Do not display version number until *after* successful login

Submitted by - 2 weeks ago
Status: New Idea

I'd like to suggest that the unifi controller (and really any other ubnt software such as the unifi video netvr) not display the software version number until after a user has successfully logged in. The idea is that it is better not to disclose the version number to anyone who stumbles upon the login page, as that information could be used to determine if a server is running the latest version, which could then be used to determine what type of exploits might be successful against said server.

Comments
by
2 weeks ago

Security by obscurity.

99.999% of all hacking is done with automated processes. No human is reading that login page. If a human actually is reading that login page and wanting to break in, the version number is the least of your worries. Automated bots do not care what version you are running, they will try every exploit for all versions because that is way easier than being selective. Fingerprinting the server hosting that web page is what will generally be exploited and the controller version is moot at that point.

Now, with that said, I agree with you. The version/server used/etc should not be displayed like that.

-Black Viper

by
a week ago

@BlackViperCom You're not wrong. In retrospect I may have been playing up the security angle as somewhat of a justification for a feature request I figure wouldn't get much attention on its own. Thanks for keeping me honest and for agreeing with me in the end.

by
a week ago

Displaying the version number could end up in search engines, making it easier to find vulnerable servers (automatically or manually) without having to scan the whole Internet.