Can I stop the Etag header from leaking inode numbers?
Yes. You can use Etag hashing. This concatenates the Etag that would normally be generated with a secret key, hashes the result with SHA1, and uses the hash as the Etag. OpenBSD made a similar change to httpd in version 3.2. They store the secret key in the file logs/etag-state, but Antiweb stores it in the worker conf file, which should of course be kept outside of the HTML root.

Good secret keys include Antiweb session IDs:

    $ antiweb -repl
    * (aw-n-bit-session-id 128)
    "8odxf2wrq7tbehjkwvp0h7vqu"

aw-n-bit-session-id uses /dev/arandom or /dev/urandom to seed the ISAAC random number generator and returns a random n-bit value in base 36. 128 bits is fine.

Now add the following to a handler in your worker conf file:

    :etags :etag-hash "8odxf2wrq7tbehjkwvp0h7vqu"

Hoytech does not use Etag hashing on our servers, so you can snoop on our inodes if you want. The only plausible attack seems to involve NFS (Network File System). If you use NFS on your webserver, enable Etag hashing. To avoid the
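The construction described above, as an added Python example rather than Antiweb's own (Common Lisp) code: it builds an Apache-style inode-size-mtime Etag, applies the SHA1 hashing the answer describes, and shows why the secret key is the part that matters. Size and mtime are already public through Content-Length and Last-Modified, so SHA1 over the Etag alone can be reversed by enumerating inode numbers; with the secret key concatenated in, the same search fails. The key, the Etag layout and the file metadata are constructed for illustration, and new_secret uses Python's CSPRNG in place of ISAAC.

```python
import hashlib
import secrets

# Stand-in for the :etag-hash value in the worker conf. This is a
# constructed example key, not a key used anywhere real.
SECRET_KEY = "8odxf2wrq7tbehjkwvp0h7vqu"

BASE36 = "0123456789abcdefghijklmnopqrstuvwxyz"


def plain_etag(inode, size, mtime):
    """Apache-style unhashed Etag: inode, size and mtime in hex.

    Size and mtime are already public (Content-Length, Last-Modified);
    the inode is the only field that leaks anything.
    """
    return "%x-%x-%x" % (inode, size, mtime)


def hashed_etag(etag, secret):
    """Etag hashing as the FAQ describes: SHA1 over the normal Etag
    concatenated with the secret key, used in place of the Etag."""
    return hashlib.sha1((etag + secret).encode("ascii")).hexdigest()


def recover_inode(target, size, mtime, guessed_secret="", max_inode=1 << 16):
    """Attacker's view: size and mtime come from the response headers,
    so with no secret (or a wrong guess) only the inode must be searched.
    Returns the inode on success, None if no candidate matches."""
    for inode in range(1, max_inode):
        if hashed_etag(plain_etag(inode, size, mtime), guessed_secret) == target:
            return inode
    return None


def new_secret(bits=128):
    """Random n-bit value rendered in base 36, the same shape as
    aw-n-bit-session-id output (Python's CSPRNG stands in for ISAAC)."""
    n = secrets.randbits(bits)
    digits = []
    while n:
        n, r = divmod(n, 36)
        digits.append(BASE36[r])
    return "".join(reversed(digits)) or "0"


if __name__ == "__main__":
    inode, size, mtime = 1234, 4096, 1700000000   # constructed file metadata
    etag = plain_etag(inode, size, mtime)
    print("unhashed Etag (inode visible):", etag)
    unkeyed = hashed_etag(etag, "")
    print("SHA1 alone, inode recovered by search:",
          recover_inode(unkeyed, size, mtime))
    keyed = hashed_etag(etag, SECRET_KEY)
    print("SHA1 with secret key, search fails:",
          recover_inode(keyed, size, mtime))
    print("fresh 128-bit key for the worker conf:", new_secret())
```

The brute-force loop is why hashing without a key buys nothing: the inode space is small and the other Etag fields are visible in the same response. Treat the :etag-hash value like any other server secret, since anyone who reads it can run the same search.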