PWS--some operational questions

Bruce O'Neel beoneel at mindspring.com
Sun Jun 20 14:24:09 UTC 1999


Hi,
  I've added the PWS mailing list because you may get more info there.

>If I were to run PWS as a webserver on the Internet, I would want the 
>following basic information:
>
>1. load-testing data--any available?

I think it's pretty good, though the GA Tech folks seem to have problems 
with it spinning in a tight loop once in a while.  This problem, as I 
recall, is related to uploads to the server.

>
>2. major security liabilities--is there anything inherent in either 
>the PWS code, or any other Squeak code in the base system which would 
>provide hackers with opportunities for sabotage, either of the running 
>image or the underlying OS?

You aren't going to run a swiki, right? :-)

If you pick a mac and run no other services on it then it's probably 
pretty secure.  You probably can get similar security on a unix or linux 
box (think OpenBSD here for better security), just don't run ANY other 
services, i.e., no ftpd, telnetd, sendmail, etc.  I don't know enough about 
win9x/nt to say anything.

PWS by itself is pretty clean.  It doesn't look like there would be many 
ways to break it, and the code is quite simple so you could fix ones you 
found.  Just by its nature it skips most of the things which kill 
security on "normal" web servers.  I.e., no perl cgi script bugs where you 
aren't running in taint mode, no (few?) buffer overruns, etc.

>
>3. Support for security layer (SSL or other)?

I don't think there is any support.  I'd looked into writing this, but, 
US expat that I am, I run into legal hassles pretty quickly...  If 
someone living in a crypto friendly country wants to take a shot at this 
it would be nice.

>
>I bring these issues up because I assume that in offering PWS and 
>associated sw,  the development team wishes it to be used in the real 
>world. One aspect of the real world (i.e., the Internet), is the very 
>real danger of losing one's data and/or system to malicious 
>individuals. 

One advantage to PWS, beyond all of the built in ones, over other web 
servers is that someone breaking in has to be really interested in 
breaking YOUR server, since, by virtue of it being uncommon means that 
most of the ways they know to break in.  If they just want to break a 
site they'll move on to another one because this is so odd.

cheers

bruce

>
>Knowing a bit about the current status of PWS, I realize that (3) is 
>not yet a reality. Any plans?
>
>Thanks for any info/thoughts.
>
>dusty





More information about the Squeak-dev mailing list