Sunday, June 03, 2012

Server Header - Security through obscurity

Security through obscurity is sometimes taken to one of two extremes: "You are vulnerable unless you hide" or "You are vulnerable anyway, so do not bother hiding".

You should not assume hiding will save you, but be convinced that hiding is an addition to core security best practices that will ultimately help against some adversaries (not all, of course). You still need to follow best practices: you will not reinvent a secure protocol for your server and client to communicate just because you feel that TLS, as everybody uses it, is better understood by attackers and that this is the reason you are vulnerable if you use it. At the same time you will not disclose a stack trace of your backend application, because it could reveal private information.

I stumbled upon a question and a couple of answers. I believe it is not OK to give away all the information about your web server, but let us face it: in most cases it takes less than a minute to figure out what the HTTP connector is. On the other hand, making life easier for the inexperienced attacker who is after his first target does not make any sense either.

But if you ask me what I prefer to send back as my Server header, "Apache" or "Thor", I prefer "Apache". There is, after all, a discipline called psychology for a reason. Do you really think a real hacker likes easy stuff? Challenge is probably the highest incentive for the more creative (good or bad) ideas. I have hardened servers for some industries where, by regulation, the "Server" header must not be present. Interestingly enough, just Googling the company with the right keywords and options returns results providing more information than the headers would, and then, just testing SSL, their websites exhibit serious TLS weaknesses.
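Whatever you decide to send back, the decision should be verified, not assumed. The following script is an added example (not code from the original post): it parses a raw HTTP response and reports which product-identifying headers are present and whether any of them carries a version number, which is the part that actually narrows an attacker's search. The three responses it checks are constructed for the demonstration (an Apache default-style header, the "Apache"-only form that `ServerTokens Prod` produces, and a response with the header removed); no host is contacted.

```python
"""Audit HTTP response headers for server-identifying information.

Added example, not part of the original post. The sample responses below
are constructed; nothing is fetched from the network.
"""
import re

# Headers that commonly name the server software or application framework.
DISCLOSURE_HEADERS = (
    "server",
    "x-powered-by",
    "x-aspnet-version",
    "x-aspnetmvc-version",
    "via",
)

# A dotted version such as "2.2.22" or "5.3.10" inside a header value.
VERSION_RE = re.compile(r"\b\d+(?:\.\d+)+\b")


def parse_response(raw):
    """Split a raw HTTP response into (status_line, {lower-case header: value})."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    status_line, _, header_block = head.partition(b"\r\n")
    headers = {}
    for line in header_block.split(b"\r\n"):
        if not line:
            continue
        name, _, value = line.partition(b":")
        # Header names are case-insensitive; normalise for lookup.
        headers[name.decode("latin-1").strip().lower()] = value.decode("latin-1").strip()
    return status_line.decode("latin-1"), headers


def audit_headers(headers):
    """Return [(header, value, leaks_version)] for each disclosure header present."""
    findings = []
    for name in DISCLOSURE_HEADERS:
        if name in headers:
            value = headers[name]
            findings.append((name, value, bool(VERSION_RE.search(value))))
    return findings


def verdict(findings):
    """Summarise the findings in one of three states."""
    if not findings:
        return "no product headers"
    if any(leaks_version for _, _, leaks_version in findings):
        return "product and version disclosed"
    return "product disclosed, version hidden"


def audit(raw):
    """Convenience wrapper: raw response bytes -> (verdict, findings)."""
    _status, headers = parse_response(raw)
    findings = audit_headers(headers)
    return verdict(findings), findings


# Constructed sample responses (not captured from any real server).
VERBOSE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Sun, 03 Jun 2012 10:00:00 GMT\r\n"
    b"Server: Apache/2.2.22 (Ubuntu) PHP/5.3.10\r\n"
    b"X-Powered-By: PHP/5.3.10\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html></html>"
)

# What Apache sends with "ServerTokens Prod": product name only.
PROD_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html></html>"
)

# Server header removed entirely, as some regulations require.
STRIPPED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html></html>"
)

if __name__ == "__main__":
    for label, raw in (("verbose", VERBOSE_RESPONSE),
                       ("prod", PROD_RESPONSE),
                       ("stripped", STRIPPED_RESPONSE)):
        result, findings = audit(raw)
        print(f"{label:9} -> {result}")
        for name, value, leaks in findings:
            print(f"           {name}: {value}" + ("  [version]" if leaks else ""))
```

To use it against your own server, capture the response bytes with whatever client you already have and pass them to `audit()`. The useful distinction is between the second and third states: both avoid handing out a version, and the post's point is that going from "Apache" to nothing buys very little once the TLS configuration and public search results are taken into account.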

So obscure to gain extra peace of mind, but secure your system by following well-known best practices.
