I've noticed that the software version is shown in the NodeInfo endpoint: <li><a ...

npub1uq5…z8a5

2024-06-17 13:21:58

I've noticed that the software version is shown in the NodeInfo endpoint:

<li><a href="https://mastodon.online/nodeinfo/2.0">https://mastodon.online/nodeinfo/2.0</a></li>;
<li><a href="https://pixelfed.social/api/nodeinfo/2.0.json">https://pixelfed.social/api/nodeinfo/2.0.json</a></li>;

I've always believed that displaying the software version allowed malicious users to determine which vulnerabilities affect your software.

For example, NodeBB sends x-powered-by header, but only ever sets the value to NodeBB, this has been the case for many years.

The other line of thinking is that relying on security by obscurity is fallacious, but since it's only one *facet* of a broader security posture (the rest of it being keeping up with updates, writing as secure code as you can, reporting/bounty systems, audits, etc.), I honestly don't see a problem with transmitting as little information as I can.

The downside of hiding that information is that sites that gather statistics on fediverse software use wouldn't be able to discern software versions for NodeBB in their charts, but I don't think that's necessarily a problem.

Author Public Key

npub1uq5lznmk9ax9r07mhs0lrv4qaafyguepj2spfjlw54acwkxrds3sppz8a5

Show more details

Published at

2024-06-17 13:21:58

Kind type

1 Short Text Note

Event JSON

{ "id": "2d643fc3fd9ff3b8365b3a25617cd3c14fd5c87da042f2164c0fb6bb4456ba74", "pubkey": "e029f14f762f4c51bfdbbc1ff1b2a0ef5244732192a014cbeea57b8758c36c23", "created_at": 1718630518, "kind": 1, "tags": [ [ "t", "nodeinfo" ], [ "proxy", "https://community.nodebb.org/post/100035", "web" ], [ "t", "security" ], [ "proxy", "https://community.nodebb.org/post/100035", "activitypub" ], [ "L", "pink.momostr" ], [ "l", "pink.momostr.activitypub:https://community.nodebb.org/post/100035", "pink.momostr" ] ], "content": "I've noticed that the software version is shown in the NodeInfo endpoint:\n\n\n\n\u003cli\u003e\u003ca href=\"https://mastodon.online/nodeinfo/2.0\"\u003ehttps://mastodon.online/nodeinfo/2.0\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://pixelfed.social/api/nodeinfo/2.0.json\"\u003ehttps://pixelfed.social/api/nodeinfo/2.0.json\u003c/a\u003e\u003c/li\u003e\n\nI've always believed that displaying the software version allowed malicious users to determine which vulnerabilities affect your software.\n\n\nFor example, NodeBB sends x-powered-by header, but only ever sets the value to NodeBB, this has been the case for many years.\n\n\nThe other line of thinking is that relying on security by obscurity is fallacious, but since it's only one *facet* of a broader security posture (the rest of it being keeping up with updates, writing as secure code as you can, reporting/bounty systems, audits, etc.), I honestly don't see a problem with transmitting as little information as I can.\n\n\nThe downside of hiding that information is that sites that gather statistics on fediverse software use wouldn't be able to discern software versions for NodeBB in their charts, but I don't think that's necessarily a problem.\n\n\n", "sig": "20e335670231e68b5173cfeac21573d51b589fd13c49003b292368f103e7bede2ce67dae19f0f00282203fe2da182378959b45b9aa3e943053842bab4103e0a6" }