Christopher,
It seems like such a trivial measure that I don't think breaking the
spec is worth it. You seem to be concerned about the information
returned... well just return less. Don't 'break the spec' for
something so trivial.
Like the comments on your blog say, bandwidth is a silly reason; and
you can simply configure the server to not display the OS, or give a
fake OS if that makes you feel more comfortable.
Breaking the spec is a bad idea, IMO.
-- Michael
-----Original Message-----
From: christopher@baus.net [mailto:christopher@baus.net]
Sent: Wednesday, 2 March 2005 4:00 PM
To: webappsec@securityfocus.com
Subject: Dropping connection instead of returning 400
I have an application proxy "under my pillow" so to speak.
I've built it from the ground up over the past couple years
with security in mind. It has been a long and tedious task,
but I think my efforts are finally starting to pay off.
One thing that keeps coming back to me is 400 Bad Request
handling. It is now my opinion that security proxies should
just drop connection when faced with traffic they refuse to handle.
I put some thoughts on this on my blog here:
http://www.baus.net/400-bad-request
Which cause one client developer to call me a non-compliant
wanker here:
http://www.mackmo.com/nick/blog/java/?permalink=Please_send_40
0_Bad_Request_and_.txt
I then followed up with the general thought that I'm willing
to be non-compliant in the name of security:
http://www.baus.net/breaking-the-spec-in-the-name-of-security
So what do you think? Is security worth non-compliance with
the HTTP spec?
Christopher Baus
========
Implementing an HTTP proxy?
Consider a fast, secure alternative
http://www.baus.net/
