In the course of our work with websites, and higher education websites in particular, we have discovered that there is relatively little interest in housekeeping and general maintenance. As a result, we find plenty of examples of poor practices. One poor practice we run across repeatedly is disclosing too much web server installation information and likely revealing that the server is running on a dated software release.
Limiting the information disclosed by a server doesn't reduce any vulnerabilities, but it does make the task of attacking the server slightly more difficult and may encourage a potential attacker to move on to an easier target elsewhere. What does reduce vulnerability is prompt installation of updates and patches.
To better understand the current state of higher education web servers we took a look at the servers being used by a group of just over 200 Canadian post-secondary education websites.
Our objectives were threefold:
We used our Site+Info service to read the server details for the home page URL of each site in the survey group. In practice, many sites run on multiple servers, as well as using external servers to deliver media files and other content. We are able to identify all of these, but we focused our study on a site's primary server. And to be clear, we only examined ‘outward facing data’: data visible to any browser sending an enquiry to the relevant page. We did not attempt to test, probe or evoke non-standard responses from these servers. A typical web server response looks like this [not from a server in our test group]:
You will note that on line three the server discloses which variant of Apache is installed, the current release level and the implementation of SSL being used to provide HTTPS connections.
Our first observation is that higher education websites mimic the software implementation practices of the wider Internet. Our results show that the servers are clustered into three main groups: versions of Apache, different releases of Microsoft IIS and versions of nginx. We placed the balance of the sites into a fourth group: sites that take great care to mask their server identity, or sites that have made an idiosyncratic web server choice.
Furthermore, a high proportion of the servers we surveyed provide verbose HTTP header responses. In other words, an enquiry yields a response as shown above rather than a terse "Apache", "Microsoft IIS" or "nginx".
Of slightly more concern, the web servers that provide prima facie details of their installed release suggest that a high proportion of Apache servers need to be brought up to a more current software release. There are many reasons why servers are on their current release levels, but as the caption to Graph 3 indicates, some reported releases are years behind the current stable Apache release.
Graph 1: Proportion of Web Servers by Type for Canadian Post-Secondary Education Institutions
We surveyed the servers hosting the main websites for 206 Canadian post-secondary education institutions. Not surprisingly, the majority of the sites use a version of Apache for website hosting. About one quarter use Microsoft's IIS platform and the balance a mix of nginx or other open-source platforms. A very small number of sites have taken considerable care to mask their server identity: a prudent precaution.
Graph 2: Ratio of Servers Disclosing Too Much Information to Those Disclosing the Minimum.
We also examined the details each Apache server disclosed in a standard HTTP header. We defined TERSE servers as those returning only "Apache" in the header. VERBOSE servers were defined as those supplying more information, for example: "Apache/2.4.6 (Red Hat) OpenSSL/1.0.1e-fips mod_fcgid/2.3.9 PHP/5.4.16". On balance, it is better not to disclose operating system and current release level data.
Graph 3: Ratio of Apache Servers on 2.2 Version versus 2.4 Version.
We checked the versions of Apache reported for the servers in the 'verbose' sub-group. Just over 70% of the servers run on Apache 2.2, with installed releases from 2.2.11 to 2.2.31 being reported. We note that the 2.2.11 release went live on 2008-12-14, while the current stable release 2.2.31 became available on 2015-07-17. The balance of the Apache servers run on Apache 2.4, with release levels 2.4.6 to 2.4.16 being reported as installed. Release 2.4.6 was made available on 2013-07-09 with the current stable release 2.4.18 becoming effective 2015-12-15.
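As an added illustration of the classification used for Graphs 1 to 3 (this is example code written for this page, not the Site+Info service or any code from the survey), the script below sorts Server header values into the four server groups, applies the TERSE/VERBOSE definition to Apache servers and extracts the Apache 2.2/2.4 branch from verbose headers. The header values it runs on are constructed samples, not the survey's data; in practice the value comes from the Server line of a response to an ordinary request to the home page.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample Server header values, modelled on the TERSE/VERBOSE
# definitions in the text. They are not the survey's actual data.
SAMPLE_SERVER_HEADERS: List[str] = [
    "Apache",
    "Apache/2.4.6 (Red Hat) OpenSSL/1.0.1e-fips mod_fcgid/2.3.9 PHP/5.4.16",
    "Apache/2.2.15 (CentOS)",
    "Apache/2.2.31",
    "Microsoft-IIS/8.5",
    "nginx/1.8.0",
    "nginx",
    "",  # header missing or blanked: counted as masked
]

APACHE_VERSION_RE = re.compile(r"^Apache/(\d+)\.(\d+)\.(\d+)")


def server_family(value: str) -> str:
    """Map a Server header value to one of the survey's four groups."""
    v = value.strip()
    if v.startswith("Apache"):
        return "Apache"
    if v.startswith("Microsoft-IIS"):
        return "IIS"
    if v.startswith("nginx"):
        return "nginx"
    return "other/masked"


def classify_apache(value: str) -> Optional[str]:
    """TERSE = exactly 'Apache'; VERBOSE = anything more (version, OS,
    module list). Returns None for servers that are not Apache."""
    v = value.strip()
    if server_family(v) != "Apache":
        return None
    return "TERSE" if v == "Apache" else "VERBOSE"


def apache_branch(value: str) -> Optional[str]:
    """Return the disclosed Apache branch ('2.2', '2.4'), or None when no
    version is disclosed or the server is not Apache."""
    m = APACHE_VERSION_RE.match(value.strip())
    return f"{m.group(1)}.{m.group(2)}" if m else None


def summarize(values: List[str]) -> Dict[str, Counter]:
    """Aggregate header values into the counts behind Graphs 1, 2 and 3."""
    families = Counter(server_family(v) for v in values)
    verbosity = Counter(c for c in map(classify_apache, values) if c)
    branches = Counter(b for b in map(apache_branch, values) if b)
    return {"family": families, "apache_verbosity": verbosity, "apache_branch": branches}


if __name__ == "__main__":
    for name, counts in summarize(SAMPLE_SERVER_HEADERS).items():
        print(name, dict(counts))
```

Running the same classification against your own institution's servers is a quick way to see whether they fall in the VERBOSE group and, if so, which branch they advertise.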