Christopher Schultz wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
André,
On 4/16/13 2:37 PM, André Warnier wrote:
Say that it would be easy to implement this in Tomcat, and that we
do not collectively find good reasons not to do so, and that it
does get implemented.
Then I pledge that my next move would be to bring this similarly
onto the Apache httpd list (using the Tomcat precedent as an
introduction of course (à la "hey guys ? those smart Tomcat
developers have just had a great idea etc..")).
Aren't we just back to mod_security at that point?
No. mod_security is certainly a great tool, much more capable and flexible and effective
than what I am proposing.
But it suffers from the same issues as the one I mentioned earlier.
Have a look at :
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-Introduction
It requires a whole setup in Apache to even start to do something.
In the practice, that means that only a small percentage of all webservers on the www will
ever install and use it, which greatly reduces any impact it will have on the www at
large. It will totally protect the 10% of WWW servers on which it is installed, and do
nothing to protect the remaining 90%.
So the botnets will still have 90% of the WWW webservers to scan, and this will keep them
in business. Because for the exploiters of a botnet, the "quality" of the servers into
which they break does not really matter. A poorly-protected Linux server running only one
personal website, is just about as valuable as your high-powered 32 GB RAM 8-core monster,
when it comes to using it as a platform to attack other sites.
And most of these small, low-budget webservers will precisely be the ones which install
the standard Tomcat or Apache via apt-get or the Windows Installer, and never change a
standard setting.
So it should be a standard feature, and the option should be to turn it off.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
