[mapserver-dev] Dropping Version Output?

Steve Lime sdlime at gmail.com
Wed Feb 16 07:21:11 PST 2022


I should never send an email and then go to bed... great discussion!
Anyway, I was thinking about this in terms of version obfuscation for
security purposes. I mean why advertise that specific information if you
don't have to - at least make it a little challenging (and check a box).
Obfuscating you're using mapserver altogether would be much more difficult,
if not impossible. I could see doing things like supporting customizable
error templates, suppressing function names in error messages, etc...
Certainly not foolproof of course.

I think the configuration file can really provide value here...

--Steve

On Wed, Feb 16, 2022 at 7:18 AM Michael Smith <michael.smith.erdc at gmail.com>
wrote:

> Agree with you that it's a standard checklist item (in DoD for STIGs).
> But fundamentally useless. The security auditors agree but yeah, checklist
> folks are generally not persuadable. I can see a config option.
>
> Mike
>
> --
> Michael Smith
> US Army Corps of Engineers
> Remote Sensing/GIS Center
>
> *From: *MapServer-dev <mapserver-dev-bounces at lists.osgeo.org> on behalf
> of "Nash, Edward" <E.Nash at dvz-mv.de>
> *Date: *Wednesday, February 16, 2022 at 7:15 AM
> *To: *MapServer Dev Mailing List <mapserver-dev at lists.osgeo.org>
> *Subject: *Re: [mapserver-dev] Dropping Version Output?
>
> It may or may not be pure security theatre (personally, I’d tend to agree
> with you on that), but ‘round these parts then not publishing the versions
> of external software components used is pretty high up on standard
> checklists for securing systems (and is low-hanging fruit for anyone to
> check, so shows up pretty quickly), so being able to configure it out would
> save plenty of hassle.
>
> Ed
>
> *From:* MapServer-dev [mailto:mapserver-dev-bounces at lists.osgeo.org] *On
> behalf of *michael.smith.erdc at gmail.com
> *Sent:* Wednesday, 16 February 2022 12:37
> *To:* Tom Kralidis <tomkralidis at gmail.com>
> *Cc:* MapServer Dev Mailing List <mapserver-dev at lists.osgeo.org>
> *Subject:* Re: [mapserver-dev] Dropping Version Output?
>
> Also, I’d say that any perceived extra security by not having this info in
> the response is not really security, just security theatre.
>
> Keep it in.
>
> Michael Smith
> US Army Corps
>
> On Feb 16, 2022, at 6:34 AM, Tom Kralidis <tomkralidis at gmail.com> wrote:
>
> I would suggest keeping at least the version somewhere in the responses
> (i.e. current behaviour, or move to an HTTP header). For scenarios where
> users do not have access to the deployment environment, this information
> is critical.
>
> ..Tom
>
> On Tue, Feb 15, 2022 at 8:49 PM Steve Lime <sdlime at gmail.com> wrote:
>
> What do folks think about dropping the version output from MapServer? That
> is, output like:
>
> <!-- MapServer version 7.6.4 OUTPUT=PNG OUTPUT=JPEG SUPPORTS=PROJ
> SUPPORTS=AGG SUPPORTS=FREETYPE SUPPORTS=CAIRO SUPPORTS=ICONV
> SUPPORTS=WMS_SERVER SUPPORTS=WMS_CLIENT SUPPORTS=WFS_SERVER
> SUPPORTS=WCS_SERVER SUPPORTS=GEOS SUPPORTS=POINT_Z_M SUPPORTS=PBF
> INPUT=JPEG INPUT=POSTGIS INPUT=OGR INPUT=GDAL INPUT=SHAPEFILE -->
>
> I'm not sure that advertising version and supported components makes sense
> anymore. Might be able to make it tunable via the config file but I'm not
> sure that's even necessary.
>
> --Steve
>
> _______________________________________________
> MapServer-dev mailing list
> MapServer-dev at lists.osgeo.org
> https://lists.osgeo.org/mailman/listinfo/mapserver-dev
>
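An added example, not part of this thread or of MapServer's own code: a small Python audit check that parses the version comment quoted above out of a response body (and also flags any response header that names MapServer, which is where the version would land under Tom's header suggestion), so an operator can verify what a deployment actually discloses before and after configuring the output away. The sample body and headers are constructed; the HTTP header names are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the banner quoted in the thread, wrapped in a minimal HTML body.
SAMPLE_BODY = """<html><body>
<!-- MapServer version 7.6.4 OUTPUT=PNG OUTPUT=JPEG SUPPORTS=PROJ
SUPPORTS=AGG SUPPORTS=FREETYPE SUPPORTS=CAIRO SUPPORTS=ICONV
SUPPORTS=WMS_SERVER SUPPORTS=WMS_CLIENT SUPPORTS=WFS_SERVER
SUPPORTS=WCS_SERVER SUPPORTS=GEOS SUPPORTS=POINT_Z_M SUPPORTS=PBF
INPUT=JPEG INPUT=POSTGIS INPUT=OGR INPUT=GDAL INPUT=SHAPEFILE -->
<p>map output</p></body></html>"""

# Constructed sample headers (assumption: a header that names MapServer would be the
# disclosure point if the version moved out of the body).
SAMPLE_HEADERS = {"Server": "Apache", "X-Powered-By": "MapServer 7.6.4"}

BANNER_RE = re.compile(r"<!--\s*MapServer version\s+(\S+)(.*?)-->", re.DOTALL)
TOKEN_RE = re.compile(r"(OUTPUT|SUPPORTS|INPUT)=([A-Z0-9_]+)")


@dataclass
class Banner:
    version: str
    outputs: list = field(default_factory=list)
    supports: list = field(default_factory=list)
    inputs: list = field(default_factory=list)


def parse_banner(body: str):
    """Return the parsed version banner, or None if the body does not advertise one."""
    m = BANNER_RE.search(body)
    if not m:
        return None
    banner = Banner(version=m.group(1))
    buckets = {"OUTPUT": banner.outputs, "SUPPORTS": banner.supports, "INPUT": banner.inputs}
    for key, value in TOKEN_RE.findall(m.group(2)):
        buckets[key].append(value)
    return banner


def audit(body: str, headers: dict) -> list:
    """Checklist-style findings: each place the response discloses the MapServer version."""
    findings = []
    banner = parse_banner(body)
    if banner is not None:
        findings.append(f"body comment: MapServer {banner.version}, "
                        f"{len(banner.supports)} SUPPORTS and {len(banner.inputs)} INPUT tokens")
    for name, value in headers.items():
        if "mapserver" in value.lower():
            findings.append(f"header {name}: {value}")
    return findings
```

Run `audit(body, headers)` against a captured response; an empty list means neither the body comment nor a MapServer-naming header is present.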