[Bug 764] fully remove product and version information

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sat Jul 11 04:10:41 AEST 2015


ilf <ilf at zeromail.org> changed:

           What    |Removed                     |Added
            Version|3.7.1p1                     |-current
                 CC|                            |ilf at zeromail.org

--- Comment #20 from ilf <ilf at zeromail.org> ---
I'd like to reopen this. More than ten years after the initial debate,
the world is a different one. After Snowden, we know that nation-state
actors at the same time kill people based on metadata and target Angry
Birds. So we should do all we can to minimize revealing metadata by
default, or at least have the option to do so.

Over in Debian, there's a similar Bug [0], which states that this
version string "is used as a selector in NSA's XKEYSCORE queries in
conjunction with the metadata database of potentially exploitable
services (BLEAKINQUIRY) by the NSA group 'S31176' for targeted exploit
and compromise [1][2]".

I respect the argument that it might be "necessary to use the version
for protocol compatibility tweaks". So keep it in, and leave it enabled
by default.

But I see no reason why an operator of an SSHd should not be able to
disable it, if (s)he is confident that his/her own clients can or must
handle it.

(After all, there are many config options which can lock out lots of
clients - see Ciphers/MACs and mobile clients.)

So please reconsider an optional setting to disable (or edit) the
remote software version string.

0. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786987#50
2. http://www.spiegel.de/media/media-35515.pdf
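As an added example that is not part of ilf's comment or of OpenSSH's code: the string the bug is about is the SSH identification string, which RFC 4253 section 4.2 specifies as "SSH-protoversion-softwareversion SP comments CR LF", at most 255 bytes including CR LF, optionally preceded by banner lines a client must ignore. The parser below pulls the three fields apart so an operator can see exactly what product, version and packaging detail a given banner exposes. The sample strings are constructed for this example, and the `reveals_product_version` heuristic (software field carries a digit, or a comments field is present) is my own rule of thumb, not anything the bug report or OpenSSH defines.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF".
# protoversion and softwareversion are printable US-ASCII without whitespace
# or '-', the comments field is optional, and the whole line including the
# trailing CR LF must not exceed 255 bytes.
_IDENT_RE = re.compile(
    r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)
MAX_IDENT_LINE = 255


@dataclass
class Identification:
    proto: str                  # e.g. "2.0" or "1.99"
    software: str               # the softwareversion field the bug is about
    comments: Optional[str]     # optional packaging/distribution detail
    pre_banner: List[str] = field(default_factory=list)  # lines before "SSH-"


def parse_identification(raw: bytes) -> Identification:
    """Parse what a server sends before key exchange.

    Lines that do not start with 'SSH-' are banner text the client must
    ignore; the first line that does start with 'SSH-' is the identification
    string. RFC 4253 mandates CR LF line endings, but implementations tolerate
    a bare LF, so we split on LF and strip an optional CR.
    """
    pre_banner: List[str] = []
    for line in raw.split(b"\n"):
        if not line:  # empty chunk after the final LF
            continue
        text = line.rstrip(b"\r")
        if not text.startswith(b"SSH-"):
            pre_banner.append(text.decode("ascii", errors="replace"))
            continue
        # +2 accounts for the CR LF that the 255-byte limit includes.
        if len(text) + 2 > MAX_IDENT_LINE:
            raise ValueError("identification line exceeds 255 bytes")
        m = _IDENT_RE.match(text.decode("ascii"))
        if m is None:
            raise ValueError("malformed identification string")
        return Identification(m["proto"], m["software"], m["comments"], pre_banner)
    raise ValueError("no identification string found")


def is_valid_identification(raw: bytes) -> bool:
    """True if the data contains a well-formed identification string."""
    try:
        parse_identification(raw)
    except ValueError:
        return False
    return True


def reveals_product_version(ident: Identification) -> bool:
    """Heuristic (my own, not from the bug report): the softwareversion field
    discloses a version if it contains a digit, and any comments field adds
    packaging or distribution detail."""
    return any(ch.isdigit() for ch in ident.software) or ident.comments is not None


# Constructed samples: a full banner as a distribution-packaged OpenSSH of
# the version named in the bug might send it, and a minimal one with the
# product and version information removed, as the bug requests.
SAMPLE_FULL = b"SSH-2.0-OpenSSH_3.7.1p1 Debian-1\r\n"
SAMPLE_MINIMAL = b"Welcome to the constructed sample host\r\nSSH-2.0-x\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_FULL, SAMPLE_MINIMAL):
        ident = parse_identification(sample)
        print(f"proto={ident.proto!r} software={ident.software!r} "
              f"comments={ident.comments!r} pre_banner={ident.pre_banner!r} "
              f"reveals_product_version={reveals_product_version(ident)}")
```

Run it against the first line or two your own server returns on port 22 to see which of the three fields carry the information this bug asks to make optional; the pre-banner lines are separate from the identification string and are not what the bug is about.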

More information about the openssh-bugs mailing list