Newsgroups: php.internals
Subject: Expose php: on or off
From: drews@php.net ("Wolfgang Drews")
Date: Thu, 10 Nov 2005 16:13:34 +0100
Message-ID: <20051110140640.0FCF444B92@mail.dynamicwebpages.de>

hi list,

I just came back from the PHP conference in Frankfurt and had some nice talks there with Ilia and Derick. They told me to send my following thoughts to internals, so that you maybe can find a wise solution for it.

As security gets more and more recognized by many people, they follow all the security experts' suggestions to turn the exposure of PHP OFF, as otherwise this would help hackers to find vulnerabilities on their server (i.e. if you are running an old PHP version which has security holes).

I was told to do so, too, but actually I have a very good reason to leave it turned on: Netcraft. As far as I can see, Netcraft is collecting its numbers from exactly this exposure. Further, I seem to remember that in former times everybody said to turn it on, so that Netcraft can count the server as a PHP server and as a result the statistics look good for PHP.

Now have a short look at the statistics, and you will see that we had a decrease of about 1.3 million domains last month. I can imagine that a reason for this may be that a huge provider turned expose_php to off (but who knows). In any case, this makes me aware of a problem: a decision between security and PHP's spread?

My suggestion would be to simply shorten the string that gets exposed to "php" and not show any version numbers (or maybe leave it to the user, say 0 for "no exposure", 1 for "only php" and 2 for "php with version number").

What do you think?

best regards,
-Wolfgang

-- 
PHP hub Dynamic Web Pages: http://www.dynamicwebpages.de/
German-language PHP certifications: http://www.phpzertifizierung.de/
Professional solutions for dynamic web publishing: http://php-buch.de/
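As an added illustration of the tradeoff discussed above (example code written for this page, not part of the original post and not PHP's own code): a small Python audit that classifies a server's HTTP response head into the three exposure levels Wolfgang proposes (0 = no exposure, 1 = "PHP" only, 2 = PHP with version number). It relies on what expose_php actually controls, the `X-Powered-By: PHP/x.y.z` response header, and additionally checks the `Server` header, because Apache's ServerTokens setting can reveal the PHP module version there even when expose_php is Off. The response heads, labels and version strings below are constructed samples, not captured from any real host.

```python
import re
from typing import Dict, List, Optional, Tuple

# Exposure levels as proposed in the post above.
EXPOSURE_NONE = 0       # expose_php = Off: nothing advertised
EXPOSURE_NAME_ONLY = 1  # the proposed middle ground: "PHP" without a version
EXPOSURE_VERSION = 2    # expose_php = On: "PHP/x.y.z"

# Matches a PHP product token such as "PHP" or "PHP/5.0.5"; the leading word
# boundary keeps tokens like "mod_php" from matching.
_PHP_TOKEN_RE = re.compile(r"\bPHP(?:/(\d+(?:\.\d+)*))?", re.IGNORECASE)

# Headers that can carry the token: X-Powered-By is emitted by expose_php,
# Server may carry it through Apache's ServerTokens. Assumption: these are
# the only two places worth checking for this audit.
_HEADERS_TO_CHECK = ("x-powered-by", "server")


def parse_response_head(raw: str) -> Dict[str, List[str]]:
    """Parse the header block of a raw HTTP response into a mapping of
    lower-cased header name -> list of values. The status line is skipped
    and anything after the first blank line (the body) is ignored."""
    headers: Dict[str, List[str]] = {}
    lines = raw.splitlines()
    for line in lines[1:]:  # lines[0] is the status line
        if not line.strip():
            break  # end of the header block
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line; skip rather than fail
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def php_exposure_level(raw: str) -> Tuple[int, Optional[str]]:
    """Return (level, version) for one response head. The version string is
    only returned when the full version is exposed (level 2)."""
    headers = parse_response_head(raw)
    level = EXPOSURE_NONE
    for name in _HEADERS_TO_CHECK:
        for value in headers.get(name, []):
            match = _PHP_TOKEN_RE.search(value)
            if match is None:
                continue
            if match.group(1):
                return EXPOSURE_VERSION, match.group(1)
            level = EXPOSURE_NAME_ONLY
    return level, None


def audit(responses: Dict[str, str]) -> Dict[str, int]:
    """Map each labelled response head to its exposure level, e.g. to verify
    a fleet of your own servers after changing php.ini."""
    return {label: php_exposure_level(raw)[0] for label, raw in responses.items()}


# Constructed sample response heads (labels and versions are made up).
SAMPLE_RESPONSES = {
    "expose_php_on": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Apache\r\n"
        "X-Powered-By: PHP/5.0.5\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "<html></html>"
    ),
    "name_only": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Apache\r\n"
        "X-Powered-By: PHP\r\n"
        "\r\n"
    ),
    "expose_php_off": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Apache\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
    ),
    # expose_php is Off here, but the Server header still leaks the version.
    "server_tokens_full": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Apache/1.3.33 (Unix) PHP/4.4.1\r\n"
        "\r\n"
    ),
}

if __name__ == "__main__":
    for label, level in audit(SAMPLE_RESPONSES).items():
        print(f"{label}: exposure level {level}")
```

Setting `expose_php = Off` in php.ini removes the `X-Powered-By` header entirely, which is the level-0 sample; the last sample is the case to check for when relying on that directive alone, since the version can still surface through the web server's own banner.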