From: Nic Ferrier <[EMAIL PROTECTED]>
Reply-To: "A mailing list for discussion about Sun Microsystem's Java
Servlet API Technology." <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: Servlet Security
Date: Fri, 1 Oct 2004 19:46:49 +0100
Henry Reardon <[EMAIL PROTECTED]> writes:
> Thanks to all who replied for their insights with respect to the security
> differences between CGI and servlets.
>
> As best I can tell, they are very different in their architecture and
> therefore have different security concerns but both can be made
> satisfactorily secure.
>
> Therefore, our wiki could be both CGI-based or servlet-based and still be
> satisfactory.
>
> Have I basically got that right?
I don't think so.
CGIs are inherently insecure. There is a high level of risk in using CGIs,
Risk is the point though, you have to make a risk assessment and then
make a judgment about what technology is appropriate.
Sorry, I should have qualified that: CGIs are OK *if* you take the
appropriate safeguards like using mod_cgi.
Or have I got everything muddled up? I have a conceptual knowledge of CGI
and what it does and have done a few programs using it, most of them Perl
programs I wrote several years back. I don't have any real experience with
security for CGI and only just heard of cgi_mod for the first time yesterday
and don't really understand it yet, except that it is an implementation of
CGI that is reputedly more secure than some other implementations. I'm still
not quite clear if mod_cgi is anywhere near as secure as servlets.
Basically, I'm looking for an argument that a servlet-based wiki will be
substantially more secure than a CGI-based wiki - or vice versa - so that I
can make a case to the system administrator of a Linux server on which way
he should go. I was getting the impression from the various responses I've
had to my question (on this mailing list and another) that both were quite
satisfactory from a security standpoint IF the appropriate steps were taken
to tighten up security.
'Henry'
___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html