Fog Creek Software
Discussion Board
But, but... I thought Apache was secure?

I saw an ad for "Portola automated patch service for Apache" in a news article. Here's the first paragraph from their website:

"When a new vulnerability is reported for an Open Source application, there is a race between those who issue fixes and those who would exploit the vulnerability to break into your server. For many sys admins, the problem is compounded by the time it takes to receive notice of the vulnerability, and the time and skill required to compile the source into an RPM or Deb package."

?

If this is in an ad that someone paid to put on a news site, it must be a pain point for Apache admins. With all sincerity, if this is the case, then what's the beef with IIS? Is the ad just FUD for managers? (Like, would the sysadmin say "slow down, boss - this isn't that big a deal"?)

Philo

Philo
Sunday, May 30, 2004

Gawd I hate posts like this. You are arguing against some generalized mental imaginary opponent of yours. Whose beef with IIS? And what did that person say about Apache?

Not that I doubt people will respond in an equally over argumentative fashion.. but that only means you were successful in baiting them.

I agree that there is a point somewhere in there, but how about stating it like "I consider the fact that there are commercial patch management systems available for Apache to be an indication that Apache security is no better than IIS security"?
See, much more straightforward. Less flamebait.

Eric Debois
Sunday, May 30, 2004

Like anyone selling a service, they slightly exaggerate the difficulty of the problem for which their service is a solution.  For both Apache and IIS, the problem is less about getting the patch than it is about applying it smoothly and being confident that it doesn't break the existing setup.  Like a good IIS admin, a good Apache admin will have things arranged so that patches are easy to retrieve, test, and install.  For some, that may mean using a service like this.

In short, that ad says nothing about Apache's merit.

Justin Johnson
Sunday, May 30, 2004

Eric, I did not mean to troll - I was sincerely looking for a reply like Justin's. I'd be interested to hear from other Apache admins about their real experiences with patch management and vulnerabilities.

Part of it is competitive - true. But I believe in informed competition, since that should, in theory, provide better products across the board.

In addition, I'm honestly just curious - I've done Oracle and linux, but I've never run an Apache server.

Philo

Philo
Sunday, May 30, 2004

Man, I just read the topic title again. That's *really* whiny - I am so sorry about that. :-)

Philo

Philo
Sunday, May 30, 2004

Isn't it obvious that on the internet there is no "secure", there's only "less secure" and "more secure"?  Nobody in their right mind has ever suggested that there were no security problems at all with Apache.  Of course there is a need for patches.

It would be interesting to compare the time to response for Apache patches vs. Microsoft patches, after a security hole is identified.  Of course at that point it's a "race" to get the hole patched, whether it's an open-source product or a commercial one. 

Also interesting would be a comparison both of the number and the severity of security holes in IIS and Apache.  Anybody betting that IIS has fewer holes and/or that they're less severe than Apache's? 

As Eric said, your original post boils down to, "I consider the fact that there are commercial patch management systems available for Apache to be an indication that Apache security is no better than IIS security."  But who ever thought that Apache needed no patches, anyway?  A web server could be a hell of a lot more secure than IIS and still have a need for patches.  I'm not saying that Apache is more secure.  Just suggesting that the existence of patch systems for Apache doesn't really suggest that IIS and Apache are "equally insecure".

(Also, in a post like this, wouldn't it be more honest if there were a disclaimer, "Note:  I work for MS.") 

Herbert Sitz
Sunday, May 30, 2004

Philo >
Ok, apology accepted.. I may have overreacted a bit too.

;-)

Eric Debois
Sunday, May 30, 2004
Bad bad Philo.

No Solitaire for you today.

;)

KC
Sunday, May 30, 2004

Obviously if you want a secure product, your best bet is to drop Apache and stick with Microsoft products.

Security Expert
Sunday, May 30, 2004

heh.

I'm impressed that you genuinely believed that Apache needed no patching, Philo.

If that's the incredibly favourable impression Microsoft in general has of open-source software, no wonder it's panicking....

FullNameRequired
Sunday, May 30, 2004

Apache is generally pretty secure.  My server hasn't needed security patches over the last couple of years. The updates have tended to be minor bugfixes that affect individual modules.  The IIS server that I use for VS.Net development needs pretty regular updates (or did; updates seem fewer of late).

The other posters are right though. All servers do need updating from time to time. All of the major free UNIX variants have made it easy now, but it didn't used to be that way, and older servers might not have the mechanisms in place.  I would advise against purchasing a service like that advertised though, and instead update the operating system and use its mechanism.  All of these operating systems are built and supported by people with servers of their own to maintain, and they have better things to spend their time on too.

Clay Dowling
Sunday, May 30, 2004

Sure, Apache needs patches just like any other application. Just check the Apache history. Upgrading it on any Linux distribution is as complex as using Windows Update, though. If you are able to type up2date you are done. So yes, bringing out a new service to do just this seems like FUD for managers to me.

It makes me think of expensive spam solutions offered in several advertisements. I checked out one or two and they just seem to route the customer's email through spamassassin. Using free software doing trivial stuff while billing $10 per month per email address for a 5000 seat company is a very lucrative business.

Jan Derk
Sunday, May 30, 2004

I'm surprised no one has mentioned where Apache got its name, which might be slightly relevant.

See http://httpd.apache.org/docs/misc/FAQ.html#name for the official version.

a cynic writes...
Sunday, May 30, 2004

FullName, it's not that I didn't think Apache needed patching at all - it was the parallelism of "patches come out, the crackers jump on it, and it's a race to get them installed." From the general attitude of many anti-MS types, it seemed that those weren't things most non-MS sysadmins had to worry about.
In particular I was thinking about the general /. reaction to "patch comes out, thirty days later worm runs wild" situations on MS platforms...

I guess it was a bit refreshing to see that we all face the same demons* no matter what the platform. :-)

And cynic, of course - I knew that, but didn't put two and two together...

Philo

*Daemons, on the other hand, are of course platform-specific...

Philo
Sunday, May 30, 2004

Philo

Since in truth any system can be made secure, the real question is "which is easier to secure and maintain?".  From the comments above it would appear that Apache has the advantage.

As an aside, in my experience the biggest issue with patching MS systems is that often a reboot is required, whereas on UNIX-like systems you can get away with just stopping and starting the service / daemon.

(caveat: my unix / linux experience is very limited.) 

a cynic writes...
Sunday, May 30, 2004

Philo -

There's a difference between Apache 1.3 and IIS 5 (last version I used) in that a default Apache install includes almost nothing -- you have to enable every service you intend to use -- and a default IIS install includes everything -- you have to disable anything you do not intend to use.

Most vulnerabilities, for both products, are not in the 'core', which is pretty simple, but rather in the "plugins"/"extensions"/"modules". Therefore, a default install of Apache is much more stable.

YMMV.

Ori Berger
Monday, May 31, 2004
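Ori Berger's point, that a small default install is what keeps Apache out of the module-level vulnerability lists, can be checked mechanically rather than by eye. The following is an added example, not code from this thread or from the Apache project: a POSIX shell script that lists every LoadModule an httpd.conf actually enables and flags any that are not on a site-specific allowlist. The sample config, the allowlist and the function names (audit_modules, sample_config) are constructed for the example and assume an Apache 2.x style config that loads modules with LoadModule directives.

```shell
#!/bin/sh
# Added example (not from the thread): audit the modules an httpd.conf
# loads against an explicit allowlist, so the install stays as small as
# the site actually needs. Assumes Apache 2.x style LoadModule lines.

# audit_modules CONFIG_FILE "mod_a mod_b ..."
#   Prints every active (uncommented) LoadModule whose module name is not
#   in the allowlist, one per line. Returns 1 if any were found, else 0.
audit_modules() {
    config="$1"
    allowed="$2"
    found=0
    # Drop comments (Apache only honours '#' at line start, but stripping
    # anything after '#' is safe here), keep LoadModule lines, take the
    # module-name field.
    for mod in $(sed -e 's/#.*$//' "$config" | awk '$1 == "LoadModule" { print $2 }'); do
        case " $allowed " in
            *" $mod "*) ;;                 # on the allowlist: fine
            *) echo "$mod"; found=1 ;;     # loaded but never justified
        esac
    done
    return $found
}

# Constructed sample httpd.conf for the demo (not a real server's config).
# mod_status is commented out; mod_cgi and mod_userdir were left enabled.
sample_config() {
    cat <<'EOF'
ServerRoot "/etc/httpd"
LoadModule mpm_event_module modules/mod_mpm_event.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule dir_module        modules/mod_dir.so
LoadModule mime_module       modules/mod_mime.so
LoadModule log_config_module modules/mod_log_config.so
# LoadModule status_module   modules/mod_status.so
LoadModule cgi_module        modules/mod_cgi.so
LoadModule userdir_module    modules/mod_userdir.so
Listen 80
EOF
}

# Modules this particular (hypothetical) static site is known to need.
ALLOWED="mpm_event_module authz_core_module dir_module mime_module log_config_module"

# Stand-alone demo: report anything loaded beyond the allowlist.
tmp=$(mktemp)
sample_config > "$tmp"
if audit_modules "$tmp" "$ALLOWED"; then
    echo "only allowlisted modules are loaded"
else
    echo "^-- loaded but not on the allowlist; comment out those LoadModule lines"
fi
rm -f "$tmp"
```

Run against the constructed config it prints cgi_module and userdir_module and exits 1; both are exactly the kind of non-core module the post is talking about. On a live Apache 2.2 or later server, `httpd -M` (or `apachectl -M`) lists what the running binary has actually loaded, including statically compiled modules that never appear in the config, so the same allowlist check is worth running against that output as well as against the file.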

Got a bit carried away there, Philo? I know it must be frustrating having every IIS flaw smeared over the tech front pages while the competition gets away with sneaking it through without anyone pointing a finger, but still.
If you wanted an answer to the question you could always consult http://www.securityfocus.com/bid .

Just me (Sir to you)
Monday, May 31, 2004

I thought I'd point this out.

Cracks, and patches against cracks, demand immediate attention.

Features, and patches to enable features, demand secondary attention, actually on a need basis.

There are a lot of patches for Apache of both kinds; I just thought that this adds a dimension to the situation. I am not sure how they will automate something that requires people to say go or no go unless they restrict it to cracks only.

Another problem, you can't go in there and muck around with the source code if you start using their system, otherwise their patch system will mess up when it stumbles on your custom code.

Apache, being free as in beer, is used by all kinds of people, some of these people won't be able to use the system.

Li-fan Chen
Monday, May 31, 2004

"No Solitaire for you today."


Probably BSOD'd anyway.

SNT the evolution of RMS
Monday, May 31, 2004

The difference is that with one you could, if you had the knowledge and skill, fix the problem, whereas with the other you wait for someone else to fix it for you. It boggles my mind that supposedly intelligent people opt for the former.

me
Tuesday, June 01, 2004

"Man, I just read the topic title again. That's *really* whiny - I am so sorry about that. :-) "

AS IF WE BELIEVE YOUR SINCERITY HUH?

[Disclaimer: I don't work for Microsoft, Philo does]

Jason
Wednesday, June 02, 2004
