Folks,
For the sake of closure (and finality, one would hope :-) ), the relevant Apache
configuration parameter is "ServerTokens". There is also a spiffy module
available to do just about anything you might desire here:
modsecurity.
Works for me...
rnd
-Origina
You are correct; I did miss Lutz's email. Lutz ... thank you. That is exactly the answer I was looking for, to all my questions. Thank you openssl list, and to all those who provided helpful feedback.
Sincerely, Scott
On 8/22/06, Bernhard Froehlich <[EMAIL PROTECTED]> wrote:
Scott Campbell wrot
Scott Campbell wrote:
[...]
My question is (rephrased), if possible, how can I hide the
headers in OpenSSL from being broadcast to software running
rudimentary security scans (e.g., Nessus)?
Is there a line I can add to a conf file?
Is preventing the broadcast of software, version,
Guys, While I appreciate the vibrant discussion, I was not asking for the pros and cons of hiding the header information, whether or not one feels it promotes security, and whether one believes meddling with this makes one a geek or not. In many people's desire to announce their opinion on the
On Mon, Aug 21, 2006 at 04:15:46PM -0500, Doug Nebeker wrote:
>
> The problem is that virtually no legit users will ever look, but the hackers
> definitely will. I'll admit (being a geek) that I checked once when logging
> into my banking site for the first time many years ago. So maybe I
On Mon, 2006-08-21 at 11:42 -0700, [EMAIL PROTECTED] wrote:
> plain text document attachment (RE:)
> > > The long version: We run security check software, which makes connections
> > > with various services, calls up the header, and then tells us that based
> > > upon the version it read in
The problem is that virtually no legit users will ever look, but the hackers
definitely will. I'll admit (being a geek) that I checked once when logging
into my banking site for the first time many years ago. So maybe I was
'benefitted' that one time (and my case is definitely not typical),
> [EMAIL PROTECTED] wrote:
> > Blocking the version number is worse than reporting stale version
> > information. At least they can determine a minimum security level.
> > Incorrect information cuts both ways, helping the hacker and legitimate
> > user at the same time. Better to prefer the legiti
Thomas J. Hruska wrote:
> Now compare that number to how many hackers know and care about the same
> information.
None. If an exploit exists, it will be exploited. You are a fool if you
expect that a hacker would rely on the reported version number to elect
one of the dozens of past exploits. T
[EMAIL PROTECTED] wrote:
Blocking the version number is worse than reporting stale version
information. At least they can determine a minimum security level.
Incorrect information cuts both ways, helping the hacker and legitimate
user at the same time. Better to prefer the legitimate user's int
Blocking the version number is worse
than reporting stale version information. At least they can determine a
minimum security level. Incorrect information cuts both ways, helping the
hacker and legitimate user at the same time. Better to prefer the legitimate
user's interest.
SP
[EMAIL PROTEC
> The OP, however, is right. Why report the version at all to the user of
> a website? There is no need to let them know you are even running
> OpenSSL let alone the version being run. I'm not talking about security
> through obscurity. I'm referring to common sense. Don't tell people
> what
Thomas J. Hruska wrote:
David Schwartz wrote:
The long version: We run security check software, which makes connections
with various services, calls up the header, and then tells us that based
upon the version it read in the header, this service has certain
vulnerabilities.
You mean it m
David Schwartz wrote:
The long version: We run security check software, which makes connections
with various services, calls up the header, and then tells us that based
upon the version it read in the header, this service has certain
vulnerabilities.
You mean it might have certain vuln
Hello,
> The quick version: How can I disable or prevent OpenSSL headers
> from being viewable to outside traffic (similar to when you disable
> Apache from allowing its header and version information from being
> viewable to the outside world)?
OpenSSL is realizing SSL3/TLS1 protocol and t
> > The long version: We run security check software, which makes connections
> > with various services, calls up the header, and then tells us that based
> > upon the version it read in the header, this service has certain
> > vulnerabilities.
I just have to say one more thing:
> The long version: We run security check software, which makes connections
> with various services, calls up the header, and then tells us that based
> upon the version it read in the header, this service has certain
> vulnerabilities.
You mean it might have certain vulnerabilities. You c
Scott Campbell wrote:
The long version: We run security check software, which makes
connections with various services, calls up the header, and then tells
us that based upon the version it read in the header, this service has
certain vulnerabilities. For security purposes, we would like
Dear All, The quick version: How can I disable or prevent OpenSSL headers from being viewable to outside traffic (similar to when you disable Apache from allowing its header and version information from being viewable to the outside world)?
The long version: We run security check softwa