Forum OpenACS Q&A: Re: aolServer security issues

Posted by Andrew Piskorski on
:) Well, I wouldn't necessarily make that statement either, although now that I re-read his post, I realize I may have been putting words into Don's mouth. Oops.

Certainly, some part of the fact that no OpenACS sites are known to have been hacked due to an AOLserver security failure must be due simply to AOLserver's relative obscurity and thus unpopularity as a target. Heck, remember when that Apache OpenSSL worm was making the rounds? It was written to check for and attack only Apache, but AFAIK there was no inherent reason that it couldn't work on AOLserver too - it just never tried. That sort of accidental safety in anonymity isn't what I'd really call "safety" at all, but it doesn't hurt.

Better security auditing, etc., is always nice, but at least so far I haven't seen anything to indicate that AOLserver is in any dire need of it. I'm not really the person to comment on Apache vs. AOLserver security at all, neither empirically (reports of failures) nor based on design and code review (especially since I've never read any Apache code at all), but there are others here who probably are, and I haven't heard any serious complaints along those lines from them...