bugzilla-daemon at mindrot.org
2015-Jul-10 18:10 UTC
[Bug 764] fully remove product and version information
https://bugzilla.mindrot.org/show_bug.cgi?id=764

ilf <ilf at zeromail.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
        Version|3.7.1p1                     |-current
             CC|                            |ilf at zeromail.org

--- Comment #20 from ilf <ilf at zeromail.org> ---
I'd like to reopen this. More than ten years after the initial debate, the world is a different one. After Snowden, we know that nation-state actors at the same time kill people based on metadata and target Angry Birds. So we should do all we can to minimize revealing metadata by default, or at least have the option to do so.

Over in Debian, there's a similar Bug [0], which states that this version string "is used as a selector in NSA's XKEYSCORE queries in conjunction with the metadata database of potentially exploitable services (BLEAKINQUIRY) by the NSA group 'S31176' for targeted exploit and compromise [1][2]".

I respect the argument that it might be "necessary to use the version for protocol compatibility tweaks". So keep it in, and leave it enabled by default. But I see no reason why an operator of an SSHd should not be able to disable it, if (s)he is confident that his/her own clients can or must handle it. (After all, there are many config options which can lock out lots of clients - see Ciphers/MACs and mobile clients.)

So please reconsider an optional setting to disable (or edit) the remote software version string.

0. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786987#50
1. http://www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet-security-a-1010361.html
2. http://www.spiegel.de/media/media-35515.pdf
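As an added example (not part of the bug report and not OpenSSH code), the following Python helper parses the SSH identification string from RFC 4253 section 4.2 so an operator can audit which fields (software version, distro comments) their own server discloses; the banner values are constructed samples, and `fetch_identification` is a hypothetical helper that an operator would point at a host they administer.

```python
"""Parse an SSH server identification string (RFC 4253 section 4.2) to audit
what a server discloses. Wire format: "SSH-proto-software SP comments CR LF"."""
import re
import socket
from typing import Dict, Iterable, List, Optional

# protoversion/softwareversion may not contain whitespace or '-'; comments
# are free text and often carry a distro patch level.
_ID_RE = re.compile(r"^SSH-(?P<proto>[^\s-]+)-(?P<software>[^\s-]+)(?: (?P<comments>.*))?$")

# Constructed sample banners (not captured from any real host).
SAMPLE_FULL = "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7\r\n"
SAMPLE_PREAMBLE = ["Welcome to example host\r\n", "SSH-2.0-OpenSSH_7.4p1\r\n"]

def parse_identification(line: str) -> Optional[Dict[str, str]]:
    """Return proto/software/comments, or None for an invalid line
    (wrong shape, or over the RFC's 255-byte limit including CR LF)."""
    body = line.rstrip("\r\n")
    m = _ID_RE.match(body)
    if m is None or len(body) + 2 > 255:
        return None
    return {"proto": m["proto"], "software": m["software"],
            "comments": m["comments"] or ""}

def find_identification(lines: Iterable[str]) -> Optional[Dict[str, str]]:
    """Servers may send free-form lines first; RFC 4253 tells clients to
    ignore any line that does not start with 'SSH-'."""
    for raw in lines:
        if raw.startswith("SSH-"):
            return parse_identification(raw)
    return None

def revealed_metadata(info: Dict[str, str]) -> Dict[str, str]:
    """Split the usual 'Product_version' token so product, version and
    comments (the fields the report wants optional) are visible at a glance."""
    product, _, version = info["software"].partition("_")
    return {"product": product, "version": version, "comments": info["comments"]}

def fetch_identification(host: str, port: int = 22, timeout: float = 5.0):
    """Read the banner from a host you administer (network; not run offline)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("r", encoding="ascii", errors="replace")
        lines: List[str] = []
        for _ in range(50):  # bound the preamble we are willing to read
            lines.append(reader.readline())
            if not lines[-1] or lines[-1].startswith("SSH-"):
                break
    return find_identification(lines)
```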