
> The same arguments (showing that I'm trustworthy) could be made for posting
> company network diagrams, physical site security procedures, backup courier,
> etc., but nobody does that.
> 
> The risk/reward ratio doesn't justify giving the information out in my
> opinion.
This discussion is useless:
* OpenSSL does not disclose its version to attackers coming from the network,
  as the SSL/TLS protocol does not give any version information about the
  software used (it does give protocol compatibility information needed for
  interoperability wrt SSLv2, SSLv3 etc.).
* It is the application using OpenSSL (in this case Apache) disclosing the
  information. -> Please complain to the Apache people.
* Both projects, OpenSSL and Apache, are Open Source projects. If you find
  anything about it annoying, please feel free to make any modification you
  want.
* "Meta bullet point": This discussion about version information and security
  through obscurity has been seen often enough (have a look into the OpenSSH
  mailing list archives) and it finally leads nowhere. I will therefore not
  comment wrt my personal point of view.

Best regards,
    Lutz

> 
> > > [EMAIL PROTECTED] wrote on 08/21/2006 03:15:33 PM:
> > > 
> > > > The OP, however, is right. Why report the version at all to the user of
> > > > a website? There is no need to let them know you are even running
> > > > OpenSSL, let alone the version being run. I'm not talking about security
> > > > through obscurity. I'm referring to common sense. Don't tell people
> > > > what you are running unless it is absolutely necessary for proper
> > > > operation. Since version information is "metadata", it is not necessary
> > > > for the proper operation of OpenSSL. The only thing it does is waste a
> > > > few bytes of bandwidth every time someone connects. Just a thought.
> > 
> > We've come a long way from the time when banks posted their reserve ratios
> > in the window.
> > 
> > If you have fixed the latest vulnerabilities, why would you want to keep
> > this a secret from the people you are asking to trust you? And if you have
> > not, what right do you have to keep that secret? The main reason you run SSL
> > is because you are going to ask other people to trust you with their
> > personal data.
> > 
> > It comes down to that fundamental question, "why should I trust you?" If
> > the answer is because you do things securely, fixing vulnerabilities and
> > choosing proven products, why should that need to be a secret? And if a new
> > vulnerability appears and you haven't had a chance to fix it yet, shouldn't
> > I at least have a chance to know that before I trust you with sensitive
> > information?
> > 
> > Security through obscurity is wrong for more than just one reason. But a
> > big one is that it robs the people you interoperate with of the chance to
> > judge for themselves whether you are trustworthy. They may just find someone
> > else who is more transparent.
> > 
> > So here's my primary answer: suppose a new SSL bug is discovered. It's
> > fixed in version Y but not version X. I need to put a million dollar order
> > through to your server. What should I do? Should I not give you the order
> > until I can somehow confirm you have version Y? (Which, according to you, I
> > should never be able to do. So in this case you don't get the order.) Or
> > should I just assume you do, because you're typically on the ball? (Which
> > might not be what you want, depending on what the consequences are to *you*
> > if the data leaks to a competitor.)
> > 
> > Why force the people you are asking to trust you into such craziness? Why
> > not reassure them, assuming you do things right. And if you do things wrong,
> > is it really in your interest to dupe people into trusting you? Think long
> > and hard about that -- it may not be.
> > 
> > DS
> > 
> > 
> > ______________________________________________________________________
> > OpenSSL Project                                 http://www.openssl.org
> > User Support Mailing List                    openssl-users@openssl.org
> > Automated List Manager                           [EMAIL PROTECTED]
> 
> To find out more about Reuters visit www.about.reuters.com
> 
> Any views expressed in this message are those of the individual sender,
> except where the sender specifically states them to be the views of Reuters
> Ltd.

-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
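Added example for this thread (not code from the original messages, and not from the OpenSSL or Apache projects): a small Python script that makes Lutz's two-layer distinction concrete. It parses a constructed TLS ServerHello record and shows that the only version fields on the wire are protocol versions, then parses a constructed HTTP response and pulls the "Apache/... mod_ssl/... OpenSSL/..." tokens out of the Server header, which is where the disclosure the OP complained about actually comes from. Both inputs are built by hand in the script; the release numbers in the sample header are made up for illustration.

```python
"""Where a TLS server's software version does (and does not) show up.

Added example for this thread; not code from OpenSSL or Apache. Both
inputs below are constructed by hand, and the Apache/mod_ssl/OpenSSL
release numbers in the sample header are made up for illustration.
"""
import re
from typing import Dict

# Constructed TLS 1.0 ServerHello record. The only version fields on the
# wire are protocol versions (0x0301); there is no field for the name or
# release of the implementation that produced it.
SAMPLE_SERVER_HELLO = bytes.fromhex(
    "16"       # record type: handshake
    "0301"     # record-layer protocol version: TLS 1.0
    "002a"     # record length: 42 bytes follow
    "02"       # handshake type: ServerHello
    "000026"   # handshake body length: 38 bytes
    "0301"     # server_version: TLS 1.0
) + bytes(32) + bytes.fromhex(   # 32-byte server random (zeroed here)
    "00"       # session_id length: 0
    "002f"     # cipher_suite: TLS_RSA_WITH_AES_128_CBC_SHA
    "00"       # compression_method: null
)

# Constructed HTTP response in the shape Apache 2.x produces when the
# ServerTokens directive is left at its default of Full.
SAMPLE_HTTP_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 21 Aug 2006 21:15:46 GMT\r\n"
    b"Server: Apache/2.0.55 (Unix) mod_ssl/2.0.55 OpenSSL/0.9.8a\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html></html>"
)

TLS_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def parse_server_hello_version(record: bytes) -> str:
    """Return the protocol version a ServerHello record negotiates.

    Walks the 5-byte record header and 4-byte handshake header, checks
    that the lengths are consistent, and reads server_version. There is
    nothing else to read: the handshake carries no software version.
    """
    if len(record) < 11 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    if len(record) - 5 < rec_len:
        raise ValueError("truncated record")
    if record[5] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(record[6:9], "big")
    if hs_len + 4 > rec_len:
        raise ValueError("handshake length exceeds record length")
    major, minor = record[9], record[10]
    return TLS_VERSIONS.get((major, minor), f"unknown ({major}.{minor})")


def software_versions_from_server_header(response: bytes) -> Dict[str, str]:
    """Map product name -> version for every 'name/version' token in the
    Server header, e.g. {'Apache': '2.0.55', 'OpenSSL': '0.9.8a'}.

    Returns an empty dict when the header is missing or, as with
    'ServerTokens Prod' (header becomes just 'Server: Apache'), carries
    no version tokens at all.
    """
    head, _, _ = response.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            text = value.decode("latin-1")
            return dict(re.findall(r"([A-Za-z_]+)/([0-9][0-9A-Za-z.\-]*)", text))
    return {}


if __name__ == "__main__":
    print("TLS layer reveals :", parse_server_hello_version(SAMPLE_SERVER_HELLO))
    print("HTTP layer reveals:", software_versions_from_server_header(SAMPLE_HTTP_RESPONSE))
```

Against a live server you would feed the first record read from the socket after ClientHello to the first function and the response to a plain GET to the second; the point of the offline version is that the TLS parser has nowhere to find "OpenSSL/0.9.8a" because the protocol defines no such field, while the HTTP parser finds it immediately. The fix lives in the application, as Lutz says: Apache's `ServerTokens Prod` reduces the header to `Server: Apache`, after which the second function returns an empty dict.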