Re: [squid-users] Via directive

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 25 Feb 2010 02:21:36 +1300

Developer wrote:
> On Thu, 25-02-2010 at 01:28 +1300, Amos Jeffries wrote:
>> Developer wrote:
>>> Hello,
>>> The Via directive does not work in my version of squid:
>>> - parseOneConfigFile: squid.conf:110 unrecognized: 'via'
>>> I suppose that it is not compiled with --enable-http-violations.
>>>
>>> I tried to remove the squid signature with httpd_suppress_version_string
>>> (I suppose that is for errors)
>> For anywhere where specific version string is highly useful but not
>> required.
>>
>>> But I can see it in the Via header. I want to remove the squid signature.
>>>
>>> Is there another solution than recompiling with --enable-http-violations?
>>>
>> No. RFC 2616 defines how Via: headers are treated.
>>
>> Altering that is a violation and Squid needs to be built with HTTP
>> violations enabled to break the Internet standards.
>>
>> httpd_suppress_version_string should have been reducing
>> "(Squid/<version>)" down to just "(Squid)"
>>
>>
>> Why your obsession with the removal?
> Less information, a bit more secure (exploits).

It is fairly easy to detect which proxy is being used by sending a
handful of SYN packets to its listening port and seeing how long each
takes to be accepted.

What you are doing is called "security by obscurity" and provides
negative amounts of security. You + users _feel_ safer and relax your
guard even though the security level has not actually changed.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE24
   Current Beta Squid 3.1.0.16
Received on Wed Feb 24 2010 - 13:21:43 MST
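
An added example (not from the thread or from the Squid project): a Python check that parses Via field values using the RFC 2616 element layout and reports whether a hop's comment still carries a product version, the difference between "(Squid/<version>)" and "(Squid)" discussed above. The hostnames and header values are constructed samples.

```python
import re

# One Via element per RFC 2616 section 14.45:
#   [protocol-name "/"] protocol-version  received-by  [ "(" comment ")" ]
ELEMENT = re.compile(r'^(?P<proto>\S+)\s+(?P<by>[^\s(]+)\s*(?:\((?P<comment>.*)\))?$')
# A product token, "/", then a version starting with a digit (squid/3.0.STABLE24).
VERSIONED = re.compile(r'(?P<product>[A-Za-z][\w.-]*)/(?P<version>\d[\w.+-]*)')


def split_elements(value):
    """Split a Via field value on commas that sit outside ( ) comments."""
    parts, depth, cur = [], 0, []
    for ch in value:
        if ch == '(':
            depth += 1
        elif ch == ')' and depth:
            depth -= 1
        if ch == ',' and depth == 0:
            parts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append(''.join(cur).strip())
    return [p for p in parts if p]


def audit_via(value):
    """Return one dict per hop: received-by, comment, disclosed version (or None)."""
    hops = []
    for element in split_elements(value):
        m = ELEMENT.match(element)
        if not m:  # malformed element: keep it visible instead of dropping it
            hops.append({'raw': element, 'by': None, 'comment': None, 'version': None})
            continue
        comment = m.group('comment')
        found = VERSIONED.search(comment) if comment else None
        hops.append({'raw': element, 'by': m.group('by'), 'comment': comment,
                     'version': found.group('version') if found else None})
    return hops


# Constructed sample values (placeholder hostnames, not taken from the thread).
SAMPLES = [
    '1.0 proxy1.example.net:3128 (squid/3.0.STABLE24)',  # version string present
    '1.0 proxy1.example.net:3128 (squid)',               # version string suppressed
    '1.1 edge.example.net (cache, tier 2), 1.0 proxy1.example.net:3128 (squid/2.7.STABLE7)',
]
```

Even with the version suppressed, the comment and received-by fields still name the product and the host, so the check reports those alongside the version field.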
