Hiawatha webserver to stop development
Everything that has a beginning, has an ending. In 2002, the Hiawatha webserver was born. It started as a small hobby project with no serious intentions. But in the years that followed, it grew to a mature webserver with unique and proven security features. Unfortunately, lack of interest in this project has always been a seamy side. Many times, I wondered whether I should keep going on with the project or not, but somehow I always found a reason to continue. But not this time. Recently, a serious issue was found in the Hiawatha webserver and the fact that I didn't care much, made me realize that it's time to stop.
Does this mean that the Hiawatha webserver will cease to exist? No. I still use it myself a lot and I will continue to do so in the future. I will make new releases available via this website and GitLab, but don't expect any more fancy. The most important change is that I will stop seeing and promoting it as an alternative webserver. For the time being, this website will remain online, but I will make the forum read-only. The contact form will be removed, I won't send any more newsletters (I will remove all e-mail addresses soon) and I will no longer be available for support questions about the Hiawatha webserver. Security-related issues can still be reported, of course.
The most important reason for this is that my spare time is limited and I'd rather spend it doing other things than developing a webserver. I recently bought an electric guitar and much of my spare time now goes to playing music. And for quite some time, I found a more interesting challenge in organisational security-related subjects and privacy-related subjects than in technical security-related subjects. For the last 6 years, I developed a methodology for performing a risk analysis for information security (in Dutch) and for the last few months, that project is suddenly going very well. It's getting a lot of attention in the Netherlands. And with a friend, I started a weblog about privacy (also in Dutch). And that simply covers most of my spare time.
So, can you continue using the Hiawatha webserver? Well, that depends on what you want from a webserver. Clearly, Hiawatha will never support HTTP/2 or HTTP/3. If you're fine with that and Hiawatha serves your needs, you can continue using it. To be clear: I won't stop developing Hiawatha. But new features will be based on what I need, not on what is needed for a webserver in general.
I now come to the end of my, probably, final message at the Hiawatha weblog. While typing this message, I realize that it's still a serious step for me. But I think it's the right one. Thanks to all who have supported me and this project (you know who you are). Hopefully, Hiawatha will serve you well for as long as possible, but I won't blame you if you switch to another webserver. Thanks and stay safe!
Comments
Never heard of it, but seems a cool story.
All the best to the developer. Maybe someone can pick up from where he is leaving.
Sad. Hiawatha was one of the very few http servers that really care about security. Unfortunately it completely overlooked http/2 and is also largely thread based.
But still: some final appreciation and a warm good-bye.
it was the safest webserver
Of course it has to go...
.
.
.
I don't remember there being any serious exploits or anything during Hiawatha's development until that security issue was found and not long after that Hugo decided to stop working on Hiawatha.
It really is/was an awesome webserver and I'm really sad to see that he has decided to stop working on it.
It was too good.
He got an offer he couldn't refuse.
It has always looked like an interesting web server.
Unfortunately, it's not officially packaged by many distributions, which probably has had the effect of limiting its adoption/popularity. For example, as far as I know, it has never been officially packaged by Debian or Ubuntu or Fedora. Am not sure why it hasn't been, but I suspect that the fact that it uses mbed TLS (as opposed to OpenSSL) may be part of the reason.
It's not exactly official but a guy named Chris kept a Debian repo with Hiawatha Debian packages and it was advertised through the Hiawatha forums (plus he had a great guide on setting Hiawatha up to serve WordPress and all that). I used it for a couple of WordPress sites and I really liked it and the configuration was easy along with performance being really good.
I used Hiawatha for years and always loved it. I was really sad when I heard the news... I understand Hugo and his decision. But I think that Hiawatha never got the recognition that it deserved. It's a pity.
Yeah, I know about the unofficial Debian package.
There's a list of unofficial packages, https://www.hiawatha-webserver.org/download , but for some reason Hiawatha hasn't really been officially picked up by major distributions (compare with Lighttpd, which has been much more so).
Yes, the absence of packages for many distros may have kept the click-click (apt-get/yum/pkg ...) crowd away but frankly, building hiawatha was an easy trouble-free no-brainer, so I don't think that caused a lot of missed users.
mbedTLS has a quite good reputation, much better than OpenSSL anyway, so I don't think that was the cause either.
Wildly guessing I think the killer factor was http/s, that and a not that major issue, with the latter being more of a kind of trigger. When that came up and looking at the massive work to make hiawatha http/2 capable, Hugo probably saw that at this point in his life he wasn't ready to invest that amount of work and that he'd rather focus his energy on something else (also security related). Also keep in mind that http/3 is around the corner ...
And, let's be honest: hiawatha wasn't a big success - as in "millions and millions using it" - for a reason: most people just don't care enough about security. Installing some "make your server more secure!" package (click-click) yes, but seriously scanning what's available, picking something outside the big 2 or 3, and learning something new and investing some work, nope.
The lack of support for HTTP/2 is very possibly Hugo's main reason for deciding to stop his work on Hiawatha, but I'm not sure that this would explain why the major distributions haven't officially packaged Hiawatha. If we take Lighttpd, which is packaged and is reasonably popular, note that it doesn't yet support HTTP/2.
For the distributions, I'm still inclined to think that the different SSL/TLS base plays a significant role, but it's probably not the whole story.