Detection of Gemini server software

1. Anna “CyberTailor” (cyber (a) sysrq.in)

The specification leaves error messages in response field "meta" to
servers' developers. So in response to a malformed request servers may
send "59 invalid request", "59 Error parsing URL!", "59 Invalid URL"
or something else.

Is it a security issue or just "creepy"?

Potential attackers can't detect vulnerable software versions using
this method, only its name. Also there aren't any known security flaws
except that naughty ".."



Bonus: nmap can be taught to detect gemini servers:
https://nmap.org/book/vscan-community.html

If you are interested, post your server's fingerprint here:
https://nmap.org/cgi-bin/submit.cgi?new-service

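The fingerprinting trick described above, as an added example that is not part of the thread or of any Gemini server project: open TLS to port 1965, send one deliberately malformed request line, and compare the "meta" text of the 59 reply against a table of observed strings. The table below reuses the three strings quoted in the message, but the thread does not say which server emits which, so the software names in it are placeholders to be filled in from your own observations; the malformed request bytes are likewise a constructed choice, and the Gemini header shape (two-digit status, space, meta, CRLF, meta at most 1024 bytes) is taken from the protocol specification.

```python
"""Fingerprint a Gemini server by the 'meta' text of its status-59 reply.

Added example, not code from the thread or from any server project.
Protocol shape assumed from the Gemini spec: the client sends
'<URL>\r\n' over TLS (port 1965) and the server answers with a header
'<2-digit status><SPACE><meta>\r\n'.  59 means 'bad request'; the spec
leaves the meta text to the implementer, which is what makes it a
fingerprint.
"""
import socket
import ssl
from typing import Optional, Tuple

# Constructed table: meta string -> software name.  The three strings are
# the ones quoted in the message; the names are placeholders, since the
# thread does not attribute them to specific servers.
KNOWN_META = {
    "invalid request": "server-A (placeholder)",
    "Error parsing URL!": "server-B (placeholder)",
    "Invalid URL": "server-C (placeholder)",
}

# Constructed request that no sane URL parser should accept
# (control byte and unescaped spaces inside the authority/path).
MALFORMED_REQUEST = b"gemini://\x7f host/not a url\r\n"


def parse_header(raw: bytes) -> Tuple[int, str]:
    """Split a Gemini response header into (status, meta).

    Raises ValueError if the bytes do not have the spec's header shape,
    so an HTTP server or garbage on port 1965 is not mis-fingerprinted.
    """
    line, sep, _body = raw.partition(b"\r\n")
    if not sep:
        raise ValueError("header not terminated by CRLF")
    if len(line) < 2 or not line[:2].isdigit():
        raise ValueError("status is not two ASCII digits")
    status = int(line[:2])
    rest = line[2:]
    if rest and rest[:1] != b" ":
        raise ValueError("status not followed by a space")
    meta_bytes = rest[1:]
    if len(meta_bytes) > 1024:
        raise ValueError("meta exceeds 1024 bytes")
    return status, meta_bytes.decode("utf-8", errors="replace")


def classify(status: int, meta: str) -> Optional[str]:
    """Map a 59 reply's meta text onto a software name, or None if unknown."""
    if status != 59:
        return None
    return KNOWN_META.get(meta.strip())


def probe(host: str, port: int = 1965, timeout: float = 5.0) -> Tuple[int, str]:
    """Send the malformed request to a live server and parse its header.

    Gemini deployments commonly use self-signed certificates (TOFU), so
    certificate verification is disabled for this probe.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(MALFORMED_REQUEST)
            buf = b""
            # Read until CRLF; a header can be at most 2 + 1 + 1024 + 2 bytes.
            while b"\r\n" not in buf and len(buf) < 1100:
                chunk = tls.recv(1100 - len(buf))
                if not chunk:
                    break
                buf += chunk
    return parse_header(buf)


if __name__ == "__main__":
    import sys

    st, meta = probe(sys.argv[1])
    print(st, repr(meta), classify(st, meta) or "unknown")
```

`parse_header` and `classify` are pure so they can be exercised offline; `probe` is the only part that touches the network. The same two pieces of information (the request to send and the meta text to match) are what an nmap service probe for Gemini would carry, which is the mechanism behind the nmap links above.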

2. Jason McBrayer (jmcbray (a) carcosa.net)


Anna “CyberTailor” writes:

> The specification leaves error messages in response field "meta" to
> servers' developers. So in response to a malformed request servers may
> send "59 invalid request", "59 Error parsing URL!", "59 Invalid URL"
> or something else.
>
> Is it a security issue or just "creepy"?

That's a good question. I know it's considered good practice not to leak
any information you don't need to. But as you also suggest, I'm not sure
if fingerprinting server implementations is really that sensitive
information.

-- 
Jason McBrayer      | “Strange is the night where black stars rise,
jmcbray@carcosa.net | and strange moons circle through the skies,
                    | but stranger still is lost Carcosa.”
                    | ― Robert W. Chambers,The King in Yellow


3. Stephane Bortzmeyer (stephane (a) sources.org)

On Tue, Jun 29, 2021 at 08:43:25AM -0400,
 Jason McBrayer <jmcbray@carcosa.net> wrote 
 a message of 20 lines which said:

> I know it's considered good practice not to leak any information you
> don't need to. But as you also suggest, I'm not sure if
> fingerprinting server implementations is really that sensitive
> information.

My experience with HTTP is that the vast majority of attacks are
blind, just testing various exploits without any regard to the server
software (I see a lot of IIS exploits used against my Apache server
and of course a lot of Wordpress exploits against a static site). It
makes sense (from the point of view of the attacker) since it is
faster to just try the exploit rather than finding out if the exploit
may work. Also, it avoids false positives (Debian packages
security-patched but with an old version number).

Like many pieces of simple security advice, this one is useless.

