I received the following comment from the Independent Submissions Editor (ISE):

> The command VER is hazardous because it encourages exploiting of
> implementation peculiarities that are not well documented in a
> protocol. The best example of such a failure is the browser version
> field in HTTP. A complete disaster. You should warn against use of
> this command, or even better, deprecate it.

I was not aware of the disaster in the browser version field, but I will warn
against use of VER, and deprecate it, if you agree.

Roger
Manuel Wolfshant
2022-Mar-20 19:10 UTC
[Nut-upsuser] ISE review of I-D: deprecate command VER?
On March 20, 2022 5:02:36 PM GMT+02:00, Roger Price <roger at rogerprice.org> wrote:
> I received the following comment from the Independent Submissions Editor (ISE):
>
> > The command VER is hazardous because it encourages exploiting of
> > implementation peculiarities that are not well documented in a
> > protocol. The best example of such a failure is the browser version
> > field in HTTP. A complete disaster. You should warn against use of
> > this command, or even better, deprecate it.
>
> I was not aware of the disaster in the browser version field, but I will warn
> against use of VER, and deprecate it, if you agree.
>
> Roger

Hello

I do not know of anyone calling the situation of browsers "a disaster". It's true, the version field can be and is used - together with other data that the browser sends (!!!) - to create an almost unique signature of the user. But OTOH it is used to adapt the looks of the site to the capabilities of the browser because, well, no two browsers behave 100% the same and site developers try to make sites that look as bright and shiny as possible in the eyes of the users. For a start, that's how the desktop and mobile versions of dynamic/responsive sites differentiate the clients and adapt themselves to present the best look and feel to clients.

Leaving that aside, I see no issues in warning users about the potential nefarious uses of any command. In this particular case I'd also add a reference to restricting the communication between NUT servers and clients to the smallest possible subset of devices (by using dedicated VLANs, firewalls etc) and ask them to reread the security section.

wolfy
Roger Price <roger at rogerprice.org> writes:
> I received the following comment from the Independent Submissions Editor (ISE):
>
> > The command VER is hazardous because it encourages exploiting of
> > implementation peculiarities that are not well documented in a
> > protocol. The best example of such a failure is the browser version
> > field in HTTP. A complete disaster. You should warn against use of
> > this command, or even better, deprecate it.
>
> I was not aware of the disaster in the browser version field, but I
> will warn against use of VER, and deprecate it, if you agree.

I am quite aware of it, but I haven't seen it called out like this.

The basic issue is that we now have a culture of web servers serving N different versions of pages based on the User-Agent field, instead of coding to standards and expecting clients to meet standards. "Disaster" might be a slightly strong word, but it isn't at all confused.

So a good question is whether it's necessary. Perhaps it's just a management plane concept, but for SMTP the two sides don't specify their software or protocol versions.

In general, a fair question is "What if we deleted this? If we wouldn't have trouble, why are we keeping it?"
Matus UHLAR - fantomas
2022-Mar-21 09:52 UTC
[Nut-upsuser] ISE review of I-D: deprecate command VER?
On 20.03.22 16:02, Roger Price wrote:
> I received the following comment from the Independent Submissions Editor (ISE):
>
> > The command VER is hazardous because it encourages exploiting of
> > implementation peculiarities that are not well documented in a
> > protocol. The best example of such a failure is the browser version
> > field in HTTP. A complete disaster. You should warn against use of
> > this command, or even better, deprecate it.
>
> I was not aware of the disaster in the browser version field, but I
> will warn against use of VER, and deprecate it, if you agree.

Isn't this designed for announcing protocol version for compatibility?

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
"To Boot or not to Boot, that's the question." [WD1270 Caviar]