This release brings two interesting new security features:
- Ciphersuite selection based on protocol: A while ago, a vulnerability called BEAST was discovered in CBC ciphers in TLS1.0. Many experts advised using RC4 instead. However, a vulnerability was recently discovered in RC4 as well. The best solution is to switch to TLS1.1 with CBC ciphers, but that will cause problems for many users, because Firefox still doesn't support TLS1.1 and support for TLS1.1 is disabled by default in Opera and Internet Explorer.
What to do then? Many believe that RC4 is still the best choice for TLS1.0. However, using RC4 gives TLS1.1 and TLS1.2 users lower security than CBC ciphers would, while using CBC ciphers leaves TLS1.0 users vulnerable to the BEAST attack. Hiawatha has the best answer thanks to PolarSSL. Hiawatha will use RC4 for SSL3.0 and TLS1.0, CBC ciphers for TLS1.1 and GCM or CBC ciphers for TLS1.2. As far as I know, no other SSL library and therefore no other webserver can offer this solution.
- Protection against uploaded malware: Via the new FileHashes option, you can specify a list of files and the hash of their contents. Before serving a file, Hiawatha checks the hash of that file against the one in the list. If the hash doesn't match or the file is not listed, access is denied. This protects against unauthorized changing or uploading of files.
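
The FileHashes check described above, sketched as an added example that is not Hiawatha's own code. The list format (`relative/path : hex digest`), the choice of SHA-256 and all function names are assumptions, and the files are constructed samples.

```python
import hashlib
import os
import tempfile

def load_hash_list(text, webroot):
    """Parse 'relative/path : sha256-hex' lines (assumed format) into {realpath: digest}."""
    table = {}
    for line in text.splitlines():
        path, sep, digest = line.strip().rpartition(":")
        if not sep or line.lstrip().startswith("#"):
            continue  # skip blank, comment and malformed lines
        real = os.path.realpath(os.path.join(webroot, path.strip()))
        table[real] = digest.strip().lower()
    return table

def sha256_file(path):
    """Hash the file in chunks so large files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def may_serve(path, table):
    """True only if the file is listed AND its current contents match the recorded hash."""
    real = os.path.realpath(path)  # resolve symlinks and ../ before the lookup
    expected = table.get(real)
    if expected is None or not os.path.isfile(real):
        return False  # default deny: unlisted files are never served
    return sha256_file(real) == expected

def demo():
    """Constructed sample: a listed file, then tampering, then an unlisted upload."""
    with tempfile.TemporaryDirectory() as root:
        index = os.path.join(root, "index.html")
        with open(index, "wb") as f:
            f.write(b"<h1>hello</h1>\n")
        table = load_hash_list("index.html : " + sha256_file(index), root)
        results = {"listed": may_serve(index, table)}
        with open(index, "ab") as f:
            f.write(b"<!-- modified after the hash was recorded -->")
        results["modified"] = may_serve(index, table)
        upload = os.path.join(root, "upload.php")
        with open(upload, "wb") as f:
            f.write(b"<?php ?>")
        results["unlisted"] = may_serve(upload, table)
        return results

if __name__ == "__main__":
    print(demo())
```

A server doing this for real should hash and serve from the same open file handle, so the file cannot be swapped between the check and the response.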