--
You received this message because you are subscribed to the Google Groups "Lucee" group.
To unsubscribe from this group and stop receiving emails from it, send an email to lucee+un...@googlegroups.com.
To post to this group, send email to lu...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/lucee/4bf5ec9c-ba28-4931-a327-e6ca395c2efb%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Hi
I think these are two separate things. I think we have a responsibility to promote secure-by-default.
Many people do not spend the time to review admin settings, and we all know best practice is security by obscurity. I'm working this week and next to launch a feature of the Lucee site to make it easier for people to submit their success stories to LAS.
I think we should, through documentation, make our community aware of ways to get the Lucee message out there and, more importantly, let LAS know of their success too, which is part of the problem.
But a credible platform is an opinionated one. I think we need fewer config options and more baked-in best practice.
Cheers
Alex
Sent from my phone
But a credible platform is an opinionated one. I think we need fewer config options and more baked-in best practice.
My servers disclose nginx as the web server. Does that make them less secure? I don't think so.
Any information disclosure, no matter how small, will assist attackers.
My argument is that if best practice is to hide identifying platform information, and it is considered a normal part of server hardening, then for me that should be the default, as it far outweighs any anecdotal benefit of some website being able to list which website is built with what.
Plus, automated scripts which search for known vulnerable systems tend to rely on headers and known responses to work out platforms; they then proceed using Metasploit or other platforms to run known vulnerabilities.
Disclosure in itself makes you no less secure, but there is some benefit to security by obscurity.
I have raised a feature request a few times about not setting CFID and CFTOKEN unless a session is actually created; this would also help in not leaving an obvious fingerprint.
If, as we do in some cases, you strip cookies and offending headers, use rewrite rules and generally catch errors, you make it quite difficult for someone to identify the tech, which is helpful.
A
Sent from my phone
My argument is that if best practice is to hide identifying platform information, and it is considered a normal part of server hardening, then for me that should be the default, as it far outweighs any anecdotal benefit of some website being able to list which website is built with what.
[...]
Disclosure in itself makes you no less secure, but there is some benefit to security by obscurity.
I'm not sure how best to phrase this properly, but the gist of it is that a determined, very skilled hacker will likely manage to penetrate any server.
So while this statement seems factually true, in practice I don't think a disclosure identifying Lucee would matter in nearly all cases ... as a common-sense perspective on the issue.
Probably the easiest one would be to make a request to /lucee/form.cfm; if it contains "LuceeForms", you are running Lucee.
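The three tell-tales raised in this thread (the proposed Powered-By header, CFID/CFTOKEN cookies issued by a page that never starts a session, and the /lucee/form.cfm probe) make a useful self-check after hardening: capture a couple of responses from your own site and see which indicators are still visible. The script below is an added example, not code from this thread or from the Lucee project. The header name X-Powered-By is an assumption (the thread only says "a Powered-By header"), and every sample response, including the "default install" values, is constructed for illustration rather than recorded from a real server.

```python
"""Passive fingerprint check for the Lucee indicators discussed in this thread.

Added example, not Lucee project code. Sample captures are constructed;
the X-Powered-By header name is an assumption.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Response:
    """Minimal captured HTTP response: request path, status, header list, body.
    Headers are a list, not a dict, because Set-Cookie may legitimately repeat."""
    path: str
    status: int
    headers: List[Tuple[str, str]] = field(default_factory=list)
    body: str = ""

    def header_values(self, name: str) -> List[str]:
        """All values of a header, matched case-insensitively (RFC 7230)."""
        return [v for k, v in self.headers if k.lower() == name.lower()]


# Cookie names the thread says leak the platform when set without a real session.
SESSION_COOKIE_NAMES = {"cfid", "cftoken"}

# Probe path and body marker quoted in the thread as the "easiest" check.
FORM_PROBE_PATH = "/lucee/form.cfm"
FORM_PROBE_MARKER = "LuceeForms"


def cookie_name(set_cookie_value: str) -> str:
    """Name part of a Set-Cookie value: 'CFID=123; Path=/' -> 'cfid'."""
    return set_cookie_value.split("=", 1)[0].strip().lower()


def fingerprint(responses: List[Response]) -> List[str]:
    """Return one finding per indicator observed across the captured responses."""
    findings: List[str] = []
    for r in responses:
        # 1. Explicit platform banner (header name assumed, see module docstring).
        for value in r.header_values("X-Powered-By"):
            if "lucee" in value.lower():
                findings.append(f"{r.path}: X-Powered-By header discloses {value!r}")
        # 2. CFID/CFTOKEN issued by a page that should not need a session.
        leaked = sorted({cookie_name(v) for v in r.header_values("Set-Cookie")}
                        & SESSION_COOKIE_NAMES)
        if leaked:
            findings.append(f"{r.path}: session cookies set without a session: {leaked}")
        # 3. The probe URL answers 200 with the known marker instead of a generic 404.
        if (r.path.lower() == FORM_PROBE_PATH and r.status == 200
                and FORM_PROBE_MARKER in r.body):
            findings.append(f"{r.path}: body contains {FORM_PROBE_MARKER!r}")
    return findings


# Constructed capture of an unhardened site (hypothetical values, not real output).
DEFAULT_CAPTURE = [
    Response("/", 200,
             [("Content-Type", "text/html"),
              ("X-Powered-By", "Lucee"),
              ("Set-Cookie", "CFID=1234; Path=/; HttpOnly"),
              ("Set-Cookie", "CFTOKEN=abcdef; Path=/; HttpOnly")],
             "<html>home</html>"),
    Response(FORM_PROBE_PATH, 200, [("Content-Type", "text/javascript")],
             "var LuceeForms = {};"),  # constructed body containing the marker
]

# The same site after the steps Alex lists: header stripped, no session cookie
# on a static page, probe path rewritten to a generic 404.
HARDENED_CAPTURE = [
    Response("/", 200, [("Content-Type", "text/html")], "<html>home</html>"),
    Response(FORM_PROBE_PATH, 404, [("Content-Type", "text/html")], "Not Found"),
]


if __name__ == "__main__":
    for label, capture in (("default", DEFAULT_CAPTURE), ("hardened", HARDENED_CAPTURE)):
        hits = fingerprint(capture)
        print(f"{label}: {len(hits)} indicator(s)")
        for hit in hits:
            print("  -", hit)
```

Feed it real captures (for example the header list and body from a curl -i run against your own host) in place of the constructed ones; an empty findings list for the hardened capture is the condition you are aiming for, and each remaining finding names the response and indicator still to strip.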
Given the fact that it's so simple to identify Lucee, I will reiterate my opinion that a Powered-By header, with an option to disable it, does not make Lucee less secure in any way.
I know that PHP does this. I guess there is no real purpose, other than marketing and making it easier for script kiddies to find suitable victims. For PHP, it's better to disable the flag entirely, since it shows the PHP version and therefore makes the server more vulnerable to attacks.