Make WordPress Core

Changes between Version 2 and Version 3 of Ticket #23394, comment 14


Timestamp:
04/11/2016 04:24:07 PM (9 years ago)
Author:
RedSand
  • Ticket #23394, comment 14

    v2 v3

    165 165 (unchanged):
    > Hiding versions does not in any way, shape or form help make any site newer than 3.7 more secure than they already were.

    167 (v2, removed):
    '''I'm sorry, but you are flat out incorrect when you say this.''' Statements like that demonstrate a complete lack of understanding of security principles. '''Just because ''__you__ don't understand the full security implications,'' __does not mean it is not a security issue.__''' When you hear me say that ''something is a security risk'', I think you think I'm saying that revealing the version number is like giving someone a password to your site or key to your house. That's not what I mean at all. '''Revealing version number does not directly enable the act of penetrating a site.''' That's where you guys seem to be assuming that if something doesn't directly enable access to a site, that means everything is secure. Nothing could be farther from the truth. That's like saying, "Hey, if someone doesn't have the key to my house, then it's secure." Sure, '''if the only way in is a door, or they're polite enough to not kick your door in.''' But there are a million ways into a house (just like a website), thieves/hackers and their ilk are anything but polite. '''Security is complex scale of skill/motivation/resources vs difficulty.''' That's where you have to understand that some seemingly peripheral things like this are security risks. '''Security encompasses a lot more than just the single act of penetrating a site.'''

    167 (v3, added):
    '''I'm sorry, but you are flat out incorrect when you say this.''' Statements like that demonstrate a complete lack of understanding of security principles. '''Just because ''__you__ don't understand the full security implications,'' __does not mean it is not a security issue.__''' When you hear me say that ''something is a security risk'', I think you think I'm saying that revealing the version number is like giving someone a password to your site or key to your house. That's not what I mean at all. '''Revealing version number does not directly enable the act of penetrating a site.''' That's where you guys seem to be assuming that if something doesn't directly enable access to a site, that means everything is secure. Nothing could be farther from the truth. That's like saying, "Hey, if a thief doesn't have the key to my house, then it's secure." Sure, '''if the only way in is the door, or if they're "polite" enough to ''NOT kick your door in''.''' But there are a million ways into a house (just like a website), and thieves/hackers and their ilk are ''anything but polite''. '''Security is a complex scale of skill/motivation/resources vs difficulty.''' That's where you have to understand that some seemingly peripheral things like this are security risks. '''Security encompasses a lot more than just the single act of penetrating a site.'''

    169 169 (unchanged):
    '''Before a hacker breaks into a site, they gather data and pick their targets. Revealing site software versions makes it really easy for hackers to target sites with specific version/vulnerability combinations.'''
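For readers who want to see what "hiding versions" concretely means on the defending side, here is an added example (not code from the ticket or from WordPress core) of a must-use plugin that removes the three most common places WordPress prints its own version; the file location and the function name are assumptions, the hooks and functions it calls are standard WordPress API.

```php
<?php
/**
 * Plugin Name: Hide WordPress core version (added example)
 *
 * Assumed location: wp-content/mu-plugins/hide-version.php, so it loads
 * before any theme or plugin can re-add the output below.
 */

// 1. The <meta name="generator" content="WordPress x.y"> tag that
//    wp_generator() prints into <head> on every front-end page.
remove_action( 'wp_head', 'wp_generator' );

// 2. The <generator> element in RSS/Atom feeds and the RSD/comments
//    feeds, all of which pass through the 'the_generator' filter.
add_filter( 'the_generator', '__return_empty_string' );

// 3. The ?ver=<core version> query string appended to enqueued scripts
//    and styles that declare no version of their own. Only the core
//    version is stripped, so assets with an explicit version keep their
//    cache-busting parameter.
function hv_strip_core_ver( $src ) {
    $core = get_bloginfo( 'version' );
    if ( false !== strpos( $src, 'ver=' . $core ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src', 'hv_strip_core_ver' );
add_filter( 'script_loader_src', 'hv_strip_core_ver' );

// Not covered by PHP filters: readme.html in the site root also states the
// version, and the set of static files shipped with a release can still be
// fingerprinted; those need web-server rules or simply keeping core updated.
```

This narrows what a passive fingerprint of the site reveals; it fixes no vulnerability, so it complements, rather than replaces, keeping core updated.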