[Nut-upsuser] ISE review of I-D: deprecate command VER?

Manuel Wolfshant wolfy at nobugconsulting.ro
Sun Mar 20 19:10:00 GMT 2022

On March 20, 2022 5:02:36 PM GMT+02:00, Roger Price <roger at rogerprice.org> wrote:
>I received the following comment from the Independent Submissions Editor (ISE):
>  The command VER is hazardous because it encourages exploiting of
>  implementation peculiarities that are not well documented in a
>  protocol.  The best example of such a failure is the browser version
>  field in HTTP.  A complete disaster.  You should warn against use of
>  this command, or even better, deprecate it.
>I was not aware of the disaster in the browser version field, but I will warn 
>against use of VER, and deprecate it, if you agree.

I do not know of anyone calling the situation of browsers  "a disaster". It's true, the version field can be and is used - together with other data that the browser sends (!!!) - to create an almost unique signature of the user. But OTOH it is used to adapt the looks of the site to the capabilities of the browser because , well, no two browsers behave 100% the same and site developers try to make sites that look as bright and shiny as possible in the eyes of the users . For a start, that's how the desktop and mobile versions of dynamic/responsive sites differentiate the clients and adapt themselves to present the best look and feel to clients.

Leaving that aside, I see no issues in warning users about the potential nefarious uses of any command. In this particular case I'd also add a reference to restricting the communication between nut servers and clients to the smallest possible subset of devices (by using dedicated VLANs, firewalls etc) and ask them to reread the security section.


More information about the Nut-upsuser mailing list