[good] Re: [Mono-list] ASP.NET - usability/robustness/safety

ted leslie tleslie@tcn.net
Sun, 25 Jul 2004 22:02:03 -0400


Based on the exploits I have seen on MS-SQL of recent, etc, nothing is
going to be safe really,
if you really want safe, submit the CC# through a Java App. (or Flash)
that will encrypt them, and therefore they never sit anywhere in the
"publicly accessible" side of your system in readable form.
Since Mono isn't likely as much of a "target" ? it might even be safer.
For the part of your site that accepts CC#, you could always just do
that part SSL to Perl/C cgi script (if that is more "proven" to you)...
I have made a site with primarily Mono but threw a bit of Perl in
(both having Postgres access).

-tl


Ron Afloh wrote:

>How would you feel though about running a site  w/
>mono/apache/linux/aspx though that takes credit card
>transactions and stores credit card #'s in a backend
>mySQL database?
>
>Because the mono mod plugin for Apache is fairly new
>code (as is the entire mono code base), would people
>consider this to be too risky?  Would there be too
>many discovered holes that could compromise my system
>and the credit card #'s on the backend?
>
>This is not to knock the plugin or mono by saying it's
>immature, obviously there has been an incredible
>amount of progress that has been made very very
>quickly and lots of blood/sweat/tears, but I wonder if
>using it for commercial backend that holds
>confidential personal financial information would be
>unwise at this point.
>
>Thanks for all feedback -
>Ron
>
>
>--- ted leslie <tleslie@tcn.net> wrote:
>  
>
>>Ron Afloh wrote:
>>
>>>I had a few questions about ASP.NET as supported by
>>>mono and apache.  In short, I'm considering using it
>>>to write a commercial webpage and wanted to get
>>>feedback from you guys on how good/bad of an idea this
>>>is.
>>>
>>>1) Is the ASP.NET mono sections + apache plugin "ready
>>>for primetime" -- i.e., has this stuff been "load"
>>>tested, is the security there, can it scale to handle
>>>a fairly large website?
>>>
>>>2) Are any other non-hobby sites using mono's asp.net
>>>implementation?
>>>
>>I used it for the Toronto NXNE music festival web site (the venue
>>schedule and music listing part),
>>it got hit at a pace of about 50,000 page hits (in its busiest
>>period) / day. About 2000 unique visitors per day.
>>Infrequently, the mod_mono process would constantly take some cpu
>>time (even when no hits) and the pages would not serve up,
>>an early-morning cron to restart mod_mono/apache kept it reliable,
>>but I am also using a 4+ month old version of Mono.
>>No other problems except above have been noticed. I'd hope the new
>>version doesn't have this issue.
>>
>>>3) If the asp.net stuff is not ready for full blown
>>>commercial websites....  any ideas on when that level
>>>of robustness/security/load-handling will be there?
>>>
>>>4) From what I've read, ASP.NET is not covered under
>>>ECMA specs and therefore is not as legally safe from
>>>lawsuit from MS as the compiler/JIT/corelibs are.  So
>>>would it be stupid to risk using mono's ASP.NET
>>>implementation for a commercial venture -- i.e., too
>>>risky legally?
>>>
>>In our projects, some of the programmers develop in the MS .Net
>>Visual Studio
>>and test on their IIS and with a Postgres DB running on a Linux box,
>>then they simply load it on to the Linux server as they finish it,
>>so it works on the MS environment
>>to begin with then dropped into Linux. If MS flexes some muscles at
>>a later time, worst case, it gets hosted on a MS box,
>>but I think that's unlikely, and if it got to that point, MS would
>>probably have a .NET product for Linux.
>>So to be safe, you might want to make sure what you create runs on
>>both systems (as you create it).
>>There is no IDE for Mono yet (monodevelop doesn't have a html
>>layout - integrate components to DB fields - etc), so
>>you probably will end up using MS Visual studio anyways, so you know
>>it will work on MS, you'll just deploy
>>on Linux to save on the OS cost (perhaps the DB cost), and of course
>>reduce all the time wasted in installing virus defs, service patches,
>>and fighting blue screens ......
>>At this time we have had to avoid (to be functional on both
>>platforms), Server.Transfer (use Response.Redirect), and turning off
>>components,
>>and thus setting Validation for them to "false" also is buggy, other
>>than these two issues, so far, all we create works between the two
>>environments.
>>
>>>I did read the FAQ and searched the last few months of
>>>postings and didn't really see anything that answered
>>>all of these -- hopefully I didn't miss anything too
>>>obvious :)   I'm also aware that some of these
>>>questions are not black and white and may not have an
>>>answer at all -- regardless, I appreciate everyone's
>>>input and suggestions.
>>>
>>>Cheers -
>>>Ron
>>>
>>>_______________________________________________
>>>Mono-list maillist  -  Mono-list@lists.ximian.com
>>>http://lists.ximian.com/mailman/listinfo/mono-list
>