The specification leaves error messages in response field "meta" to servers' developers. So in response to malformed request servers may send "59 invalid request", "59 Error parsing URL!", "59 Invalid URL" or something else.

Is it a security issue or just "creepy"?

Potential attackers can't detect vulnerable software versions using this method, only its name. Also there aren't any known security flaws except that naughty ".."

Anna “CyberTailor” writes:

> The specification leaves error messages in response field "meta" to
> servers' developers. So in response to malformed request servers may
> send "59 invalid request", "59 Error parsing URL!", "59 Invalid URL"
> or something else.
>
> Is it a security issue or just "creepy"?

That's a good question. I know it's considered good practice not to leak any information you don't need to. But as you also suggest, I'm not sure if fingerprinting server implementations is really that sensitive information.

--
Jason McBrayer      | “Strange is the night where black stars rise,
jmcbray@carcosa.net | and strange moons circle through the skies,
                    | but stranger still is lost Carcosa.”
                    | ― Robert W. Chambers, The King in Yellow

On Tue, Jun 29, 2021 at 08:43:25AM -0400, Jason McBrayer <jmcbray@carcosa.net> wrote a message of 20 lines which said:

> I know it's considered good practice not to leak any information you
> don't need to. But as you also suggest, I'm not sure if
> fingerprinting server implementations is really that sensitive
> information.

My experience with HTTP is that the vast majority of attacks are blind, just testing various exploits without any regard to the server software (I see a lot of IIS exploits used against my Apache server and of course a lot of WordPress exploits against a static site). It makes sense (from the point of view of the attacker) since it is faster to just try the exploit rather than finding out if the exploit may work. Also, it avoids false positives (Debian packages security-patched but with an old version number).

Like many simple pieces of security advice, this one is useless.
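
For reference, an added example that is not part of the thread and not taken from any Gemini server: one way a server could send the same status 59 meta text for every malformed request while keeping the specific parse failure in its own log. The function names, the meta string and the sample requests in the usage are assumptions made for illustration.

```python
import logging
from urllib.parse import urlsplit, unquote

log = logging.getLogger("gemini")
MAX_URL_BYTES = 1024                 # URL length limit from the Gemini specification
BAD_REQUEST = b"59 Bad request\r\n"  # constructed meta text, identical for every failure


def check_request(raw: bytes):
    """Return (url, None) for an acceptable request line, else (None, reason)."""
    if not raw.endswith(b"\r\n"):
        return None, "missing CRLF"
    line = raw[:-2]
    if len(line) > MAX_URL_BYTES:
        return None, "URL longer than 1024 bytes"
    try:
        url = line.decode("utf-8")
        parts = urlsplit(url)        # raises ValueError on e.g. a broken IPv6 literal
    except ValueError:               # UnicodeDecodeError is a subclass of ValueError
        return None, "URL cannot be decoded or parsed"
    if parts.scheme != "gemini" or not parts.hostname:
        return None, "not an absolute gemini:// URL"
    # Decode percent-escapes first so %2e%2e and %2f are caught as well.
    if ".." in unquote(parts.path).split("/"):
        return None, "dot-dot path segment"
    return url, None


def respond(raw: bytes, peer: str) -> bytes:
    """Build the response header; the failure reason goes to the log only."""
    url, reason = check_request(raw)
    if reason is not None:
        log.warning("bad request from %s: %s", peer, reason)
        return BAD_REQUEST
    return b"20 text/gemini\r\n"     # placeholder success header, body handling omitted


if __name__ == "__main__":
    # Constructed sample requests: one valid, three malformed in different ways.
    for sample in (b"gemini://example.org/\r\n",
                   b"gemini://example.org/%2e%2e/secret\r\n",
                   b"https://example.org/\r\n",
                   b"gemini://example.org/"):
        print(sample, "->", respond(sample, "192.0.2.1"))
```

All three malformed samples produce the same bytes on the wire, so the meta text no longer distinguishes one parser from another; the reason string is available only to the operator.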