tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Securing Tomcat Article for Review
Date Tue, 09 Jan 2007 19:52:57 GMT

Markus,

Markus Schönhaber wrote:
> You defend it yourself in the next paragraph you've written.
> 
>> One could argue that more moving parts equals more complexity, and that
>> complexity is an enemy of security (and I agree). However, there must be
>> a balance. If good security requires layers, and each layer adds more
>> complexity, then there is a paradox.
> 
> Exactly.

I believe I raised a question, rather than defending a point. I'm
suggesting that things are more complicated than the sound bites that
some people like to drop.

I would appreciate my FUD to come with a side order of empirical
evidence. For instance, if Leon had said "I've had bad security
experiences with Apache httpd", well, then at least he would have
actually been making a statement.

As much as I think that MS IIS is a steaming pile of crap, it is not a
foregone conclusion that running MS IIS implies that you will be hacked
to bits by tomorrow morning. The same is true with Apache httpd, except
that I'm guessing that most members on this list are less likely to jump
all over Apache httpd than they are to do so with MS IIS.

I would just urge posters to the list to post something more than
"product X sucks" or "". I hate having wasted my time to read a message
that does not move the dialog forward (not that I'm saying that Leon's
message was a waste of time). Let's all endeavor to provide proper
context and be precise in what message we are trying to communicate.

Leon's message says flat out that adding Apache httpd reduces security,
and provides no basis for that statement. A more appropriate statement
might have been that Apache does not add any appreciable measure of
security as Tomcat provides the same kinds of protections against
unauthorized access, etc.

-chris