Fair Use: Please note that use of the Netcraft Blog is subject to our Fair Use and Copyright policies. For more information, please visit http://news.netcraft.com/fair-use-copyright, or email info@netcraft.com.

  1. PayPal XSS Vulnerability Undermines EV SSL Security

    A security researcher in Finland has discovered a cross-site scripting vulnerability on paypal.com that would allow hackers to carry out highly plausible attacks, adding their own content to the site and stealing credentials from users.

    The vulnerability is made worse by the fact that the affected page uses an Extended Validation SSL certificate, which causes the browser's address bar to turn green, assuring visitors that the site – and its content – belongs to PayPal. Two years ago, a similar vulnerability was discovered on a different page of the PayPal site, which also used an SSL certificate.

    PayPal XSS EV SSL Certificate
    "Is it safe?" - a message injected on the PayPal website today

    Harry Sintonen discovered the vulnerability and announced it to other web application security specialists in an Internet Relay Chat (IRC) channel today. Sintonen told Netcraft that the issue was critical, adding that, "you could easily steal credentials," and, "PayPal says you can trust the URL if it begins with https://www.paypal.com," which is not true in this case.

    While SSL certificates do indeed provide a higher level of assurance when it comes to site ownership, they cannot guarantee that a site is free from other security problems – including cross-site scripting. There are concerns that hackers may exploit misunderstandings in the significance of the green address bar for their own benefit, piggybacking off the trust that is instilled by EV certificates. Users need to be aware that a green address bar does not guarantee the origin of a page's contents if there is a cross-site scripting vulnerability on that page.

    The vulnerability comes to light only a month after PayPal published a practical approach to managing phishing on their blog, which extols the use of Extended Validation certificates in preventing phishing. The document describes browsers that do not support EV certificates as "unsafe" and announces the company's plans to block customers from accessing their website from the most unsafe browsers.

    PayPal was one of the first companies to adopt EV certificates and the company says it has seen noticeably lower abandonment rates on signup flows for Internet Explorer 7 users versus other browsers. According to the document, PayPal believe this correlates closely to user interface changes triggered by their use of EV certificates.

    Posted by Paul Mutton on 16th May, 2008 in Security Share

  2. May 2008 Web Server Survey

    In the May 2008 survey we received responses from 168,408,112 sites.

    The total number of sites has increased by 2.7 million, with 554 thousand new sites being hosted by the Dutch company XL Internet Services. Similar growth is seen at Akamai, a web content and application delivery company, where 531 thousand new sites have appeared.

    The GNR web server climbs to 15th place after gaining 212 thousand sites this month. GNR is operated by Global Name Registry, which is the licence operator of the .name global top level domain that was launched in 2002. The .name gTLD is intended to be used by individuals, and most of the site addresses being served by the GNR web server use the format www.firstname.lastname.name.

    Nearly all of the .name sites being hosted by Global Name Registry are served from the same IP address, and many of them use a frameset to present content from Facebook's website, showing limited public profiles for Facebook users with the same name.

    Total Sites Across All Domains August 1995 - May 2008

    Total Sites Across All Domains, August 1995 - May 2008

    Market Share for Top Servers Across All Domains August 1995 - May 2008

    Graph of market share for top servers across all domains, August 1995 - May 2008

    Top Developers
    DeveloperApril 2008PercentMay 2008PercentChange
    Apache83,554,63850.42%83,746,83749.73%-0.69
    Microsoft58,547,35535.33%58,991,10635.03%-0.30
    Google10,079,3336.08%10,127,9566.01%-0.07
    lighttpd1,495,3080.90%1,523,1480.90%0.00
    Sun547,8730.33%545,6510.32%-0.01

    (more...)

    Posted by Netcraft on 6th May, 2008 in Web Server Survey Share

  3. NaviSite is the Most Reliable Hosting Company Site in April 2008

    Ranking by Failed Requests and Connection time,
    April 1st – 30th 2008

    performance_april2008.png

    NaviSite is the most reliable hosting company site for April 2008.

    NaviSite was incorporated in 1998 and provides application solutions and hosting services using its web infrastructure platforms in 18 data centers. The company recently announced an alliance with Intel Corporation to offer a suite of managed services through Intel's value added reseller community.

    NaviSite's performance is followed by DataPipe, which made 11 appearances in the top ten last year. Last month's most reliable hosting company site, INetU, appears in third place this month.

    Three of April's top ten hosting companies, including NaviSite, run Linux on their main sites, while another three use FreeBSD. One company uses Windows Server 2003.

    (more...)

    Posted by Paul Mutton on 2nd May, 2008 in Performance Share