nCircle.com >> 360 Security >> VERT


October 2009 Archives

October 5, 2009

Obsolete Software

Something came up recently that prompted some discussion around the office: what constitutes obsolete software? Does it mean a version of software that is no longer shipping, or is it simply software that is no longer maintained? That only prompted further discussion around the term "maintained" and how it is defined. Is software maintained if the vendor ships an update every 2-3 years and doesn't include patches in the interim?

It started to make me wonder and think about my own usage habits. I like to know the people I'm doing business with are secure, so if I could require every website to perform a full audit before I visit it, I would. Since that isn't possible, I like to know that they've taken reasonable steps to ensure security. Running the latest version of a piece of software, with security patches applied in a timely manner, is usually a pretty good start.

Then I started thinking about the software that had started this conversation (Apache httpd). There are three main branches of Apache available right now: 1.3, 2.0, and 2.2. Apache 2.2 is the latest branch and the one that receives the most updates; in fact, Apache 1.3 and 2.0 haven't had a release in 21 months. So does that mean 1.3 and 2.0 are obsolete? I guess that depends on how you define obsolete.

I suppose it's possible to see another release from either branch (after all, 2.0.64-dev has a fix for a vulnerability, which must mean a 2.0.64 stable release is coming eventually). So technically, I suppose they aren't obsolete. Now let's look at this from a security standpoint. 1.3 and 2.0 are old software, they haven't been updated in quite some time, and they have known security issues. Why would you want to continue to use them? Would I, as your customer, feel comfortable if you were using them? Probably not. I might be able to justify 2.0, but there's no way I'm going to feel comfortable with a web server running 1.3. So in my mind, from a security standpoint, these are obsolete.

So which standpoint is correct, the technical one or the security one? That's an easy answer... it's the technical one... after all, it's technically correct. Yet which one is right (which is very different from being correct)? My opinion is that the security definition of obsolete is the right one. So let's cast away 1.3 and 2.0 as obsolete and move on to the newer, more secure software.

I started to browse the Apache website and noticed they use the word 'legacy' a lot... it doesn't mean obsolete, but it kind of reminds me of it. I also noticed some lines in the release announcements for the most recent versions of 1.3 and 2.0 that really made me wonder:


"Apache 1.3.41 is the current stable release of the Apache 1.3 family. We strongly
recommend that users of all earlier versions, including 1.3 family release, upgrade
to the current 2.2 version as soon as possible." -- http://www.apache.org/dist/httpd/Announcement1.3.html

"We consider Apache 2.2 to be the best available version at the time of this release.
We offer Apache 2.0.63 as the best legacy version of Apache 2.0 available. Users
should first consider upgrading to the current release of Apache 2.2 instead." --
http://www.apache.org/dist/httpd/Announcement2.0.html


So, if the Apache Software Foundation is recommending you upgrade to 2.2, wouldn't you conclude that even they consider their software obsolete and that they are keeping it around for one-off situations? I sure would.
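The security definition of obsolete above can be turned into a check. The following is an added example, not code from the original post or from the Apache project: it parses the `Server` header an httpd sends back and classifies the branch using only what the page states, that 1.3.41 and 2.0.63 are the last releases of the legacy branches and that 2.2 is the current one. The post gives no 2.2 version number, so the acceptable 2.2 level is an assumed parameter the caller supplies. The sample headers are constructed for illustration, not captured from real hosts.

```python
import re
from typing import Optional, Tuple

# Last releases of the legacy branches, as stated in the ASF announcements
# quoted above (both shipped January 2008).
LEGACY_LATEST = {(1, 3): (1, 3, 41), (2, 0): (2, 0, 63)}
CURRENT_BRANCH = (2, 2)

# Matches the product token httpd emits. Depending on ServerTokens you may see
# "Apache", "Apache/2", "Apache/2.2", "Apache/2.2.14" or "Apache/2.0.64-dev".
# The lookahead keeps "Apache-Coyote/1.1" (Tomcat) from matching as httpd.
_BANNER = re.compile(r"\bApache(?![\w-])(?:/(\d+)(?:\.(\d+))?(?:\.(\d+))?(-dev)?)?")


def parse_apache_banner(server_header: str) -> Optional[Tuple]:
    """Return (major, minor, patch, is_dev), with None for parts the banner
    omits, or None when the header is not an Apache httpd banner at all."""
    m = _BANNER.search(server_header)
    if not m:
        return None
    major, minor, patch, dev = m.groups()
    to_int = lambda s: int(s) if s is not None else None
    return (to_int(major), to_int(minor), to_int(patch), dev is not None)


def classify_apache(server_header: str, current_latest: Optional[str] = None) -> str:
    """Classify an httpd banner by the security-minded definition of obsolete.

    current_latest is an assumed input: the newest 2.2 release you are willing
    to accept, e.g. "2.2.14". None means do not judge the 2.2 patch level.

    Possible results:
      not-apache       header is not an Apache httpd banner
      version-hidden   ServerTokens Prod/Major: branch not exposed
      legacy           1.3 or 2.0 branch, patch level not exposed
      legacy-latest    1.3 or 2.0 at (or past) the last release the ASF shipped
      legacy-outdated  1.3 or 2.0 below that last release
      current          2.2 branch, at or above current_latest (or not checked)
      current-outdated 2.2 branch below current_latest
      unknown-branch   some other major.minor (e.g. a development branch)
    """
    parsed = parse_apache_banner(server_header)
    if parsed is None:
        return "not-apache"
    major, minor, patch, _is_dev = parsed
    if major is None or minor is None:
        return "version-hidden"
    branch = (major, minor)
    if branch in LEGACY_LATEST:
        if patch is None:
            return "legacy"
        # Tuple comparison orders (major, minor, patch) numerically, so
        # 2.0.64-dev sorts above 2.0.63 as it should.
        return "legacy-latest" if (major, minor, patch) >= LEGACY_LATEST[branch] else "legacy-outdated"
    if branch == CURRENT_BRANCH:
        if patch is None or current_latest is None:
            return "current"
        latest = tuple(int(x) for x in current_latest.split("."))
        return "current" if (major, minor, patch) >= latest else "current-outdated"
    return "unknown-branch"


# Constructed sample banners (not real scan data) covering the cases above.
SAMPLE_HEADERS = [
    "Apache/1.3.41 (Unix) mod_ssl/2.8.31",
    "Apache/1.3.37 (Unix) mod_ssl/2.8.28",
    "Apache/2.0.63 (Unix)",
    "Apache/2.0.64-dev",
    "Apache/2.2.9 (Debian)",
    "Apache",
    "Apache-Coyote/1.1",
    "nginx/0.7.62",
]


def audit(headers, current_latest: Optional[str] = None) -> dict:
    """Map each Server header to its classification."""
    return {h: classify_apache(h, current_latest) for h in headers}


if __name__ == "__main__":
    for header, status in audit(SAMPLE_HEADERS).items():
        print(f"{status:17} {header}")
```

Treat the result as a triage signal, not proof. Distributions routinely backport security fixes while keeping the upstream version string, `ServerTokens Prod` hides the version entirely, and a reverse proxy or a module can rewrite the header; confirm against the vendor's package changelog before calling a host obsolete.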

Anyway, back to my point. Much like the point in my last post, this is about user confidence. The more confident your users are in your service offering, the more likely they are to be OK with using your website. A lot of people are still afraid of the internet, and even more are afraid of online transactions. We could ease a lot of their fears if websites would maintain their software and install the latest security fixes.

This page contains all entries posted to VERT in October 2009. They are listed from oldest to newest.