
curl-users

Re: Too revealing user-agent field?

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Wed, 13 Jun 2007 09:23:21 +0200 (CEST)

On Wed, 13 Jun 2007, Song Ma wrote:

> The FreeBSD patch is reasonable because a cURL connection exposes much of the
> system libraries' information to the remote site. Some of these libraries, like
> OpenSSL, are vital for web application security. If the remote site detects that
> the local machine is not running the latest patch of these libraries, the local
> machine could be the victim of an attack.

Well, it only exposes the libs that curl itself uses, it is not saying that
anything else in the system uses these versions. Even though most often they
do of course.

Still, this is a habit we started 9 years ago and to my knowledge it has not
bitten anyone yet. One of the upsides with this user-agent string is that it
has helped us give support, since the actual curl request reveals this info
(and people seem to never understand that providing a full version string is
vital info to provide in the initial bug report/help request).

Of course it is never too late to change.

> By taking firefox on Linux as the example, its user-agent field exposed to
> remote only contains: "User-Agent: Mozilla/5.0 (X11; U; Linux i686; zh-CN;
> rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4\r\n"

Yeah, but isn't for example Firefox 2.0.0.4 telling exactly what NSS crypto
lib version it uses? Gecko/20070515 tells exactly what rendering engine(?) it
uses and thus we could use that to know what possible exploits it could have.

In fact, just telling that we're using 'curl' will also allow the remote
server to try known curl-defeating methods randomly. Getting the exact version
number for it and its submodules only makes picking the method more accurate
and faster. Hiding them doesn't make them impossible.

But of course, since curl may use quite a few libraries, there are quite a few
combinations to try out if no hints are given to what versions it uses...

There certainly are ups and downs.

Thanks for your feedback and thoughts!

-- 
  Commercial curl and libcurl Technical Support: http://haxx.se/curl.html
Received on 2007-06-13
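As an added illustration of the trade-off discussed in this thread (example code, not from the list or the curl project): a small Python check a defender could run over their own proxy logs, parsing a curl-style User-Agent into its component versions and flagging any that fall below a minimum-version policy. The User-Agent layout (`curl/<ver> (<platform>) <lib>/<ver> ...`), the sample log lines and the minimum versions are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample User-Agent values as they might appear in outbound proxy
# logs; the layout assumed here is "curl/<ver> (<platform>) <lib>/<ver> ...".
SAMPLE_LOG = [
    'curl/7.16.2 (i686-pc-linux-gnu) libcurl/7.16.2 OpenSSL/0.9.8e zlib/1.2.3',
    'curl/7.16.2 (i686-pc-linux-gnu) libcurl/7.16.2 OpenSSL/0.9.7a zlib/1.2.1 libidn/0.6.5',
    'Mozilla/5.0 (X11; U; Linux i686; zh-CN; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4',
]

# Hypothetical local policy: oldest acceptable version per advertised component.
MIN_VERSIONS = {'OpenSSL': '0.9.8e', 'libcurl': '7.16.0'}

_TOKEN = re.compile(r'([A-Za-z][\w-]*)/([\w.]+)')


def parse_curl_agent(ua: str) -> Dict[str, str]:
    """Return {component: version} for a curl-style User-Agent, or {} otherwise."""
    if not ua.startswith('curl/'):
        return {}
    # Drop the parenthesised platform part, then read name/version tokens.
    body = re.sub(r'\([^)]*\)', ' ', ua)
    return {name: ver for name, ver in _TOKEN.findall(body)}


def version_key(ver: str) -> Tuple:
    """Sort key that copes with OpenSSL-style letter suffixes such as 0.9.8e."""
    key = []
    for part in ver.split('.'):
        m = re.match(r'(\d+)([a-z]*)', part)
        key.append((int(m.group(1)), m.group(2)) if m else (0, part))
    return tuple(key)


def outdated_components(ua: str, minimums=MIN_VERSIONS) -> List[Tuple[str, str, str]]:
    """List (component, advertised, required) for versions below the policy."""
    found = parse_curl_agent(ua)
    return [(c, found[c], minimums[c]) for c in minimums
            if c in found and version_key(found[c]) < version_key(minimums[c])]


if __name__ == '__main__':
    for line in SAMPLE_LOG:
        print(line, '->', outdated_components(line) or 'ok / not curl')
```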