From: Christopher Schultz
To: Tomcat Users List
Date: Tue, 09 Jan 2007 14:52:57 -0500
Subject: Re: Securing Tomcat Article for Review

Markus,

Markus Schönhaber wrote:
> You defend it yourself in the next paragraph you've written.
>
>> One could argue that more moving parts equals more complexity, and that
>> complexity is an enemy of security (and I agree). However, there must be
>> a balance. If good security requires layers, and each layer adds more
>> complexity, then there is a paradox.
>
> Exactly.

I believe I raised a question, rather than defending a point. I'm suggesting that things are more complicated than the sound bites that some people like to drop. I would appreciate my FUD to come with a side order of empirical evidence.

For instance, if Leon had said "I've had bad security experiences with Apache httpd", well, then at least he would have actually been making a statement.

As much as I think that MS IIS is a steaming pile of crap, it is not a foregone conclusion that running MS IIS implies that you will be hacked to bits by tomorrow morning. The same is true with Apache httpd, except that I'm guessing that most members on this list are less likely to jump all over Apache httpd than they are to do so with MS IIS.

I would just urge posters to the list to post something more than "product X sucks" or "". I hate having wasted my time to read a message that does not move the dialog forward (not that I'm saying that Leon's message was a waste of time). Let's all endeavor to provide proper context and be precise in what message we are trying to communicate.

Leon's message says flat out that adding Apache httpd reduces security, and provides no basis for that statement. A more appropriate statement might have been that Apache does not add any appreciable measure of security as Tomcat provides the same kinds of protections against unauthorized access, etc.
-chris