This issue has been discussed publicly several times, most notably in #79018: protect Drupal core .txt files where it was decided that there is no security benefit to hiding files such as CHANGELOG.txt.

For a more complete list of reasons please see the administration guide on Hide, obscure, or remove clues that a site runs on Drupal.

Comments

dalin:

Mainly it comes down to this:
There are two types of attacks in the web world:
- automated bots that randomly surf the web looking for known exploits.
- someone who specifically wants to exploit your site.

For the first category they don't care what software your site is running or what version; they just wallop you with everything they've got. If you review your logs you'll see bots attempting exploits for everything from phpBB to Sharepoint to Plone. Removing the files will have no effect.

For the second category they won't even check for the existence of the file. There are automated fingerprinting tools that will tell you with greater certainty what the site is running. For example:
https://addons.mozilla.org/en-US/firefox/addon/10493/
But this class of attacker knows that they are unlikely to find an exploitable vulnerability in the core CMS. Code is more likely to be vulnerable the fewer people that use it (and hence the fewer people that have audited it). This means lesser-used contrib modules, custom modules and custom themes. Specifically, theme code has historically been the most vulnerable. That's where an attacker will try penetration testing, and of course text files mean nothing here.

________________________
Dave Hansen-Lange
Director of Technical Strategy, FourKitchens.com
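The log review described in the comment above, as an added example that is not part of the original thread: a small triage script that buckets 404'd requests per client by the product they are aimed at. The log lines, the client addresses and the path hints in PLATFORM_HINTS are constructed for illustration; a client that probes several unrelated products is spraying, so the presence or absence of CHANGELOG.txt changes nothing about that traffic.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access-log lines (Apache-style); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /phpBB/viewtopic.php HTTP/1.1" 404 169
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /_layouts/15/start.aspx HTTP/1.1" 404 169
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /plone/login_form HTTP/1.1" 404 169
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "GET /wp-login.php HTTP/1.1" 404 169
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /CHANGELOG.txt HTTP/1.1" 404 169
198.51.100.7 - - [10/Oct/2023:14:02:01 +0000] "GET /node/1 HTTP/1.1" 200 5120
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Path fragments characteristic of a product (assumed hints, not a complete signature set).
PLATFORM_HINTS = {
    "phpBB": ("/phpbb/",),
    "SharePoint": ("/_layouts/",),
    "Plone": ("/plone/",),
    "WordPress": ("/wp-login.php", "/wp-admin/"),
    "Drupal": ("/changelog.txt", "/sites/default/"),
}

def classify_path(path):
    """Return the product a request path is characteristic of, or None."""
    lowered = path.lower()
    for platform, hints in PLATFORM_HINTS.items():
        if any(h in lowered for h in hints):
            return platform
    return None

def probes_by_client(log_text):
    """Count, per client IP, how many 404'd requests targeted each product."""
    result = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("status") != "404":
            continue  # only failed lookups count as probes
        platform = classify_path(m.group("path"))
        if platform:
            result[m.group("ip")][platform] += 1
    return dict(result)

def is_untargeted_scanner(platform_counts, min_platforms=3):
    """A client probing several unrelated products is spraying, not fingerprinting."""
    return len(platform_counts) >= min_platforms

if __name__ == "__main__":
    for ip, counts in probes_by_client(SAMPLE_LOG).items():
        kind = "untargeted scanner" if is_untargeted_scanner(counts) else "targeted"
        print(ip, kind, dict(counts))
```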

naught101:

While obscurity is definitely not security, it may have some benefits. The mantra that it's a bad idea altogether is fairly dogmatically repeated in most security circles, but there are definitely some good arguments for using obscurity ON TOP OF real security. See especially:
https://secure.wikimedia.org/wikipedia/en/wiki/Security_through_obscurit...
http://www.infoworld.com/d/security-central/security-obscurity-it-works-432

dalin:

This argument would be valid if it were possible to obscure the fact that your site is built with Drupal. But it's really not possible to do at all. Certainly not by deleting a few text files.
See
https://www.drupal.org/node/766404

________________________
Dave Hansen-Lange
Director of Technical Strategy, FourKitchens.com

mgifford:

Thanks Dave. Appreciate that feedback.

Wanted to just say that the automated Mozilla addon was "disabled by an administrator."

There are a few others though like http://builtwith.com
https://addons.mozilla.org/en-US/firefox/addon/builtwith/

And the W3Techs Website http://w3techs.com/sites
https://addons.mozilla.org/en-US/firefox/addon/w3techs-website-technolog...

That can help with some basic identification.