risottobias,

is removing server headers actually beneficial to , or is it

e.g., removing the server version

pros: for a widely used software (like apache), knowing the exact version helps you narrow down exploits.

rebuttal: you know it's mastodon or already.

cons: think like a user. Removing the server version means that users can't know that you've lapsed in updating the site.

transparency over obscurity.

silvenga,

@risottobias I'm still under the impression that the "best practice" to hide versions comes from companies that need to hide their version numbers. The whole (be it problematic) "if you have nothing to hide..." mantra.

risottobias,

deleted_by_author

    silvenga,

    @risottobias ha! That's basically it.

    codefolio,

    @risottobias Think about some poor souls editing out WordPress version info to avoid being attacked.

    And yet literally the whole internet is constantly attacked assuming it's WordPress. WordPress? Attacked. Ruby on Rails? Attacked. Static freaking JS? Check for wp-admin.php!

    When you're a rando with an exploit, apparently the whole world looks like WordPress.

    It stops neither competent attackers (other ways to fingerprint) nor incompetent ones (just use the hammer you have on everything.)

    uastronomer,

    @codefolio @risottobias Scripted attacks, coming from compromised servers, growing botnets, etc: "I will scan random IPs and try these canned common exploits". Like a typical user, they'll neither care nor notice that you've removed server headers.

    Actual human attacker, targeting your server: Doing recon, will absolutely do basic recon like checking headers, portscanning, etc, etc. Removing headers will slow them down, force them to try attacks that won't work, greater chance of triggering your IDS or creating weird messages in your logs, etc.
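    The "weird messages in your logs" point above, as an added defender-side example that is not from the thread: a small Python check over constructed access-log lines that flags WordPress-only paths requested on a host that does not run WordPress. The log lines, regexes and probe paths are assumptions for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access-log lines (Apache/nginx "combined" format), not real traffic.
# The host is a static site: none of the WordPress paths below exist on it.
SAMPLE_LOG = """\
203.0.113.10 - - [04/Dec/2022:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [04/Dec/2022:10:01:03 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Dec/2022:10:02:11 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "python-requests/2.28"
198.51.100.7 - - [04/Dec/2022:10:02:11 +0000] "POST /xmlrpc.php HTTP/1.1" 404 196 "-" "python-requests/2.28"
198.51.100.7 - - [04/Dec/2022:10:02:12 +0000] "GET /wp-admin/ HTTP/1.1" 404 196 "-" "python-requests/2.28"
192.0.2.55 - - [04/Dec/2022:10:03:40 +0000] "GET /.env HTTP/1.1" 404 196 "-" "curl/7.81.0"
192.0.2.55 - - [04/Dec/2022:10:03:41 +0000] "GET /wp-content/plugins/ HTTP/1.1" 404 196 "-" "curl/7.81.0"
"""

# One "combined" log line: ip, timestamp, request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Paths that only make sense on a WordPress install (assumed list); a request for them
# on a host that is not WordPress is a canned probe, not a user.
WP_PROBE_RE = re.compile(r'^/(wp-login\.php|wp-admin(/|$)|xmlrpc\.php|wp-content/|wp-includes/)')

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_probes(log_text, is_wordpress=False):
    """Return {ip: [paths]} for WordPress-only paths that were requested and got a 4xx.
    On a real WordPress host these paths are legitimate, so nothing is flagged there."""
    hits = defaultdict(list)
    if is_wordpress:
        return hits
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than guess
        if WP_PROBE_RE.match(rec["path"]) and rec["status"].startswith("4"):
            hits[rec["ip"]].append(rec["path"])
    return hits

def summarize(hits):
    """Flagged requests per source address, most active first."""
    return Counter({ip: len(paths) for ip, paths in hits.items()}).most_common()

if __name__ == "__main__":
    for ip, n in summarize(find_probes(SAMPLE_LOG)):
        print(f"{ip}: {n} WordPress probe(s) against a non-WordPress host")
```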

    risottobias,

    deleted_by_author

    uastronomer,

    @risottobias @codefolio Oh, I didn't know that! I was just responding to the idea that it might just be security theatre - people get really religious about this stuff 😉

    risottobias,

    @uastronomer @codefolio security isn't the only requirement on a system lol.

    Targeted phishing is only what, 1% of attacks, but 60% of breaches involve it?

    khorwood,

    @risottobias it could go either way.
    Removing the version does make it a little harder to find vulnerable servers but there are usually other ways to fingerprint a version, as well as automated vulnerability scanners.

    indieterminacy,

    @risottobias I felt that the design decisions within the for having a minimalist header felt sound.

    'Here is the content'

    risottobias,

    deleted_by_author

    indieterminacy,

    @risottobias I get what you are saying.

    The protocol aims to either send the format , which provides a simpler format, else what it refers to as a 'binary', which would be a file which has no (direct) syntax assumptions.

    But back to your point there was a recent conversation in this matrix room that touches upon that topic (somewhat):
    https://matrix.to/#/#fediverse-city:matrix.org

    It involves @quilnux and @strypey

    strypey,

    @indieterminacy
    > there was a recent conversation in this matrix room that touches upon that topic

    I'm a bit embarrassed to see this linked here, since my tone in this exchange was... less than exemplary. But...

    ... the true disagreement isn't really about server version data. It's about whether the social value of the NodeInfo and stats site infrastructure, outweighs any security downsides it involves. I think it does. @quilnux is not convinced ; )

    @risottobias

    quilnux,

    @strypey @indieterminacy @risottobias I don't even look at it as a social value issue. When I see these databases, I look at it from the perspective of, what, exactly is this doing to benefit the network? The risk-to-benefit ratio is just not there in my opinion. How do these databases create better infrastructure, or how do they add new capabilities and features, or build better security to the infrastructure (because we all know AP has crappy security) or even, how do they add to the value proposition of ActivityPub? When you weigh it against the risks, I have yet to find any value in them.

    It should also be acknowledged that inherently to federation-based technologies, any attack to any part of the network can (and usually will) harm the network as a whole. So if the risks from these stat databases cause more harm than benefit... You get my point.

    I'll put this question out there... (other than accolades) what technological advancements to AP technology will be born from these stat databases that would make the risks worth it? Social benefit is not an accepted answer (because social benefits do not advance the technology).

    indieterminacy,

    @strypey @quilnux I liked the conversation, I wouldn't worry. Happy to purge the message if needs be (and apologies if cross referencing like that is uncouth) @risottobias

    strypey,

    @indieterminacy
    > Happy to purge the message if needs be

    Not at all. It's a public chat room and it's perfectly fine to link to it IMHO.

    I'm just trying to hold myself to the highest possible standard of friendly and respectful behavior, and for me that includes openly acknowledging when I've fallen short of that standard.

    @quilnux @risottobias

    risottobias,

    deleted_by_author

    strypey,

    @risottobias
    > I'm just a newb and a know it all but I'll shut up

    You're asking good questions and learning stuff. Don't you dare shut up. Keep going!

    @indieterminacy @quilnux

    risottobias,

    here's a good case for publishing version numbers:

    https://rwhb.me/20221204/
