
Apache Now the Leader in SSL Servers? 160

Posted by Zonk
from the moving-on-up dept.
miller60 writes "Apache has overtaken Microsoft as the leading developer of secure web servers, according to Netcraft's monthly SSL survey. Apache now runs on 44.0% of secure web sites, compared to 43.8% for Microsoft. Apache's recent gains are attributed to the inclusion of mod_ssl in version 2, and strong growth of SSL-enabled sites in non-US markets where Apache has stronger market share."
  • Congratulations (Score:5, Interesting)

    by EraserMouseMan (847479) on Thursday April 27, 2006 @04:37PM (#15215691)
    to a quality open source product! Whatever Apache is doing development and management-wise, don't change a thing!
    • Re:Congratulations (Score:4, Interesting)

      by Homology (639438) on Thursday April 27, 2006 @04:45PM (#15215769)
      to a quality open source product! Whatever Apache is doing development and management-wise, don't change a thing!

      They rejected many security patches from OpenBSD for httpd 1.3.29, and even before OpenBSD forked httpd 1.3 (the infamous license change) the in-tree diff was over 4000 lines of code.

      • I was going to mention how easy setting up SSL Apache was but then your post reminded me it was OpenBSD's install:

        man ssl

        GENERATING RSA SERVER CERTIFICATES FOR WEB SERVERS
        To support https transactions in httpd(8) you will need to generate an
        RSA certificate.

        # openssl genrsa -out /etc/ssl/private/server.key 1024

        Or, if you wis
    • Wait a minute, isn't this all the work of OpenSourceParking...?
  • Shows what I know (Score:5, Interesting)

    by Illbay (700081) on Thursday April 27, 2006 @04:38PM (#15215704) Journal
    I didn't even know that Apache had NOT been the leader in this category.
    • Re:Shows what I know (Score:4, Interesting)

      by PFI_Optix (936301) on Thursday April 27, 2006 @04:46PM (#15215781) Journal
      I'm not sure why this was modded redundant. I too am surprised that Apache wasn't the leading secure server. I'd find it interesting to know just how many people didn't realize that MS held as much share in this particular category as they do.
      • Re:Shows what I know (Score:4, Interesting)

        by DaHat (247651) on Thursday April 27, 2006 @04:59PM (#15215879) Homepage
        I agree... but for a different reason: I'm surprised that this was not mentioned previously by the Microsoft camp in response to the traditional OSS claim of Apache and Linux running more web servers than Windows and IIS.
        • Re:Shows what I know (Score:4, Informative)

          by gbjbaanb (229885) on Thursday April 27, 2006 @05:38PM (#15216174)
          It has been mentioned, just that the figures were not available for the SSL survey unless you coughed up cash for the report.

          It's the response that, despite Apache's strength in overall websites, IIS was used for more 'serious' sites. The OSS people who read these comments (usually in another Apache has more/is better/etc than IIS stories) just ignore them.
          • Re:Shows what I know (Score:3, Informative)

            by Secrity (742221)
            It was my understanding that for heavy duty "serious" sites that Netscape web server/Sun whatever web server had been the usual choice. news.bbc.co.uk (serious web site, number 8 behind Yahoo, Microsoft, and Google) is using Zeus/4.2 on most of its sites. www.yahoo.com is running something under FreeBSD. cgi.ebay.com, #9, is mostly running WebSphere. #10, toolbar.netcraft.com (?) is running Apache. The only Netcraft top 10 most visited site that is running IIS is www.microsoft.com (#6). For reference, w
        • I suspect the MS camp did not want to mention the figures too often as it would draw attention to the survey which also showed Apache well ahead in market share.
    • Microsoft 'secure' server. That just seems wrong to me. Is that even possible? Maybe if you unplug it and bury it in concrete. In my experience that's the only way to keep a Windows machine secure.
    • I didn't even know that Apache had NOT been the leader in this category.

      Patents on some SSL algorithms kept Apache from distributing the SSL code freely. Now the patents have expired and secure commerce is finally free. Just one example of how patents harm society, in this case they helped support the inveterate monopolist Microsoft.
  • by LWATCDR (28044) on Thursday April 27, 2006 @04:40PM (#15215722) Homepage Journal
    Sure Apache may have more installs than Microsoft but if you go by dollar value of product shipped I am sure that Microsoft is still way out in front of Apache!
    • Umm, No.

      If you go in dollars collected, then yes, I'd have to agree that Microsoft is way out in front. Dollar value on the other hand, is most certainly up for debate.

      And of course the obligatory:

      I for one, welcome our new open source overlords!!
    • It does all depend on how you count it, but using the amount of revenue each product generates as your method of counting is the kind of thinking that leads to open source software being considered worthless. Yes the products that Microsoft's shipped have generated far more revenue, but Apache isn't even trying to compete on that level. If you must compare the two, compare them by actual quality of product, usually as determined by market share. If one program costs $10 and another costs $100 and you measur
    • How about we sum the value of the transactions shipped via the 44.0% of secure web sites, compared to 43.8% for Microsoft.

    • That's certainly true, because Microsoft don't consider webservices a basic part of servers in the internet age, so the mugs that use insecure windows OS's have to pay extra (often for a limited number of clients). Meanwhile, real IT professionals (read: unix people) know exactly what a webserver is, and can build their own if it comes right down to it. Except, we don't; instead, we cooperate and share technology, like mature professionals do.
      • What on earth are you talking about? Windows *server* OS's have IIS included and ready to run. The cost of Windows Server is MINIMAL when compared to the cost of admin staff, and even the cost of the HVAC system that cools whatever computer you buy! For many businesses (not all of course - this is not a black and white world) using a Windows Server platform saves them time and money. This is quite simply because many companies don't have "real IT professionals" as you put it, and instead have a team of win
  • Just now? (Score:3, Interesting)

    by TimmyDee (713324) on Thursday April 27, 2006 @04:42PM (#15215739) Homepage Journal
    With IIS's myriad of security issues, you'd think this would have happened a long time ago. I guess we just have to chalk it up to the slow movements of corporations (or the death of those who used IIS ;).
    • Re:Just now? (Score:1, Informative)

      by bod1988 (925911)
      IIS: http://secunia.com/product/1438/ [secunia.com]

      Apache: http://secunia.com/product/72/ [secunia.com]

      What were you saying again?
    • by ad0gg (594412)
      You should probably check your facts first. IIS is a lot more secure than Apache.

      IIS 6 [secunia.com] 2 exploits all patched
      Apache 2.0 [secunia.com] 28 exploits 3 unpatched

      I bet I get modded down for posting these two links.

    • Security issues? Sounds like somebody just likes to spew anti-ms propaganda without knowing the facts. IIS 6 has had NO critical security vulnerabilities since its release with Windows 2003 Server. IIS 6 is WAY more secure than Apache.
      • Note that I didn't say which version of IIS. I can't speak to IIS 6, but previous versions weren't exactly Fort Knox. Plus, many businesses don't upgrade to whichever is the latest version of X to come out of Redmond (or any software firm, really).
        • So compare IIS5.0 to a later version of apache. IIS5.0 is what came out with windows2000, IIS6 comes with 2003 server. IIS 5.0 still has half the number of security problems that apache has. And just think, IIS isn't just web, it also does SMTP, FTP and NNTP and still has less security problems than apache, which is really quite sad. Kinda makes you wonder why anyone would choose apache over IIS, maybe it's because of all the disinformation on the net that fan boys spread.
    • Re:Just now? (Score:3, Interesting)

      by Not_Wiggins (686627)
      It is more likely attributable to corporations setting up separate web/app servers. It is fairly common to have the front-end content served up by Apache and requests for dynamic content forwarded from the front-end webservers back through firewalls to application servers. Those backend appservers may still be anything... Websphere, IIS, WebLogic, etc.

      The stats listed might simply be reflecting this trend towards a split/more secure setup.
    • With IIS's myriad of security issues

      Frankly, this kind of crap needs to stop.

      Over the past three years, IIS 6 has had a grand total of 2 vulnerabilities [secunia.com] - neither one being particularly severe. If you can point out more, I'd like to hear it.

      Microsoft has a lot of problems with security, but IIS 6 isn't one of them. IIS 6 has proven to be a very secure webserver.
  • Terrorism! (Score:1, Funny)

    by jZnat (793348) *
    Everyone knows that if you have nothing to hide, you don't need to encrypt your communications traffic. This obviously means that terrorists are using open source software more often now! We need a law banning open source software now!
  • "Late Wednesday evening, Microsoft executive Steve Ballmer was found buried up to his honey-glazed, fire-ant covered head, apparently the result of a misunderstanding over his outspoken reaction to the news."
  • by imemyself (757318) on Thursday April 27, 2006 @04:46PM (#15215784)
    Out of curiosity, does anyone know why the stats for SSL servers are so much different from regular HTTP? Are more business or ecomm (shudder) sites running on IIS? Or am I missing something?
    • In the US the answer is yes because they want to standardize on Microsoft to lower support costs.

      I also just wrote a post mentioning that many ecommerce sites use Java based http servers and run Java based servlets where mission critical applications need to be robust. Most of these run neither apache nor IIS and run on Unix.

    • by tedhiltonhead (654502) on Thursday April 27, 2006 @05:01PM (#15215895)
      The vast majority of virtual hosting is done using Apache, and most domains don't have SSL support. The SSL stat may get us closer to counting the number of IP's using the two packages, rather than just the number of domains.
    • Out of curiosity, does anyone know why the stats for SSL servers are so much different from regular HTTP?

      Because it is either impossible (or perhaps merely very difficult) to virtually host an SSL site -- the problem is: when the client connects and requests a certificate, what certificate should be returned? The certificate needs to match the domain name of the request, but since the HTTP request has not yet been made (this happens after the certificate validation), the server does not know this name yet.
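
The ordering problem described in the comment above, as an added example that is not part of the original thread. It goes one step beyond the comment by parsing the TLS ClientHello for the `server_name` (SNI) extension from RFC 6066, the only place a hostname can reach the server before the certificate is chosen; the hostnames and certificate labels are constructed placeholders.

```python
import ssl
import struct

def client_hello(server_hostname):
    """Return the first flight a stdlib TLS client would send (no network used)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # With no name there is nothing to check; the handshake never completes here.
    ctx.check_hostname = server_hostname is not None
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # ClientHello has been written; the client now waits for the server
    return outgoing.read()

def u16(buf, pos):
    return struct.unpack_from("!H", buf, pos)[0]

def handshake_bytes(raw):
    """Concatenate the payloads of all handshake (type 22) TLS records."""
    out, pos = b"", 0
    while pos + 5 <= len(raw):
        length = u16(raw, pos + 3)
        if raw[pos] == 22:
            out += raw[pos + 5:pos + 5 + length]
        pos += 5 + length
    return out

def sni_from_client_hello(raw):
    """Return the hostname in the server_name extension, or None if absent."""
    hs = handshake_bytes(raw)
    if len(hs) < 4 or hs[0] != 1:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                 # handshake header, client_version, random
    pos += 1 + hs[pos]               # session_id
    pos += 2 + u16(hs, pos)          # cipher_suites
    pos += 1 + hs[pos]               # compression_methods
    if pos + 2 > len(hs):
        return None                  # hello carries no extensions at all
    end = pos + 2 + u16(hs, pos)
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = u16(hs, pos), u16(hs, pos + 2)
        body = hs[pos + 4:pos + 4 + ext_len]
        if ext_type == 0 and len(body) >= 5 and body[2] == 0:
            # list length (2), name_type (1) = host_name, name length (2), name
            return body[5:5 + u16(body, 3)].decode("ascii")
        pos += 4 + ext_len
    return None

# Constructed vhost table: two sites sharing one IP address and port.
VHOST_CERTS = {"shop.example": "cert[CN=shop.example]",
               "blog.example": "cert[CN=blog.example]"}
DEFAULT_CERT = "cert[CN=shop.example]"   # all the server can offer without a name

def certificate_for(raw_hello):
    """Choose a certificate using only what exists before any HTTP request."""
    return VHOST_CERTS.get(sni_from_client_hello(raw_hello), DEFAULT_CERT)

if __name__ == "__main__":
    for name in (None, "shop.example", "blog.example"):
        hello = client_hello(name)
        print(name, "->", sni_from_client_hello(hello), certificate_for(hello))
```

A client that sends no name always receives the default certificate, so a visitor to the second site gets a name mismatch; one IP address per SSL site avoids that, which is why SSL counts track IP addresses more closely than domain counts.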

  • by gasmonso (929871) on Thursday April 27, 2006 @04:47PM (#15215791) Homepage

    Honestly, all MS bashing aside, why would anyone use MS over Apache? The support and knowledgebase surrounding Apache is second to none. Plus it's free, but to me that's second to the quality and performance. Keep it up Apache!

    http://religiousfreaks.com/ [religiousfreaks.com]
    • Because IIS is easy, secure (no critical updates for IIS 6 ever!) and can run ASP.NET/Python/PHP/Perl and anything else you can throw at it with very little configuration. The application pool isolation is also a very nice feature for those who came from IIS 5, so one web site can't bring down an entire box. There are tons and tons of IIS resources on the Net, and while there may be more Apache information, that is only because there is less to know for IIS, it just works.
      • It's better phrased that IIS can *almost* run PHP, Perl or Python written for *nix, but more often than not there are tweaks required. I have yet to see anything written in these languages on *nix boxes of any reasonable size port without work to IIS.
      • if IIS is so freaking "secure", then why do I have rules in my apache configuration trying to detect URLs that include things like "/MSADC", "/c/...", "/_", "/uri-res", etc, so I can block all those infected machines that keep trying to infect ME?

        Less to know my arse - it's more like willful ignorance
    • by Thundersnatch (671481) on Thursday April 27, 2006 @06:28PM (#15216539) Journal

      It's all about the developers. People use IIS because it serves ASP and more importantly ASP.net. Say what you will about Microsoft, but Visual Studio is a first-class development environment. Building scalable and functional web applications in ASP.net using the graphical tools in VS is easier than anything I've seen in the LAMP world, with the possible exception of Rails.

      Plus, Microsoft's near-suicidal devotion to backwards compatibility makes heavily mixed ASP/ASP.net sites like CDW [cdw.com] reasonably easy, probably easier than mixing different web frameworks on a LAMP or Java platform.

      • How is VS + ASP.NET + IIS any better than eclipse/netbeans/Idea + Java? If anything it's worse because java tools have always been better than VS. How long has it taken for VS to get refactoring and a decent build system for example? The java programmers were enjoying those features for years while the VS people plodded along thinking they were l33t because they could draw their guis.

        I won't even go into how much more productive rails is than ASP.NET.

        Honestly the ASP.NET crowd thinks everybody else is work
        • How is VS + ASP.NET + IIS any better than eclipse/netbeans/Idea + Java

          The simple answer is: ASP.net requires less code, and less design-up-front to get something working.

          In my experience, J2EE is fine for huge projects with lots of design resources and a bunch of proficient Java coders, but it is often a sledgehammer in search of something to hit. It's too big and clumsy for many smaller projects, and offers little if you want to "start small and scale up". Granted, J2EE's requirements for separating logi

    • ASP.NET.

      Check out the job postings these days. C#/ASP.NET developers are in VERY HIGH demand. For a long time, ASP was pretty shitty and worse than PHP and other technologies. With the arrival of ASP.NET/C#, the tide is turning back towards MS technologies, although these changes occur over periods of years and so it's hard to judge sometimes.

      Apache/Linux/etc may be free, but the cost of the MS software is minimal compared to the cost of a developer. A decent developer will cost you anywhere from 7

  • I mention how bad Microsoft products are for mission critical servers and applications like websites. The response is always " .. but this is what everyone is using".

    So in other words it must not be that bad because everyone else is using it and everyone else is using it because everyone else is also using it. If that makes sense?

    Now it looks like the phb's are going to have to come up with a better excuse. :-)

    Also what is not mentioned here is that Java is the number one standard with big ecommerce sites
    • Re:funny (Score:4, Insightful)

      by Psiren (6145) on Thursday April 27, 2006 @05:34PM (#15216155)
      I mention how bad Microsoft products are for mission critical servers and applications like websites.

      On what information are you basing this statement? If you looked at the stats (several comments above have the links) you'll see that IIS 6 compares very well against Apache. When you're making these statements, do you mention these statistics? I'm guessing not. There are plenty of reasons to use Apache over IIS, but security is not top of the list.

      I'm all for advocating open source, but if you're going to do it, don't spout bullshit. You come across as nothing more than a MS basher, and frankly, I don't want people like you speaking on my behalf.

      • I am considered a Microsoftie to some here on slashdot.

        Windows/IIS is known to have over 1,000 security holes since it was introduced and the combination is not as reliable as Apache and Unix.

        Also .Net is still very new and Java has it beat in terms of robustness and age for dynamic content.

      • On what information are you basing this statement? If you looked at the stats (several comments above have the links) you'll see that IIS 6 compares very well against Apache. When you're making these statements, do you mention these statistics? I'm guessing not. There are plenty of reasons to use Apache over IIS, but security is not top of the list.

        I hate religious wars, but what the hell - it's been a while since I've been in a good jihad (kidding)

        Seriously - I have never used IIS, and never will. It h
        • System information for \\:
          Uptime: 380 days, 3 hours, 43 minutes, 28 seconds
          Kernel version: Microsoft Windows 2000, Uniprocessor Free
          Product type: Advanced Server
          Product version: 5.0
          Service pack: 4

          And it isn't even that decent a box. A skilled IT staff can keep any operating system running for long uptimes -- it isn't the uptime of the box that you should look at -- it is the uptime of the application - if you've had to restart it (for whatever reason - died/patched/etc.) the

          • I would really, REALLY like to know exactly how much work that machine is doing, or if it's just sitting there idle. No, I'm not trolling - it's a serious question.

            And yes, it DOES matter what the uptime for the box can be. Because if the box can't stay up, it doesn't matter how reliable the applications are (or are not). That was my point.
            • Two small websites and Exchange and pretending to be a file server. The mail traffic is from a few lists plus the household stuff - but then it's Exchange so go figure.
        • I have found W2K server to be just as reliable as my Linux boxes. I do apply security patches & reboot on the weekend every month or so, but that doesn't affect our business and really I don't need to apply them all. Our current file server has been great for 4 years now running W2K server. My intranet server has been great for 4 years running Linux. I like them both.
    • by msuzio (3104)
      I suspect most people are going to front-end Java servlet containers with Apache via something like mod_caucho or mod_jk (or, um, whatever the newest version of the Apache Server-to-Tomcat communications format is, those darn open source folks seem to change their minds a lot). Apache has a lot more customizable options for controlling access, rewriting URLs, and other things you usually end up needing in any real production environment.
  • If it's SSL, then it's not Apache, it's Apache-which-includes-code-from-the-OpenSSL-project. All marketing material which references the SSL features of products that contain OpenSSL is required to include that text by the OpenSSL license.

    Oh, how I wish they'd move to a proper 3-clause BSD license...

  • false readings (Score:4, Interesting)

    by Keruo (771880) on Thursday April 27, 2006 @04:56PM (#15215851)
    Netcraft statistics lie.
    I run several ssl www-servers with linux+apache configuration, and yet they show as windows 2003 on netcraft surveys because eNom reports them that way.
    The true amount of IIS-based ssl servers is much smaller.
    • by Anonymous Coward
      Can I ask one question -- why is this bullshit moderated up? Can anyone just post any piece of random crap and Slashdot will just believe it if it favors Apache or disfavors Microsoft?

      Is it too much to ask for this Bozo to actually, I don't know, PROVE his ridiculous statement? Would it be too much to ask that he explain exactly how ANY Apache server would show if his stupid accusation were true?

      Bah. I'm no Microsoft fan, but I hate stupidity more.

    • Re:false readings (Score:4, Insightful)

      by PsychicX (866028) on Thursday April 27, 2006 @06:20PM (#15216487)
      More importantly, the reported difference is 0.2%. You can't honestly expect me to believe that's a statistically significant difference; you'd need much more data to even get 1% margin of error.
    • So based on your knowledge that a few servers are registered in the wrong category you assume this is true also for lots of other Apache servers? Have you taken into consideration that the reverse could also be possible? Tested it? In significant numbers?

      I have no doubt that the Netcraft statistics aren't 100% correct but your statement has no proof.
  • Like the article mentioned, it's probably got something to do with mod_ssl being included as standard in Apache 2.0. Maybe it's just that those running websites these days are more paranoid than their 'forefathers'? After all, generally, Apache use has fallen recently [netcraft.com].
    • From that graph, I see that Apache has fallen by roughly the amount 'others' has increased. I moved my Apache server over to Lighttpd a while ago - it's faster, uses less memory, has a more permissive license, and is easier to configure. Apparently there are things that Apache can do that Lighttpd can't, but I strongly suspect that they are things that 90% of the web-server-running world doesn't need to do.
    • Take fluctuations like that, and the entire NetCraft survey, with a grain of salt. Apache lost 4.4 million installed sites with a single decision. GoDaddy moved its domain parking to IIS. [geekpedia.com] These are not real sites in which you can do anything, they're pretty much just placeholders and ads for GoDaddy at this point. Can't really bitch about it, it has to be on something, and at one time those 4.4 million servers were counted for Apache. In fact, NetCraft said most domain parkers use Apache.
  • by Provocateur (133110) on Thursday April 27, 2006 @05:21PM (#15216058) Homepage
    Or did Slashdot use up all their !!!!! during the infamous OMG! Ponies!!! issue...
     
  • everyone just now finally figured out how to create and use self-signed certs with apache and openssl :-)
  • Things will get better over time.

    This is the first year that OpenSSL is certified by the government cryptographers as usable. This allows, for the first time, official government use of openssl as a solution in many, many government contract situations, where IPSEC or hardware would formerly have been required.

    http://csrc.nist.gov/cryptval/140-1/1401val2006.htm [nist.gov]
  • That's an odd statistic to run. It makes sense at first but then it feels like something MS did so it can make IIS first in something (no longer though I guess).

    Now MS can start a new stat: who's the leader in "commercial" (non-free) servers. That can go on forever...
  • No new versions since 2.0.55 and 2.2.0. Known vulnerabilities in 2.0.55 with no production version fix. 2.2.0 doesn't support Cold Fusion.
