Based on the exploits I have seen on MS-SQL of recent, etc, nothing is going to be safe really,
if you really want safe, submit the CC# through a Java App. (or Flash) that will encrypt them, and therefore they
never sit anywhere in the "publicly accessible" side of your system in readable form.
Since Mono isn't likely as much of a "target", it might even be safer.
For the part of your site that accepts CC#, you could always just do that part SSL to Perl/C cgi script (if that is more "proven" to you)...
I have made a site with primarily Mono but threw a bit of Perl in (both having Postgres access).


-tl


Ron Afloh wrote:

How would you feel though about running a site w/
mono/apache/linux/aspx though that takes credit card
transactions and stores credit card #'s in a backend
mySQL database?

Because the mono mod plugin for Apache is fairly new
code (as is the entire mono code base), would people
consider this to be too risky?  Would there be too
many discovered holes that could compromise my system
and the credit card #'s on the backend?

This is not to knock the plugin or mono by saying it's
immature, obviously there has been an incredible
amount of progress that has been made very very
quickly and lots of blood/sweat/tears, but I wonder if
using it for a commercial backend that holds
confidential personal financial information would be
unwise at this point.

Thanks for all feedback -
Ron


--- ted leslie <[EMAIL PROTECTED]> wrote:


Ron Afloh wrote:



I had a few questions about ASP.NET as supported by
mono and apache. In short, I'm considering using it
to write a commercial webpage and wanted to get
feedback from you guys on how good/bad of an idea this
is.

1) Is the ASP.NET mono sections + apache plugin "ready
for primetime" -- i.e., has this stuff been "load"
tested, is the security there, can it scale to handle
a fairly large website?


2) Are any other non-hobby sites using mono's asp.net
implementation?





I used it for the Toronto NXNE music festival web
site (the venue schedule and music listing part),
it got hit at a pace of about 50,000 page hits (in
its busiest period) / day. About 2000 unique visitors per day.
Infrequently, the mod_mono process would constantly
take some cpu time (even when no hits) and the pages would not serve up,
an early-morning cron to restart mod_mono/apache kept
it reliable, but I am also using a 4+ month old version of Mono.
No other problems except above have been noticed. I'd
hope the new version doesn't have this issue.




3) If the asp.net stuff is not ready for full blown
commercial websites.... any ideas on when that level
of robustness/security/load-handling will be there?




4) From what I've read, ASP.NET is not covered under
ECMA specs and therefore is not as legally safe from
lawsuit from MS as the compiler/JIT/corelibs are. So
would it be stupid to risk using mono's ASP.NET
implementation for a commercial venture -- i.e., too
risky legally?




In our projects, some of the programmers develop in
the MS .Net Visual Studio
and test on their IIS and with a Postgres DB
running on a Linux box,
then they simply load it on to the Linux server as
they finish it, so it works on the MS environment
to begin with then dropped into Linux. If MS flexes
some muscles at a later time, worst case, it gets hosted on a MS box,
but I think that's unlikely, and if it got to that
point, MS would probably have a .NET product for Linux.
So to be safe, you might want to make sure what you
create runs on both systems (as you create it).
There is no IDE for Mono yet (monodevelop doesn't
have an HTML layout - integrate components to DB fields - etc), so
you probably will end up using MS Visual Studio
anyways, so you know it will work on MS, you'll just deploy
on Linux to save on the OS cost (perhaps the DB
cost), and of course reduce all the time wasted in installing virus defs,
service patches,
and fighting blue screens ......
At this time we have had to avoid (to be functional
on both platforms), Server.Transfer (use Response.Redirect), and
turning off components,
and thus setting Validation for them to "false" also
is buggy. Other than these two issues, so far, all we create works
between the two environments.




I did read the FAQ and searched the last few months of
postings and didn't really see anything that answered
all of these -- hopefully I didn't miss anything too
obvious :) I'm also aware that some of these
questions are not black and white and may not have an
answer at all -- regardless, I appreciate everyone's
input and suggestions.

Cheers -
Ron









_______________________________________________
Mono-list maillist  -  [EMAIL PROTECTED]
http://lists.ximian.com/mailman/listinfo/mono-list






