15 April 2013, 18:28

This release brings two interesting new security features:

  • Ciphersuite selection based on protocol: A while ago, a vulnerability called BEAST was discovered in the CBC ciphers of TLS1.0. Many experts advised using RC4 instead. However, a vulnerability was recently also discovered in RC4. The best solution is to switch to TLS1.1 with CBC ciphers, but that will cause problems for many users because Firefox still doesn't support TLS1.1, and in Opera and Internet Explorer support for TLS1.1 is disabled by default.

    What to do then? Many believe that using RC4 is still the best choice when using TLS1.0. However, using RC4 gives TLS1.1 and TLS1.2 users lower security than they would get with CBC ciphers. But using CBC ciphers makes TLS1.0 users vulnerable to the BEAST attack. Hiawatha has the best answer, thanks to PolarSSL: Hiawatha will use RC4 for SSL3.0 and TLS1.0, CBC ciphers for TLS1.1, and GCM or CBC ciphers for TLS1.2. As far as I know, no other SSL library, and therefore no other webserver, can offer this solution.
  • Protection against uploaded malware: Via the new FileHashes option, you can specify a list of files and the hashes of their contents. Before serving a file, Hiawatha compares the hash of that file with the one in the list. If the hash doesn't match or the file is not listed, access is denied. This protects against unauthorized file modification or uploading.
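To make the FileHashes idea concrete, here is an added, standalone Python example of the same default-deny check: a hash list is loaded, and a file is served only if it is listed and its current SHA-256 digest matches. This is not Hiawatha's own code, and the list format it reads (one `<sha256 hex> <path>` per line) is an assumption made for the example, not the format of Hiawatha's hash file. The `demo()` function builds a constructed scenario in a temporary directory: one intact file, one file modified after it was hashed, and one file uploaded after the list was made.

```python
# Added example, not Hiawatha's code. Hash-list format "<sha256 hex> <path>"
# per line is an assumption for this illustration.
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path, chunk_size=65536):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def load_hash_list(text):
    """Parse '<hex digest> <path>' lines into a dict keyed by normalized path.

    Blank lines and '#' comments are skipped; a malformed entry is an error
    rather than being silently ignored, so a broken list cannot open a hole.
    """
    hashes = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)  # path may itself contain spaces
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed hash list entry on line {lineno}: {line!r}")
        digest, path = parts
        hashes[os.path.normpath(path)] = digest.lower()
    return hashes


def check_file_access(hashes, path):
    """Decide whether a file may be served.

    Returns 'ok', 'not-listed', 'missing' or 'hash-mismatch'. Anything not in
    the list is refused (default deny), which is what makes an uploaded or
    replaced file unreachable even though it is readable on disk.
    """
    expected = hashes.get(os.path.normpath(path))
    if expected is None:
        return "not-listed"
    if not os.path.isfile(path):
        return "missing"
    actual = sha256_of_file(path)
    # Constant-time comparison so the check does not leak digest prefixes.
    return "ok" if hmac.compare_digest(actual, expected) else "hash-mismatch"


def demo():
    """Constructed scenario: intact file, tampered file, unlisted upload."""
    with tempfile.TemporaryDirectory() as root:
        good = os.path.join(root, "index.html")
        tampered = os.path.join(root, "app.js")
        uploaded = os.path.join(root, "upload.php")
        with open(good, "w") as f:
            f.write("<h1>hello</h1>\n")
        with open(tampered, "w") as f:
            f.write("console.log('ok');\n")
        # The hash list is generated while the files are still trusted.
        listing = "\n".join(f"{sha256_of_file(p)} {p}" for p in (good, tampered))
        hashes = load_hash_list(listing)
        # Simulate a later unauthorized change and an unauthorized upload.
        with open(tampered, "a") as f:
            f.write("// modified after hashing\n")
        with open(uploaded, "w") as f:
            f.write("<?php echo 'not in the list'; ?>\n")
        return (
            check_file_access(hashes, good),
            check_file_access(hashes, tampered),
            check_file_access(hashes, uploaded),
        )


if __name__ == "__main__":
    print(demo())  # ('ok', 'hash-mismatch', 'not-listed')
```

The design choice worth noting is the default deny: the list is an allowlist, so the check needs no knowledge of what an attacker might upload, only of what the operator intended to publish. The cost is operational: every legitimate deployment must regenerate the list, which is exactly the property that makes it effective.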
15 April 2013, 18:56
Yet I was thinking "what more can a webserver offer?"

You are competing against yourself Hugo, appreciated!
Hugo Leisink
15 April 2013, 19:05
I've had the same thought many times.
15 April 2013, 20:27

Please update the user manual as soon as possible for the usage of "FileHashes".

Hugo Leisink
15 April 2013, 20:45
16 April 2013, 03:23
Hi Hugo,

This is making me drool o.O well done with the CBC ciphers for 1.1+ and the FileHashes is confusing me but I will RT(F)M tonight though.

Good stuff Hugo!
18 April 2013, 09:12
Excellent stuff. Thanks and keep up the good work!
Kapageridis Stavros
6 June 2013, 11:53
Cmake-2.8.11 released, should we upgrade?
Hugo Leisink
6 June 2013, 16:57
That's up to you. My advice is to stick to the version your OS is supplying.
11 June 2013, 23:30
The next version is delayed; I feel big changes in the next version.
Hugo Leisink
11 June 2013, 23:33
No, just out of ideas.
12 June 2013, 23:31
It's no wonder. There is no other project as brilliant as Hiawatha.
While all the others have to fight with bugs and find solutions, Hugo is bored, wondering what more he can cram into the clean and perfectly working Hiawatha. Because Hiawatha works like a Rolex.
Thank you bro, this proves once again what a great programmer you are. I'm a big fan of your work.
Hugo Leisink
12 June 2013, 23:33
Kapageridis Stavros
13 June 2013, 14:17
A GUI for administration of Hiawatha would be great.
13 June 2013, 15:14
haha... and what about Hiawatha OS?
Hugo Leisink
13 June 2013, 15:22
A GUI? You mean like the one Cherokee has? No, sorry. That will cost a lot of work and won't improve anything.
13 June 2013, 21:33
Exactly Hugo, and I also want to note that there is no webserver whose configuration is as simple as Hiawatha's. It's so f... easy, it couldn't be easier.
But you can write a shell script if you want to configure multiple vhosts. It's not so hard.
26 June 2013, 20:23
Hi Hugo!
The internally stored hashes for files to be downloaded look like a very nice extra layer of security.
Thanks a lot!