Man, I got a ton of email from all over the place about my last blog entry, and it seemed to fall into four groups:
Let me answer each in turn.
First, item (3) Apache 1.3.x.
I wasn’t interested in looking at 1.3 because 2.0 has been out for some time now (http://www.apacheweek.com/features/ap2), but some think I should, so here are the IIS6 and Apache 1.3.x stats, side by side:
While we're at it, here are the IIS5 figures in the same time period:
Now that’s out of the way, let’s look at item (4) the SSL story.
Microsoft issued a security update, MS04-011 (http://www.microsoft.com/technet/security/Bulletin/MS04-011.mspx), in April 2004 for Windows, which included a fix for a bug in Private Communications Technology (PCT). PCT was released just after SSL2 to fix a number of defects in that protocol; SSL3 later fixed the same defects. PCT also supported strong crypto for financial organizations and was enabled by default on all platforms except Windows Server 2003 and Windows XP SP2. So chances are very good that if you’re running a new Windows Server 2003 box, you’re not vulnerable, because the code path is not exposed by default. So it’s a low-priority bug. That said, let’s call it three security bugs related to IIS6.
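Since the exposure hinges on whether the PCT 1.0 server code path is actually enabled, here is how to check (and, if needed, switch it off) from PowerShell. This is an added example, not code from the original post or from Microsoft; it reads the Schannel protocol key under HKLM that the MS04-011 workaround documents, and the "OS default" wording assumes the defaults the paragraph above describes.

```powershell
# Added example (not from the original post). Reports the PCT 1.0 server-side
# state via the Schannel registry key and offers a function to disable it.
# Run in an elevated session on the server being checked.
$PctServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server'

function Get-PctServerState {
    # No key at all means nothing has overridden the OS default
    # (per the post: on for Windows 2000/XP, off for Windows Server 2003 and XP SP2).
    if (-not (Test-Path $PctServerKey)) {
        return 'not configured (OS default applies)'
    }
    $props = Get-ItemProperty -Path $PctServerKey -Name Enabled -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.Enabled) {
        # Key exists but the Enabled value is missing: still the OS default.
        return 'key present, Enabled value missing (OS default applies)'
    }
    if ($props.Enabled -eq 0) { return 'disabled' }
    return 'enabled'
}

function Disable-PctServer {
    # Create the key if necessary and set Enabled = 0 (REG_DWORD).
    if (-not (Test-Path $PctServerKey)) {
        New-Item -Path $PctServerKey -Force | Out-Null
    }
    New-ItemProperty -Path $PctServerKey -Name Enabled -Value 0 -PropertyType DWord -Force | Out-Null
    # Schannel reads these keys when the system starts, so a reboot is needed
    # before the change takes effect.
}

"PCT 1.0 server: $(Get-PctServerState)"
```

Run `Get-PctServerState` first; only call `Disable-PctServer` on boxes that report "enabled" or that sit on an OS whose default is on, and schedule the reboot the change requires.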
Now let’s look at Apache2, plus OpenSSL 0.9.x (will there be an OpenSSL 1.0? It's been 0.9.x since 23-Dec-1998!) because mod_ssl uses OpenSSL:
Remember, these are NOT my figures; they come from a third-party security company, Secunia.