Security of Linux versus Windows Web Servers

[Note - this is an archived version of the original posting from 05:00 PM EDT, Oct 05 2003]

This was a response to a message on the Cryptography mailing list, http://www.mail-archive.com/cryptography%40metzdowd.com/msg00936.html. In keeping with his recent policy, the moderator of that list, Perry Metzger, refused to publish this information, apparently because it came from an anonymous contributor.

Read the message below and see if it isn't the kind of useful, relevant information which subscribers to the list would benefit from seeing. If you agree, please ask Perry Metzger, perry@piermont.com, to stop censoring anonymous postings.

===

IanG writes:

> I haven't looked for a while, but last I looked, the #1,2,3 players > were Linux, Microsoft, FreeBSD, and only a percentage point or two > separated them. (I'm unsure of the relative orders. And this relates > to testable web server platforms, rather than all servers.) > > So, in the market for server platform OSs, is there any view as to which > are more secure, and whether that insecurity can be traced to the OS? > Or external factors such as a culture of laziness in installing patches, > or derivative vulnerability from being part of the monoculture? > > (I raise this as a research question, not expecting any answers!)

Well, you're going to get some. According to the Globe and Mail, http://www.globetechnology.com/servlet/story/RTGAM.20030911.gtlinuxsep11/BNStory /Technology/, "During August, 67 per cent of all successful and verifiable digital attacks against on-line servers targeted Linux, followed by Microsoft Windows at 23.2 per cent. A total of 12,892 Linux on-line servers running e-business and information sites were successfully breached in that month, followed by 4,626 Windows servers."

Even the Linux apologists on slashdot at http://slashdot.org/article.pl?sid=03/09/11/1951201 had a hard time making this one go away.