Hiawatha 7.0 has been released! With this version, you can monitor multiple instances of the webserver from a central place. This makes Hiawatha more suitable for large-scale deployments and enterprise solutions.
There are two features, for which I often receive a request, which I would like to discuss with you. One is on-the-fly gzip content encoding and the other is Server Name Indication, which makes it possible to use multiple SSL certificates on one binding.
First, on-the-fly gzip content encoding. The main problem with this one is that it requires Hiawatha to completely buffer the output of an HTTP request. Buffering the output in memory will cause memory problems for busy websites with large files or CGIs that generate large output. Buffering the output to disk will make it significantly slower. For me, both options are unacceptable.
Most users of Hiawatha, including me, use PHP. PHP has support for automatically gzipping the output. Images are hard to compress and CSS files are mostly small and therefore not much is gained by compressing those. For all these reasons, I have decided not to implement on-the-fly gzip content encoding support.
Second is Server Name Indication, or SNI. I really would like to implement this one, but the OpenSSL documentation is incomplete and horrible. I've tried to understand how SNI works in OpenSSL, but wasn't able to figure it out. If any OpenSSL expert out there can explain it to me, I will try again. But until then, I'm not going to waste any more time on this one.
My guess is that IPv6, which will make SNI obsolete because every machine will have more than enough IP addresses, will become more mainstream before OpenSSL has some proper documentation.
Regarding the hashes, you are wrong about that. Changing the file during simple FTP/HTTP downloading might be easy. Changing the published hash key during opening of your SSL encrypted homepage is very hard unless there is a security issue with your webserver :-)
About the hashes: you are wrong. An SSL connection might prevent other people from changing the content, but what certainty do you have about the end-point? How do you know you are communicating with the webserver of the Hiawatha website and not with a man-in-the-middle?
Whether Hiawatha is safe and secure enough is totally up to you to decide. No PGP, hash or SSL connection can do that for you.