LulzSec fuels growth at CloudFlare

Nine months after its launch, content distribution network CloudFlare is now used by more than 40 thousand sites in Netcraft's web server survey. The company announced its public beta at TechCrunch Disrupt in September 2010, where it came in as a close runner-up. Despite not winning, CEO Matthew Prince later described how Disrupt brought his team together and resulted in an increase in signups without having to carry out any additional PR or marketing.

CloudFlare also gained customers after recent praise from LulzSec, who use the service to run their website at lulzsecurity.com. LulzSec have accrued more than 200 thousand followers on Twitter as a result of their attacks against high-profile targets such as Sony, Fox, PBS and the X Factor.

When a website uses CloudFlare, client requests are made to a global network of edge nodes rather than to the website itself. This can increase performance, particularly when an edge node is located somewhere that can respond faster than the website's original hosting location.

By monitoring site traffic, CloudFlare can also offer some protection against denial of service attacks. When malicious traffic is detected, it can be automatically blocked at the edge nodes, before the traffic hits the website. Matthew Prince reported some DDoS attacks against CloudFlare yesterday, but noted that the service had not been impacted.

However, AnonNews was a prominent user of CloudFlare until the service was disabled after a DDoS attack affected the CloudFlare network. With traffic now routed directly to the server hosting anonnews.org, the site has seemingly been unable to withstand the current series of attacks against it. The domain is registered to Sven Slootweg, who told Netcraft, "They had to turn it off on my domain for the past few days because of a really large DDoS attack." He added, "It apparently seriously affected their network. There is one or more Turkish patriot hacker groups constantly attacking AnonNews."

Nonetheless, CloudFlare's growth is continuing at a strong rate. The accessibility and cost of the service are undoubtedly playing a large part in this success – no contracts are required, and users can either sign up for free, or pay only $20 per month for a Pro account which offers better performance, advanced security protection and real-time stats. CloudFlare will also be offering an enterprise service soon.

AffirmTrust enters the SSL market with free certificates

A new SSL certificate authority may be set to shake up the market by offering free 3 year domain validated certificates. AffirmTrust announced its entry into the SSL market yesterday, with an interesting mission statement:

"To give away as many free certificates as possible because we can - also it is just a lot of fun. We want to move an industry forward making security more available to every legitimate merchant on the Internet. AffirmTrust is not just a business - it's a quest to make meaningful change that benefits both merchants and consumers."

Although the company is new to the market, AffirmTrust's management team already has several years of relevant experience behind it – they were responsible for co-founding SSL company GeoTrust, which was later acquired by VeriSign in 2006 for $125 million. Today, the GeoTrust brand is owned by Symantec, which acquired VeriSign's security business last year.

AffirmTrust is not alone in giving away free SSL certificates. Eddy Nigg's StartSSL also offers free domain validated certificates, although these are only valid for a period of 1 year. Both companies also sell Extended Validation certificates, which require a more costly vetting process to ensure they are only issued to legally established businesses or organisations.

Domain validated certificates are generally the cheapest type of certificate available. This is because the issuance process can be automated to a high degree, as the applicant does not have to prove their identity – all they have to do is prove that they own (or control) the domain in question. This has no doubt played a large part in the popularity of domain validated certificates compared with Extended Validation certificates, particularly amongst low-traffic, low-revenue websites.

Despite the free alternatives, the paid-for domain validated certificate market still looks extremely healthy today: Netcraft's latest SSL Survey shows Go Daddy having the largest net growth in domain validated certificates during each of the past 4 months. With that in mind, it will be interesting to see the impact that AffirmTrust will have on the market, and whether any other companies will follow suit by offering free domain validated certificates.

PayPal.com and payment APIs hit by performance issues

www.paypal.com was unavailable to most customers for more than an hour today, with no estimated time for resolution during the outage. PayPal uses scheduled maintenance windows every Thursday and Friday from 11pm to 1am PST, but this rarely results in any noticeable downtime, and today's outage extended beyond that window.

