Stephane Bortzmeyer stephane at sources.org
Tue Jun 29 16:06:08 BST 2021
- - - - - - - - - - - - - - - - - - -
On Tue, Jun 29, 2021 at 08:43:25AM -0400, Jason McBrayer <jmcbray at carcosa.net> wrote a message of 20 lines which said:
> I know it's considered good practice not to leak any information you
> don't need to. But as you also suggest, I'm not sure if
> fingerprinting server implementations is really that sensitive
> information.
My experience with HTTP is that the vast majority of attacks are blind, just testing various exploits without any regard to the server software (I see a lot of IIS exploits used against my Apache server and of course a lot of WordPress exploits against a static site). It makes sense (from the point of view of the attacker) since it is faster to just try the exploit rather than finding out if the exploit may work. Also, it avoids false positives (Debian packages security-patched but with an old version number).
Like many simple pieces of security advice, this one is useless.