
"Since it's running on java, you probably don't want to expose this server to the internet"

Are the latest versions of Tomcat/Jetty/etc. really known for having major security holes? More so than Apache/nginx/etc.?

Maybe you are confusing the recent Java applets security issue with Java in general. Java has got to be one of the most well-funded and developed technologies out there, due to people's reliance on it in enterprise.

People also don't normally run their Java web server as root, which adds a bit more security. If there is something about Java security that makes you so worried, I would love to hear about it, as it will probably be news to me.




Some of the exploits that target applets also affect running servers. Tomcat or Jetty or WebLogic from two years ago are likely compromisable pretty easily.

Any web server has the same issue, and most people are more than fine if they update somewhat regularly. Whether node or rails or what have you, you need to keep updating.

My code on GitHub from two years ago is as secure now as it was then, because someone else has taken on the onus of playing security-update whack-a-mole for me. That's all I meant; I didn't mean to imply Java was less secure by default than any other thing listening for connections on the internet.


"Some of the exploits that target applets also affect running servers."

This would make sense. It's the same reason why PHP makes Apache or nginx insecure. They are front-facing and have access to the OS filesystem and such.

"I didn't mean to imply Java was less secure by default"

Okay gotcha. I work with Java quite a bit and was confused by your statement as I thought I missed some major security news.



