
Apache vs. IIS


cbassett03


So far, my company has been using Apache (Linux)-based web hosts for our hosting needs.  Ever since the Heartbleed bug was found in OpenSSL, which is common to open source software, including Apache HTTP Server, I was wondering if Microsoft's IIS was any more secure than Apache.  Opinions?

 

My argument is that although IIS is a closed-source system, it is also a widely targeted platform (Windows) so that may be of concern.  My argument for Apache is that it is open source, so exploits can be implemented using the source code as well, which is available for free download.

 

So, the question really is which HTTP server platform is more secure?


The question doesn't make a lot of sense. As you've already said, the bug was in OpenSSL, not in Apache. Nobody says that you need to use Apache in combination with OpenSSL. For example, there's also mod_gnutls for GnuTLS or mod_nss for the NSS library.

 

If you generally question the security of open-source software, I think this is very naive and a case of security by obscurity. At first sight, it may make sense to keep the code as “secret” as possible so that attackers cannot see it. But in reality, this doesn't work at all. Attackers don't need the source code to find vulnerabilities, and at the same time you lose the benefit of getting feedback from people outside of your team. A lot of “secret” software is broken exactly because it's secret: If only a few people work on a project, and if there's nobody to tell them that they're doing it wrong, that doesn't end well.

 

Good software doesn't come from hiding bugs, it comes from many good programmers working on it. Apparently OpenSSL had some issues with that in the past, but that doesn't mean the concept of open-source software is wrong. To the contrary, we need to embrace it and get a lot more competent programmers to work on OpenSSL.

 

I also find it a bit silly to judge software by a single bug. Sure, “Heartbleed” got a lot of media attention, and now everybody thinks they can bash OpenSSL. But who knows how many bugs are still lurking in other TLS implementations?


My response is nothing on the internet is safe, you can only try to make it safer.

And at least with open source you have the option to change anything you desire yourself.

 

As for Heartbleed, you should update OpenSSL and regenerate any keys, and assess if anything else could have been compromised.

You can also recompile OpenSSL using the OPENSSL_NO_HEARTBEATS flag.
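An added check to go with the remediation steps above (example code, not from this thread): a POSIX shell function that classifies an `openssl version` string against the Heartbleed-affected release range, with the upgrade, the OPENSSL_NO_HEARTBEATS rebuild and the key regeneration noted in comments. The `heartbleed_affected` and `report_installed` names are mine; the sample version strings are constructed.

```shell
#!/bin/sh
# Heartbleed (CVE-2014-0160) affected OpenSSL 1.0.1 through 1.0.1f and
# 1.0.2-beta1. 1.0.1g and later fixed it; the 0.9.8 and 1.0.0 branches
# never had the TLS heartbeat code. This function takes the full output of
# `openssl version` (e.g. "OpenSSL 1.0.1e 11 Feb 2013") and returns
# 0 if the version string is in the affected range, 1 otherwise.
heartbleed_affected() {
    # Split on whitespace; the version is the second word. A suffix such
    # as "-fips" may follow the letter, so allow a trailing "-anything".
    set -- $1
    ver=$2
    case "$ver" in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Caveat for a defender: distributions often backport the fix without
# changing the version string (a patched 1.0.1e still reports 1.0.1e), so
# "affected" here means "confirm against the package changelog or a
# runtime test", while a 1.0.1g+ string is a reliable "not affected".
report_installed() {
    v=$(openssl version 2>/dev/null) || { echo "openssl not found"; return 2; }
    if heartbleed_affected "$v"; then
        echo "POSSIBLY AFFECTED: $v"
        # Remediation, in the order the thread gives it:
        #   1. upgrade to 1.0.1g or later, or, if you cannot upgrade yet,
        #      rebuild the library with:  ./config -DOPENSSL_NO_HEARTBEATS
        #   2. generate new private keys and reissue/revoke certificates,
        #      since the old keys may have been read from server memory;
        #   3. assess what else was exposed (session cookies, passwords)
        #      and rotate those too.
        return 0
    else
        echo "not in the affected range: $v"
        return 1
    fi
}
```

Source the file and call `report_installed` on each host; the exit status (0 = possibly affected) makes it usable from a fleet-wide inventory script.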
