[Info-vax] Using VMS for a web server

[lists at openmailbox.org]

On Mon, 08 Jun 2015 15:59:43 +0200
Dirk Munk via Info-vax <info-vax at rbnsn.com> wrote:

> Jan-Erik Soderholm wrote:
> 
> >>
> >> What happened to "the right tool for the job".  Just what is it about
> >> VMS that makes it a better choice for running a webserver than one of
> >> the existing Unix options?
> >
> > It is "better" if the source data already is on VMS.
> > In no other case is VMS "better" as an web server.
> > Noone would get a VMS system *only* to run a web server...
> 
> Depends on your needs and wishes. I still remember the competition where 
> hackers were invited to hack a VMS system, and they didn't succeed.
> 
> VMS web servers are unknown, and that in itself is a safety advantage.

It is an unknown on VAX, Alpha, and Itanium. As soon as VMS runs on Intel
and uses an Apache port it's essentially no longer VMS.

Running on a less common architecture is in itself a fairly effective means
of security by obscurity. But since most of the attacks now focus on open
source vulnerabilities and AlL YoUR OS bELoNg 2US with everybody running
parts of a small subset of crapware (Apache/PHP/MYSQL/BrokenSSL) on the
same crapware hardware platform, using VMS as a webserver in the future is
probably not going to add any value except as you say if you have the data
there already (and don't care about it that much.)

Most exploits start out in C code that has buffer overruns or does other
stupid programming tricks. A lot of (most?) exploits are in web-facing
stuff like PHP, bash CGI scripts, and various SQL servers. It remains to be
seen how far you could get on VMS with all that junk ported to VMS running
on Intel but even if you could only get as far as the database you could
still do a lot of damage without having any VMS-specific exploit code at
all.

-- 
Please DO NOT COPY ME on mailing list replies. I read the mailing list.
RSA 4096 fingerprint 7940 3F02 16D3 AFEE F2F8  ACAA 557C 4B36 98E4 4D49