cbassett03 Posted September 21, 2014

So far, my company has been using Apache (Linux)-based web hosts for our hosting needs. Ever since the Heartbleed bug was found in OpenSSL, which is common to open source software, including Apache HTTP Server, I was wondering if Microsoft's IIS was any more secure than Apache. Opinions?

My argument is that although IIS is a closed-source system, it is also a widely targeted platform (Windows), so that may be of concern. My argument for Apache is that it is open source, so exploits can be implemented using the source code as well, which is available for free download.

So, the question really is: which HTTP server platform is more secure?
Jacques1 Posted September 21, 2014

The question doesn't make a lot of sense. As you've already said, the bug was in OpenSSL, not in Apache. Nobody says that you need to use Apache in combination with OpenSSL. For example, there's also mod_gnutls for GnuTLS or mod_nss for the NSS library.

If you generally question the security of open-source software, I think this is very naive and a case of security by obscurity. At first sight, it may make sense to keep the code as "secret" as possible so that attackers cannot see it. But in reality, this doesn't work at all. Attackers don't need the source code to find vulnerabilities, and at the same time you lose the benefit of getting feedback from people outside of your team. A lot of "secret" software is broken exactly because it's secret: if only a few people work on a project, and if there's nobody to tell them that they're doing it wrong, that doesn't end well. Good software doesn't come from hiding bugs; it comes from many good programmers working on it. Apparently OpenSSL had some issues with that in the past, but that doesn't mean the concept of open-source software is wrong. To the contrary, we need to embrace it and get a lot more competent programmers to work on OpenSSL.

I also find it a bit silly to judge software by a single bug. Sure, "Heartbleed" got a lot of media attention, and now everybody thinks they can bash OpenSSL. But who knows how many bugs are still lurking in other TLS implementations?
QuickOldCar Posted September 21, 2014

My response is that nothing on the internet is safe; you can only try to make it safer. And at least with open source you have the option to change anything you desire yourself.

As for Heartbleed, you should update OpenSSL and regenerate any keys, and assess if anything else could have been compromised. You can also recompile OpenSSL using the OPENSSL_NO_HEARTBEATS flag.
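The triage steps in the post above (check the installed OpenSSL, confirm heartbeats were compiled out, rotate keys) can be scripted. The following is an added example written for this page, not code from the thread or from the OpenSSL project. The function names (heartbleed_status, version_from_banner, heartbeats_compiled_out, server_advertises_heartbeat, regenerate_key_and_csr) and the SAMPLE_* strings are my own; the samples are constructed to look like `openssl version`, `openssl version -f` and `openssl s_client -tlsextdebug` output so the script runs offline. The affected-version table is the one from the Heartbleed advisory: 1.0.1 through 1.0.1f and 1.0.2-beta through 1.0.2-beta1 are affected, 1.0.1g and 1.0.2-beta2 carry the fix, and 0.9.8/1.0.0 never had the heartbeat code.

```shell
#!/bin/sh
# Added example for the Heartbleed (CVE-2014-0160) cleanup steps above.
# All function names and SAMPLE_* values below are assumptions/constructed data,
# not output captured from any real host.

# 1. Classify a bare version token as printed by `openssl version`.
#    Caveat: distributions backport the fix without bumping the letter
#    (a patched build can still report "1.0.1e"), so treat "vulnerable" as
#    "go read the package changelog", not as proof on its own.
heartbleed_status() {
    case "$1" in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*) echo vulnerable ;;   # 1.0.1 .. 1.0.1f
        1.0.1[g-z]*)                          echo patched ;;      # 1.0.1g and later
        1.0.2-beta|1.0.2-beta1)               echo vulnerable ;;   # pre-release branch
        1.0.2*)                               echo patched ;;      # 1.0.2-beta2 and later
        *)                                    echo unaffected ;;   # 0.9.8, 1.0.0, 1.1.x, 3.x
    esac
}

# Pull the version token out of the full banner ("OpenSSL 1.0.1f 6 Jan 2014").
version_from_banner() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# 2. Was the library rebuilt with the heartbeat code removed?
#    `openssl version -f` echoes the CFLAGS of the build, so a
#    `./config -DOPENSSL_NO_HEARTBEATS` rebuild shows the define there.
#    (If it was configured with `no-heartbeats` instead, the define lands in
#    include/openssl/opensslconf.h; grep that file as well on a real host.)
heartbeats_compiled_out() {
    case "$1" in
        *OPENSSL_NO_HEARTBEATS*) return 0 ;;
        *)                       return 1 ;;
    esac
}

# 3. Does a running server still advertise the heartbeat extension?
#    `openssl s_client -connect host:443 -tlsextdebug </dev/null` prints one
#    line per server extension; heartbeat is id 15 (RFC 6520). A server that
#    does not offer it cannot be bled, whatever version the library reports.
server_advertises_heartbeat() {
    printf '%s\n' "$1" | grep -F -q 'TLS server extension "heartbeat" (id=15)'
}

# 4. Key rotation: a leaked private key is the reason "regenerate any keys"
#    is on the list. Only run on a real host, after the library is fixed,
#    then get the new CSR signed and revoke the old certificate.
regenerate_key_and_csr() {
    # usage: regenerate_key_and_csr www.example.com newkey.pem newreq.csr
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$1" -keyout "$2" -out "$3"
}

# --- constructed sample data standing in for real command output ---
SAMPLE_BANNER_OLD='OpenSSL 1.0.1f 6 Jan 2014'
SAMPLE_BANNER_NEW='OpenSSL 1.0.1g 7 Apr 2014'
SAMPLE_CFLAGS_HARDENED='compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -DOPENSSL_NO_HEARTBEATS -O3'
SAMPLE_TLSEXT='TLS server extension "renegotiation info" (id=65281), len=1
TLS server extension "heartbeat" (id=15), len=1'

main() {
    for b in "$SAMPLE_BANNER_OLD" "$SAMPLE_BANNER_NEW"; do
        v=$(version_from_banner "$b")
        printf '%-12s %s\n' "$v" "$(heartbleed_status "$v")"
    done
    if heartbeats_compiled_out "$SAMPLE_CFLAGS_HARDENED"; then
        echo "build has heartbeats compiled out"
    fi
    if server_advertises_heartbeat "$SAMPLE_TLSEXT"; then
        echo "server still advertises TLS heartbeat; fix the library and restart"
    fi
    # On a real host, replace the samples with:
    #   version_from_banner "$(openssl version)"
    #   heartbeats_compiled_out "$(openssl version -f)"
    #   server_advertises_heartbeat "$(openssl s_client -connect host:443 -tlsextdebug </dev/null 2>&1)"
}

main "$@"
```

The version check is deliberately the weakest of the three signals: a vendor build that reports 1.0.1e may already carry the fix, while a self-compiled 1.0.1g with `-DOPENSSL_NO_HEARTBEATS` missing is fine only because of the upstream patch. The server-side extension check is the one that tells you whether a given listener can still be bled, and the key rotation is what addresses the damage an earlier bleed may already have done.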