[kwlug-disc] Security arguments

Paul Nijjar paul_nijjar at yahoo.ca
Tue Sep 22 14:38:04 EDT 2009


On Tue, Sep 22, 2009 at 11:10:21AM -0400, john at netdirect.ca wrote:

> 
> Most of the attack methods are common to both platforms and Apache
> scores worse because of its market share. This includes stolen
> passwords, man in the middle attacks and the many flaws in web
> applications. How is this Apache's fault?

I take a pretty different attitude to this. I think that Apache (or
the LAMP stack in general) can be a lot more proactive about making it
easier to program well. PHP is notorious for this, in my opinion -- it
makes it really easy to write insecure code that is prone to stupid
attacks like MySQL injections and cross-site scripting. There are ways
to avoid these attacks but you need to know what you are doing, and
those ways are not taught in beginner PHP tutorials until the final
chapters. That's stupid. The tools to program web applications more
securely should be part of the basic programmer's toolkit, and they
should be easy for newbies to understand and use. 

One way in which Apache could improve is to make privilege separation
easier. On a shared host, there is no reason why my insecure PHP
scripts and your fully-patched Drupal installation should be running
under the same user ID. But you see that sort of thing all the time. 

This reminds me a lot about the debate between C and programming
languages that are not insane. C and C++ have their place, but in
most situations the gains you get by having garbage collection and
buffer overflow protection exceed the efficiency gains. 

Man in the middle attacks are easy because the security infrastructure
for certificates is stupid, hard to deploy properly and inherently
flawed. That certainly is not the fault of Apache, but it does us no
good to shrug it off and say that it isn't our business. 

I don't give Windows XP a free pass for creating user accounts with
administrative privileges by default, even though it is possible for
an informed person to lower those privileges later. And I don't give
free software a free pass for making it so easy to deploy bad software
and then shrug it off because we're supposedly better than IIS. I
don't want to be better than IIS. I want to have sensible, secure
defaults that manage the tradeoff between convenience and security
well. 

Having said that, I would agree that these numerical comparisons
between Apache vs IIS are both flawed and irrelevant. We're not
competing against IIS. We're competing against the script kiddies and
Russian Mafia who delight in making our lives miserable. 

I'm not trying to spark a flamewar here. But I do see a lot of
arguments being bandied about that we would never accept from the
Windows apologists. 

- Paul





More information about the kwlug-disc mailing list