PayPal's payments API was also unavailable, which will have affected many online retailers, including PayPal's owner, eBay. A statement from eBay at 12:52am PST said: "EBay [sic] is currently experiencing checkout problems. Community members may see errors or timeouts when attempting to pay for an item. We are working on the problem and apologize for the inconvenience."

A live status update on the PayPal X Developer Network stated that there was no alternative work-around to the problem:

The problems with the PayPal website and payment APIs were resolved at 1:23am.

Egypt back online, but some sites kept offline

Renesys earlier confirmed that Egyptian internet providers had returned to the internet just before 09:30 UTC; however, a few important sites mysteriously went back offline a short while later. www.mcit.gov.eg came online for a brief period, but then went offline again less than an hour later:

Before Egypt shut down internet access, the online collective Anonymous had been carrying out a distributed denial of service attack against this site; however, that attack did not appear to succeed at the time. Meanwhile, www.egypt.gov.eg has been online solidly since Egypt returned to the internet, whereas www.moiegypt.gov.eg has been coming and going:

This site was also attacked as part of an online protest by Anonymous, which resulted in some short outages on 26th January. A tweet from AnonymousIRC suggests that this site may be being kept offline by a second DDoS attack:

We are continuing to monitor the performance of several Egyptian sites at http://uptime.netcraft.com/perf/reports/performance/wikileaks

is.gd URL shortener suffers downtime

The popular is.gd URL shortening service was reportedly unavailable for a few hours this morning, effectively breaking thousands of shortlinks posted to Twitter and other social networking sites. During the outage, the site's public-facing load balancer responded to PING requests, but was refusing HTTP connections to port 80.

is.gd is one of the most popular URL shortening services in current use – it has shortened 334 million URLs to date, which have been accessed more than 11 billion times. The service is wholly owned by UK hosting company Memset, which hosts the site on their own servers. Since December, Memset has also provided a shorter v.gd service, but this has only attracted 61 thousand URLs so far.

Memset told Netcraft that today's fault was caused by the failure of some virtual machines in the frontend cloud, which is responsible for accepting HTTP requests from the load balancer. These have been restored and the site is now back up and running with improved monitoring processes.

is.gd is primarily maintained by its creator, Richard West, a freelance developer and technologist. Memset proudly describe it as an "ethical" URL shortener; in particular, they have pledged to support is.gd as a free service indefinitely, will never place third-party adverts on the site and claim to be one of the most proactive URL shorteners in preventing spam and misuse.

Other sites hosted by Memset, including its own main presence at memset.com, were unaffected during the is.gd outage.

Police.uk fails to cope with public demand

A new local crime and policing website for England and Wales was launched late last night at police.uk. The revamped site provides instant access to street-level crime maps and data – or at least, it did until curious members of the public woke up this morning.

In what could arguably be described as a media-driven DDoS, the new site has received a lot of publicity on the internet, radio and television today. As a result, a huge number of visitors appear to have swamped the police.uk site with traffic, causing it to break. Search results are currently returning error messages, or a blank page with a 503 Service Unavailable response header.

One response worryingly suggests there are no police in London:

The new police.uk site has been developed by advertising agency Rock Kitchen Harris, who also developed the original CrimeMapper site for all 43 English and Welsh police forces in 2009. The launch was announced today on their website, where they said:

"We not only designed, built and manage the site we also arranged the hosting using a mix of servers, with the public website using scaleable cloud hosting."

Despite the use of scaleable cloud hosting (in this case, Amazon EC2), the site does not appear to be holding out too well. Amazon's EC2 hosting service does provide a facility called Auto Scaling, which deals with traffic spikes by automatically increasing capacity, but it is not clear whether RKH have enabled this feature. WikiLeaks notably used Amazon EC2 when the Iraq War Logs and Cablegate sites went live, both of which coped well with the initial large volume of traffic.

Netcraft was unable to speak to anyone in the web team at RKH, as they are, understandably, "a bit tied up at the moment", but it was confirmed that the current problem is a result of too much traffic.