[OpenWrt-Devel] OpenWRT www version banner a security risk

Joshua Judson Rosen jrosen at harvestai.com
Mon Sep 14 10:52:01 EDT 2015

On 2015-09-13 15:30, Daniel Dickinson wrote:
> Oh and 1 has the benefit of actually securing the device against wan access
> to LuCI even in the case of firewall not blocking such access, whereas the
> robots.txt and hiding banner are classic 'security through obscurity' which
> is the > security pundit's favourite target for good reason.

On 2015-09-13 15:42, Daniel Dickinson wrote:
> I just remembered that robots.txt is just a text file to stick in /www, so it is
> certainly is not high cost, although now that I remember that is also less
> useful than I was thinking because it really only prevents indexing by
> cooperative robots that obey robots.txt

Indeed: robots.txt is exactly the opposite of `security through _obscurity_':
it's a listing that explicitly tells clients what they're not supposed to look at.

Trying to use robots.txt as a security measure is actually worse than nothing:
you protect yourself from your friends at the expense marking yourself
for the bad guys :)

"Don't be afraid to ask (λf.((λx.xx) (λr.f(rr))))."
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org

More information about the openwrt-devel mailing list