erik
Is it common or desirable to display version information on instances of hosted things? I understand it is part of the API for at least Mastodon, but am I silly for thinking that it is something you might not want to advertise to the outside world? I guess vulns are gonna vuln, but would that make it easier to scrape together targets? #înfosec
Nov 16, 2022 at 5:39amWeb
Show threadGuthrie McAfee ArmstrongNov 16, 2022
@erkattak It also makes it easier for users to alert their admins—and each other—when a vulnerability still needs to be patched on their instance.
Show threaderikNov 16, 2022

@gmarmstrong that is a good point.

I know what I'm getting at is essentially security through obscurity and there are much better ways of hardening things.

I guess since I am used to being the responsible party for versions of things (libraries, tools, etc.) I'm being a bit protective. Like, I wouldn't want to expose that information to potential bad actors and cause more headaches for my users if simply not exposing it could save some time to implement a fix.

Show threadMike RockwellNov 16, 2022
@erkattak I believe WordPress stopped advertising it’s version number publicly for this very reason.