Re: Interstitials for websites with outdated server software


Eran Messeri

Jan 24, 2018, 5:28:57 AM
to Security-dev
Just a bystander opinion, I have no official stake or say on the matter:
There are a few problems with this proposal:
- Not actionable: The visitor to a website with outdated software can do nothing about the warning and does not even know what the risks a particular "outdated software" presents.
- Warning shown to the wrong person: It's the website owner that can do something about outdated software, not the visitor.
- Technically difficult: There are many HTTP servers out there; collecting a list of all of them, determining which versions are outdated, and then keeping this list up-to-date would be very time-consuming. And the major serving HTTP stacks are not necessarily open/versionable.
- Warning fatigue: My understanding is that Chrome tries to minimize the number of warnings shown to users to avoid training users to skip/ignore warnings.

In short, it would be a lot of technical work for dubious benefit (no guarantee that owners of websites running on outdated software would update just to avoid a skippable warning).
Eran


On Wed, Jan 24, 2018 at 3:48 AM, 93m4q...@gmail.com <93m4q...@gmail.com> wrote:
Chrome already promotes secure HTTPS connections and warns you with interstitial pages if you try to visit a site with invalid HTTPS, which is extremely important since HTTP connections are dangerously insecure. In addition to that, considering how there are a number of sites out there with outdated server software and outdated server software is loaded with known security vulnerabilities, I think it would also be good if Chrome displayed an interstitial page when you try to visit a website with outdated server software. Does Chromium have any opinions on whether or not this should be done?

PhistucK

Jan 25, 2018, 4:37:44 PM
to Eran Messeri, Security-dev
In most cases, a server does not expose its version (I assume you are discussing the HTTP headers here, I do not know whether the TLS handshake or similar provides any version information). How many cases did you encounter where a server did expose its version?


PhistucK

--
You received this message because you are subscribed to the Google Groups "Security-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-dev+unsubscribe@chromium.org.

Craig Francis

Jan 26, 2018, 9:46:12 AM
to PhistucK, Eran Messeri, Security-dev
Even if the server did report its version number, most Linux distros (e.g. RedHat) will keep the version number the same after patching.
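As an added example (not code from any post in this thread), the following Python parses the HTTP Server header into RFC 7231 product tokens and classifies what a client could conclude from it. It illustrates the two points made above: most responses carry no version at all, and a distribution build's version string (detected here by a constructed, heuristic list of vendor names in the header comment) says nothing about its patch level. All sample headers are constructed.

```python
"""Classify what an HTTP client can learn about server patch state from the
Server header. Added example; the vendor list and sample headers are constructed."""
import re
from collections import Counter

# RFC 7231 product token: tchar+ ["/" tchar+], optionally followed by "(comment)".
_PRODUCT = re.compile(r"([!#$%&'*+\-.^_`|~0-9A-Za-z]+)(?:/([!#$%&'*+\-.^_`|~0-9A-Za-z]+))?")
_COMMENT = re.compile(r"\(([^()]*)\)")
# Heuristic (assumption): distribution builds backport fixes without bumping versions.
_DISTRO_HINTS = re.compile(r"red hat|debian|ubuntu|centos|fedora", re.IGNORECASE)


def parse_server_header(value):
    """Return (products, comments); products is a list of (name, version_or_None)."""
    comments = _COMMENT.findall(value)
    stripped = _COMMENT.sub(" ", value)
    products = [(m.group(1), m.group(2)) for m in _PRODUCT.finditer(stripped)]
    return products, comments


def assess(headers):
    """Return 'no-header', 'no-version', 'vendor-patched' or 'version-only'.

    Only 'version-only' would even allow a version comparison, and even then the
    client cannot tell whether the build carries backported fixes."""
    lowered = {k.lower(): v for k, v in headers.items()}
    server = lowered.get("server")
    if not server:
        return "no-header"
    products, comments = parse_server_header(server)
    if all(version is None for _, version in products):
        return "no-version"
    if any(_DISTRO_HINTS.search(c) for c in comments):
        return "vendor-patched"
    return "version-only"


def summarize(responses):
    """Count assessment outcomes over a list of header dicts."""
    return Counter(assess(h) for h in responses)


if __name__ == "__main__":
    # Constructed sample responses, not observed from any real site.
    samples = [
        {"Server": "nginx"},
        {"Server": "cloudflare"},
        {},
        {"Server": "Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips"},
        {"Server": "Microsoft-IIS/10.0"},
    ]
    print(dict(summarize(samples)))
```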
