Open Source and information security mailing list archives
 
From: nocmonkey at gmail.com (Danny)
Subject: IE is just as safe as FireFox

On Fri, 12 Nov 2004 22:15:31 +0100, nicolas vigier
<boklm@...s-attacks.org> wrote:
> On Thu, 11 Nov 2004, Danny wrote:
> 
> >
> > Yes, IE security needs work. Yes, Firefox is a great web browser.
> >
> > However, if Firefox or any other browser had the same market share as
> > IE, would it really be that much more secure? There sure would be a
> > lot more people trying to find holes in Firefox if it had the same
> > user base.
> 
> Yes, IIS security needs work. Yes, Apache is a great web server.

A properly set up IIS 6.0 server is no less secure than a properly
set up Apache server (with the latest patches).

Show me how/where a properly set up IIS 6.0 server needs security work?
If you can't hack it, find someone who can or has, and show me
evidence that it was set up properly.

When I say properly, I mean, based on the recommendations stated on
Microsoft's website for securing IIS 6.0. Likewise for setting up
Apache.

> However, if Apache or any other web server had the same market share as
> IIS, would it really be that much more secure ? There sure would be a
> lot more people trying to find holes in Apache if it had the same user
> base.

I didn't ask for a comparison for web SERVERS. We are talking about
clients; we are talking about Internet Exploiter and any other web
browser with more than 1000 users, say for example Firefox.

> Wooops. Netcraft tells us that 67% of webservers are running Apache while 21%
> are running IIS. Why are there so many worms targeting IIS and not so many
> for Apache?

1) Because Microsoft did not have any useful security in mind when
they put out IIS 4 & 5. IIS 6 is a much different story;
http://secunia.com/product/1438/

2) I would say over 3/4 of them were not set up properly. You know, if
you want your Microsoft product on the Internet, you do,
unfortunately, have to set it up properly. However, it's actually not
a lot of work. The problem is, most people don't do the work. They
just plug it into the network and say "Alright, we gots our fackin'
websiiite up dare boys. Cletus, upload that fantiastic websiite with
you shaggin' your mom's sisters goat that you made dare in FrontPage.
Riiiight on little buddy! Shes alive!"

3) Most MS admins are lazy and know very little about security. It's
catch 23... why bother securing a product that does not have security
built-in.

> The truth is that some programs have a bad design for security while
> some others have a better one.

I agree. Microsoft is obviously the worst for this. See my last few posts.

Believe it or not, I prefer Firefox over IE, Apache over IIS, FreeBSD
over Windows, etc. The difference is, I have an open mind and try to
keep all aspects of the debate in mind.

...D

