
cherokee at googlecode
Oct 27, 2010, 12:34 AM
Post #8 of 12
Re: Issue 438 in cherokee: Feature Request: Server Tokens

Comment #12 on issue 438 by Kissaki0: Feature Request: Server Tokens
http://code.google.com/p/cherokee/issues/detail?id=438

It’s not about security by obscurity being a bad security concept (which is only if that’s the only action anyway). Security is always about the ratio between investment / cost to benefit. Changing a flag to not display the server name is a small cost, very simple, and does add security.

It may not be much, and you may say Cherokee tries to be secure in other, the more basic and more dangerous aspects, but IF a security flaw is found that is unique to or does work on cherokee attackers may profit from the info that cherokee is running more than from no info at all.

Yes it is a small benefit and if you want real security you’ll just have to stay up to date and use stable versions. Still, that should be something users should be allowed to decide, just like they should be allowed to decide on what infos they want to provide.

I can understand that cherokee devs and fans want to promote cherokee and want themselves as well as others to be able to see that ppl. are using cherokee, but in my opinion allowing to not provide info on what webserver is running to anyone should be something the hoster / admin decides and something that would even further make cherokee better than webservers which don’t allow you to decide.

_______________________________________________
Cherokee-dev mailing list
Cherokee-dev [at] lists
http://lists.octality.com/listinfo/cherokee-dev