Software version in nodeinfo
-
I've noticed that the software version is shown in the NodeInfo endpoint:
I've always believed that displaying the software version allowed malicious users to determine which vulnerabilities affect your software.
For example, NodeBB sends an x-powered-by header, but only ever sets the value to NodeBB; this has been the case for many years.
The other line of thinking is that relying on security by obscurity is fallacious, but since it's only one facet of a broader security posture (the rest of it being keeping up with updates, writing as secure code as you can, reporting/bounty systems, audits, etc.), I honestly don't see a problem with transmitting as little information as I can.
The downside of hiding that information is that sites that gather statistics on fediverse software use wouldn't be able to discern software versions for NodeBB in their charts, but I don't think that's necessarily a problem.
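As an added example (not NodeBB's own code, and not part of the post above): a small self-check an operator can run over what their server actually sends, and the redaction the post argues for. It keeps software.name so statistics sites can still count instances, and substitutes a placeholder for software.version because the NodeInfo 2.x schema lists that field as required; the headers, NodeInfo document and the placeholder string are constructed sample values.

```javascript
// Matches version-like strings such as "3.4.1" or "1.24".
const VERSION_RE = /\b\d+\.\d+(?:\.\d+)?\b/;

// Report every place a version-like string is disclosed: response headers
// and the "software" object of a NodeInfo document.
function findVersionDisclosures({ headers = {}, nodeinfo = {} }) {
  const found = [];
  for (const [name, value] of Object.entries(headers)) {
    if (VERSION_RE.test(String(value))) found.push(`header ${name.toLowerCase()}`);
  }
  const software = nodeinfo.software || {};
  for (const [key, value] of Object.entries(software)) {
    if (VERSION_RE.test(String(value))) found.push(`nodeinfo software.${key}`);
  }
  return found;
}

// Return a copy of the NodeInfo document with software.version replaced.
// software.name is kept so instances can still be counted by software;
// the NodeInfo 2.x schema marks version as required, so a placeholder
// ("redacted" is this example's own choice) is used instead of deleting it.
function redactNodeInfo(doc, placeholder = 'redacted') {
  const out = JSON.parse(JSON.stringify(doc)); // do not mutate the cached original
  if (out.software && typeof out.software === 'object' && 'version' in out.software) {
    out.software.version = placeholder;
  }
  return out;
}

// Constructed sample data: one header that leaks a version, one that does not,
// and a minimal NodeInfo 2.0 document.
const sampleHeaders = { 'X-Powered-By': 'NodeBB', 'Server': 'nginx/1.24.0' };
const sampleNodeInfo = {
  version: '2.0',
  software: { name: 'nodebb', version: '3.4.1' },
  protocols: ['activitypub'],
  usage: { users: { total: 1 } },
  openRegistrations: false,
};

console.log(findVersionDisclosures({ headers: sampleHeaders, nodeinfo: sampleNodeInfo }));
// → [ 'header server', 'nodeinfo software.version' ]
console.log(findVersionDisclosures({ headers: sampleHeaders, nodeinfo: redactNodeInfo(sampleNodeInfo) }));
// → [ 'header server' ]
```

The remaining "header server" finding shows that the NodeInfo change alone is not enough: the reverse proxy's own header needs the same treatment.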
-
@julian said in Software version in nodeinfo:
The other line of thinking is that relying on security by obscurity is fallacious, but since it's only one facet of a broader security posture (the rest of it being keeping up with updates, writing as secure code as you can, reporting/bounty systems, audits, etc.), I honestly don't see a problem with transmitting as little information as I can.
The only thing in all of this that is relevant to the software operator (i.e. not nodebb developers but those using it as self-hosting) is tracking updates and applying them quickly, so I'm against exposing the version number in a way that would allow bots to easily identify which nodebb installations around the world are still vulnerable.