Thousands short-changed by EV certificates that don’t display correctly in Chrome

Certificate authorities have sold thousands of Extended Validation (EV) certificates that do not display correctly in Google Chrome. Over 10,000 EV certificates (5% of all EV certificates) fail to receive the green EV indicator in the latest desktop version of Google Chrome.

Certificate authorities market EV, and justify its cost, by highlighting the increased trust instilled by the green bar containing the company's name. Without the green EV bar, visitors will struggle to distinguish a $1,000 EV certificate from a $10 domain-validated certificate.

The lack of an EV indicator for these certificates reflects Google's policy requiring EV certificates to be delivered with Certificate Transparency information. Given Chrome's significant market share, up to half of an affected site's visitors may see no EV indicator. Most CAs have sold this type of flawed EV certificate; however, the extent to which each CA's certificates are affected varies significantly.


The Lloyds Bank login page, as viewed in Chrome 44 (above) and Firefox (below). The SSL certificate, issued by Symantec in June 2015, fails to receive the green EV indicator in Chrome.

Advertising

Certificate marketing page advertising the "green bar" indication.


Almost universally, CAs advertise their EV products as (unconditionally) triggering browsers' green bars:

Such advertising underlines one of the primary reasons to purchase an EV certificate over a cheaper option — the green bar that is visible in the address bar.

This additional assurance comes at a price: EV certificates command a significant premium over the cheapest type of certificate. For example, Symantec's EV certificates cost $995 per year, almost $600 more than its cheapest directly advertised option. If you include its other brands, a Symantec DV certificate can be had for $10.95 per year.

Extended Validation


PayPal's EV certificate in Google Chrome. The address bar features a green indicator, and also displays the company name and location (highlighted in red). The presence of valid Certificate Transparency information is indicated (highlighted in blue).

The guidelines for issuing Extended Validation certificates were first published by the CA/Browser Forum in June 2007, motivated by the lack of a well-defined standard for high-assurance identity verification. As well as validating control over the requested domain names, CAs identify the requesting organisation. Major browsers typically display the validated organisation's name in a green box in the address bar. The cheapest type of certificate, domain-validated, does not include this additional information and does not trigger the green box.

Merely issuing a certificate following the EV guidelines is not sufficient for the certificate to trigger the browser's special treatment: the CA's root certificate must be embedded in the browser; the CA must be specifically approved to issue EV certificates; and the certificate must conform to any additional policies set by the browser. Certificate authorities are periodically audited against these requirements, and are required to publish audit statements, though many audited CAs still issue non-compliant certificates.

All major browser vendors are members of the CA/Browser Forum that defines the EV guidelines, and most maintain an independent CA inclusion policy that can be more or less strict than the published minimum requirements. For example, Mozilla, Google, Microsoft, and Apple maintain separate EV policies and CAs must apply to each individually to obtain EV treatment in their browser.

Certificate Transparency

Google has recently added the additional condition that in order to be treated as EV in Chrome, the certificate must be present in a Certificate Transparency log and be bundled with a timestamp (an SCT) signed by the log. This policy for EV certificates is intended to be a trial run for requiring Certificate Transparency for all certificates.

Certificate Transparency is motivated by incidents like DigiNotar, mis-issuance from CNNIC, TURKTRUST, ANSSI, and TrustWave's issuance of a MiTM certificate. By requiring newly issued certificates to be logged in publicly-auditable databases, Google hopes to make it easy to monitor domains for rogue certificates, and to enable regular and post-incident analysis of CA issuance practices.

The signed timestamps (SCTs) can be delivered to the browser in three ways: embedded in the certificate itself, delivered via a stapled OCSP response, or included in a custom TLS extension by the web server. Only the first option is currently practical according to Google as it does not require the certificate holder to update their server software. The second option requires support from the CA in its OCSP responder software, and the client must enable OCSP stapling. Almost three-quarters of all SSL certificates were delivered without a stapled OCSP response in the August 2015 Netcraft SSL Server Survey. The TLS extension, on the other hand, does not require CA support at all, but server-side support is not yet widely available.

Chrome's policy only applies to EV certificates issued after 1st January 2015. At the start of 2015, Google produced a whitelist of existing EV certificates: certificates were included if they were present in at least one qualifying CT log and didn’t otherwise already comply. EV certificates that are not included in the whitelist must comply with the new policy. While it is possible for pre-2015 non-whitelisted certificates to comply — using a stapled OCSP response or in the TLS extension — it is not trivial to configure.

Netcraft's Site Report tool can be used to inspect the SCTs (if any) presented by a given website and whether or not the certificate is present in Google's whitelist.

Widespread failures


DigiCert includes its recently acquired roots that previously belonged to Verizon Business.

Many CAs have issued EV certificates that do not meet Google's requirements, which has resulted in over 10,000 certificates not receiving the EV indicator in the current version of Chrome. Of these certificates, 42% were issued after 1st January 2015, whilst the remaining 58% were issued pre-2015 but are missing from the whitelist and do not otherwise qualify.

EV    Notes
Yes   Normal EV display in Google Chrome
No    Normal non-EV display in Google Chrome

Expected behaviour for SSL certificate display in Google Chrome's address bar.

Certificate Authority   EV    Issued        Notes
Symantec                Yes   Jun 29 2015   No SCTs received
DigiCert (Verizon)      Yes   Mar 16 2015   No SCTs received
DigiCert                Yes   Aug 22 2014   Not in Google's whitelist
GoDaddy                 Yes   Jun 25 2015   Too few SCTs for validity period
Entrust                 Yes   Apr 10 2015   Malformed signatures in SCTs
GlobalSign              Yes   Feb 24 2015   No SCTs received
StartCom                Yes   Jun 29 2015   No SCTs received
WoSign                  Yes   Jul 6 2015    No SCTs received

Actual behaviour of SSL certificate display in Google Chrome's address bar.
†This certificate should have been included on the whitelist; however, a bug in Google's whitelist meant it was incorrectly excluded.


A GlobalSign certificate that despite having undergone EV validation, fails to trigger the green bar in Chrome.

Whilst most CAs have issued at least some EV certificates with embedded SCTs, others have not embraced Certificate Transparency at all.

WoSign has never issued an EV certificate that contains embedded SCTs, and it does not support the second-most-prevalent method for delivering SCTs — via its OCSP responses. This is also the case for StartCom, where almost 100% of EV certificates issued by StartCom so far in 2015 fail to receive EV treatment in Chrome. Some StartCom EV certificates are receiving the EV indicator as a result of Google's one-off whitelist, and a single post-2015 certificate is being used on a server that supports sending SCTs via the TLS extension. WoSign and StartCom are not alone, however, as several other CAs have issued EV certificates without embedding SCTs, including Certplus (OpenTrust/KEYNECTIS).

Although Google produced a whitelist of existing EV certificates at the start of 2015, a significant number of pre-2015 certificates lost their EV treatment after Google Chrome started enforcing its CT policy. CAs had the opportunity to inspect Google's draft whitelist; however, many certificates were not submitted to a CT log in time. As well as omissions by the CAs, there were also errors in the mechanism used by Google to generate the whitelist.

The second type of failure to be included in the whitelist, bugs in Google's implementation, can be demonstrated by examining a DigiCert certificate (serial number 0ae01c52bf4917b4527c20bae5e2cd82): it is present in at least one Google CT log with a timestamp indicating it was first logged on 28th August 2014:

Log: https://ct.googleapis.com/pilot
Entry ID: 4867084
Timestamp: 2014-08-28 11:56:54 GMT
Certificate Serial Number: 0ae01c52bf4917b4527c20bae5e2cd82

Despite being logged in accordance with Google's policies, it does not appear in Google's whitelist. In this case, a bug in Google's whitelisting code meant it was incorrectly excluded.

Some CAs offer the option to their customers to not include SCTs in their EV certificates, where inclusion in a public log would leak DNS names the customer would rather keep private. However, all of the certificates in this analysis were found on public-facing HTTPS services by Netcraft's SSL survey, or were included in CT logs.

Google's latest policy update in May 2015 could mean that 7,000 more EV certificates will lose the green bar treatment in Chrome. Certificates must now be delivered with SCTs from independent logs — i.e. at least one Google log and one non-Google log. Certificates that do not meet this new requirement still receive the green bar in Chrome, but are anticipated to stop working when Chrome's code catches up with the new policy. It is not clear whether certificates issued before the policy update will be whitelisted or subjected to the new policy.
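The SCT framing described above (RFC 6962's SignedCertificateTimestampList, as embedded in a certificate) together with the checks behind the failure notes seen in Chrome ("No SCTs received", "Too few SCTs for validity period") and the May 2015 independent-log rule, as an added Python example that is neither Netcraft's code nor Chrome's implementation. The month thresholds are taken from Google's 2015 policy as an assumption, the log IDs and SCT bytes are constructed, and SCT signatures are not verified (that needs each log's public key).

```python
"""Decode an RFC 6962 SignedCertificateTimestampList (the value of X.509 extension
1.3.6.1.4.1.11129.2.4.2) and check the SCT set against Chrome's 2015 EV CT policy."""
import struct
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class SCT:
    log_id: bytes         # SHA-256 of the log's public key (32 bytes)
    timestamp: datetime   # when the log committed to include the (pre)certificate
    extensions: bytes
    hash_alg: int         # TLS HashAlgorithm (4 = sha256)
    sig_alg: int          # TLS SignatureAlgorithm (3 = ecdsa)
    signature: bytes      # not verified here; that needs the log's public key

def _vector(buf: bytes, pos: int, len_bytes: int):
    """Read a TLS length-prefixed opaque vector; return (data, position after it)."""
    if pos + len_bytes > len(buf):
        raise ValueError("truncated length prefix")
    length = int.from_bytes(buf[pos:pos + len_bytes], "big")
    pos += len_bytes
    if pos + length > len(buf):
        raise ValueError("vector runs past end of data")
    return buf[pos:pos + length], pos + length

def parse_sct(raw: bytes) -> SCT:
    """Decode one serialized SignedCertificateTimestamp (RFC 6962 section 3.2)."""
    if len(raw) < 1 + 32 + 8 + 2 or raw[0] != 0:   # v1 (0) is the only version defined
        raise ValueError("SCT too short or unsupported version")
    log_id = raw[1:33]
    (ts_ms,) = struct.unpack(">Q", raw[33:41])       # milliseconds since the epoch
    extensions, pos = _vector(raw, 41, 2)
    if pos + 2 > len(raw):
        raise ValueError("truncated DigitallySigned")
    hash_alg, sig_alg = raw[pos], raw[pos + 1]
    signature, pos = _vector(raw, pos + 2, 2)
    if pos != len(raw):
        raise ValueError("trailing bytes after SCT")
    ts = datetime.fromtimestamp(ts_ms / 1000, timezone.utc)
    return SCT(log_id, ts, extensions, hash_alg, sig_alg, signature)

def parse_sct_list(ext_value: bytes) -> list:
    """Decode the list framing: 2-byte total length, then 2-byte-length-prefixed SCTs."""
    body, end = _vector(ext_value, 0, 2)
    if end != len(ext_value):
        raise ValueError("trailing bytes after SCT list")
    scts, pos = [], 0
    while pos < len(body):
        raw, pos = _vector(body, pos, 2)
        scts.append(parse_sct(raw))
    return scts

def required_embedded_scts(not_before: datetime, not_after: datetime) -> int:
    """Minimum embedded SCTs for the certificate lifetime. The thresholds (up to 15
    months: 2, up to 27: 3, up to 39: 4, longer: 5) are assumed from Google's 2015 policy."""
    months = (not_after.year - not_before.year) * 12 + not_after.month - not_before.month
    if not_after.day < not_before.day:   # round an incomplete month down
        months -= 1
    partial = not_after.day != not_before.day
    for limit, needed in ((15, 2), (27, 3), (39, 4)):
        if months < limit or (months == limit and not partial):
            return needed
    return 5

def evaluate_ev_ct_policy(scts, not_before, not_after, google_log_ids) -> list:
    """Return policy failures (empty list = acceptable), phrased like Chrome's notes."""
    if not scts:
        return ["No SCTs received"]
    failures = []
    needed = required_embedded_scts(not_before, not_after)
    if len(scts) < needed:
        failures.append(f"Too few SCTs for validity period ({len(scts)} < {needed})")
    from_google = sum(1 for s in scts if s.log_id in google_log_ids)
    if from_google == 0:             # May 2015 update: one Google and one non-Google log
        failures.append("No SCT from a Google log")
    if from_google == len(scts):
        failures.append("No SCT from a non-Google log")
    return failures

def build_sct(log_id: bytes, ts_ms: int) -> bytes:
    """Serialize a v1 SCT with empty extensions and a zero placeholder signature
    (constructed test data; a real log signs with its ECDSA P-256 key)."""
    sig = b"\x00" * 70
    return (b"\x00" + log_id + struct.pack(">Q", ts_ms) + b"\x00\x00"
            + bytes([4, 3]) + len(sig).to_bytes(2, "big") + sig)

def build_sct_list(serialized) -> bytes:
    """Wrap serialized SCTs in SignedCertificateTimestampList framing."""
    body = b"".join(len(s).to_bytes(2, "big") + s for s in serialized)
    return len(body).to_bytes(2, "big") + body

# Constructed log IDs (real ones are the SHA-256 of each log's public key).
GOOGLE_LOG_ID, OTHER_LOG_ID = bytes([1]) * 32, bytes([2]) * 32
GOOGLE_LOGS = {GOOGLE_LOG_ID}
# Constructed extension value: one Google and one non-Google SCT, both dated 2015-08-03.
EXAMPLE_EXT = build_sct_list([build_sct(GOOGLE_LOG_ID, 1438560000000),
                              build_sct(OTHER_LOG_ID, 1438560000000)])
```

A real extension value is the DER OCTET STRING content of the SCT list extension; feed that to parse_sct_list with the certificate's notBefore/notAfter and the current set of Google log IDs.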

Comodo is the CA most affected by the May 2015 policy update, with almost 6,000 EV certificates at risk if Google's new policy is applied from 1st Jan 2015. Comodo has recently issued certificates with SCTs from too few independent logs: for example, Comodo issued a certificate on 3rd August 2015 that is missing a non-Google SCT.

Before they were eventually deployed in March 2015, CAs had known for over a year that the changes to Chrome's EV behaviour were coming. Google's intention was for CAs to ensure that all issued certificates were meeting the requirements before the effective date. This was not the case for most CAs, however, and many non-compliant certificates remain in existence now that Chrome is enforcing the requirements. Worse still, many CAs are continuing to sell EV certificates that will not receive the indicator in Chrome.

Identifying non-compliant certificates

Using data from its SSL Survey, Netcraft's certificate compliance checking service can promptly identify, and bring to the attention of CAs, all kinds of non-compliant certificates, including those that are not receiving the EV indicator in Chrome. The service also identifies certificates that will stop receiving the EV indicator as soon as Google's May 2015 policy update becomes effective. By using Netcraft's service to identify these certificates, CAs will be in a position to re-issue them such that they should once again receive the green EV indicator.

Netcraft's service can also be used by CAs to test their certificates for compliance issues before issuance, by submitting pre-certificates or certificates to Netcraft and only releasing to customers those that are found to be fully compliant. Non-compliant certificates can then be revoked without ever being deployed.

July 2015 Web Server Survey

In the July 2015 survey we received responses from 849,602,745 sites and 5,350,323 web-facing computers. This represents a net loss of 13.5 million websites, but a gain of 3,700 additional computers.

One of the most significant changes in July was the net loss of nearly 13,000 web-facing computers powered by Microsoft web server software, accompanied by a decline of more than 29 million hostnames. The loss was predominantly seen for servers running Microsoft IIS 6.0, 7.0 and 7.5. These versions of IIS are used by Windows Server 2003, which is no longer supported, and Windows Server 2008 (including 2008 R2), whose mainstream support ended in January. The latest stable release of IIS (version 8.5) is however continuing to grow, this month increasing by over 9,000 web-facing computers.

This month's decline has brought Microsoft's market share of hostnames down by nearly 3 percentage points, increasing Apache's lead. However, Apache's own market share also fell slightly, largely due to gains made by nginx and Tengine.

nginx gained 8.5 million sites this month, but more remarkably, it gained over 14,000 web-facing computers, with the largest gains in the US, China, Germany and the UK. Compounding Microsoft's losses, nearly 1.8 million existing websites switched from using Microsoft IIS to nginx in July.

nginx also fared well amongst the top million websites, where it gained a further 3,771 sites, causing losses for Apache, Microsoft and Google. Nonetheless, Apache is still used by nearly half of the top million sites, with its market share being almost 26 percentage points ahead of nginx.

Tengine now powers more websites than Google's web server software, after the number of sites using it grew by 7 million to a total of more than 25 million this month. The open source Tengine web server is based on nginx, and used extensively by the online marketplace Taobao. It currently supports all features found in nginx 1.6.2, plus several other features required by Taobao that could not be implemented as nginx modules. Neither nginx nor Tengine supports HTTP/2 yet, but both were early supporters of Google's SPDY protocol, on which HTTP/2 is based. nginx plans to provide support for HTTP/2 by the end of this year, so Tengine is likely to follow suit at a later date.

Tengine 2.1.0 is the latest development version of Taobao's nginx fork, but despite being released more than six months ago, only 25,000 websites currently claim to be using it. In contrast, Tengine 1.4.2 — which was released in 2012 and is also a development version — is used by nearly 10 million sites, making it by far the most commonly deployed version. The latest stable release, Tengine 1.5.2, is the second most commonly used version, but accounts for just under 200,000 sites.

But like Apache, more than half of the sites running Tengine do not reveal which version they are running, and so the true distribution of version numbers could vary greatly. For instance, 2.7 million of these version-less Tengine websites are used to host Taobao stores directly under the taobao.com domain (e.g. baobeiit.taobao.com). Given that Tengine was created by Taobao in order to provide the features they need, it is not unreasonable to assume that these sites might be using the latest release, or at least a relatively recent one.

Despite being used by a large number of sites, Tengine was found on only 4,240 web-facing computers in July 2015. Three-quarters of these computers are located in China, while nearly 10% are located in the US.

Total number of websites

Web server market share

Developer   June 2015     Percent   July 2015     Percent   Change
Apache      334,731,035   38.78%    325,696,514   38.34%    -0.45
Microsoft   254,408,179   29.48%    225,282,713   26.52%    -2.96
nginx       122,965,522   14.25%    131,460,063   15.47%    1.23
Google      20,130,732    2.33%     20,255,424    2.38%     0.05

DigitalOcean becomes the second largest hosting company in the world

DigitalOcean has grown to become the second-largest hosting company in the world in terms of web-facing computers, and shows no signs of slowing down.

The virtual private server provider has shown phenomenal growth over the past two-and-a-half years. First seen in our December 2012 survey, DigitalOcean today hosts more than 163,000 web-facing computers, according to Netcraft's May 2015 Hosting Provider Server Count. This gives it a small lead over French company OVH, which has been pushed down into third place.

Amazing growth at DigitalOcean


DigitalOcean's only remaining challenge will be to usurp Amazon Web Services, which has been the largest hosting company since September 2012. However, it could be quite some time until we see DigitalOcean threatening to gain this ultimate victory: although DigitalOcean started growing at a faster rate than Amazon towards the end of 2013, Amazon still has more than twice as many web-facing computers as DigitalOcean today.

Nonetheless, DigitalOcean seems committed to growing as fast as it can. Since October 2014, when we reported that DigitalOcean had become the fourth largest hosting company, DigitalOcean has introduced several new features to attract developers to its platform. Its metadata service enables Droplets (virtual private servers) to query information about themselves and bootstrap new servers, and a new DigitalOcean DNS service brought more scalability and reliability to creating and resolving DNS entries, allowing near-instantaneous propagation of domain names.

Other companies are also helping to fuel growth at DigitalOcean. Mesosphere created an automated provisioning tool which lets customers use DigitalOcean's resources to create self-healing environments that offer fault tolerance and scalability with minimal configuration. Mesosphere's API makes it possible to manage thousands of Droplets as if they were a single computer, and with DigitalOcean's low pricing models and SSD-only storage, it's understandable how this arrangement can appeal to particularly power-hungry developers.

In January, DigitalOcean introduced its first non-Linux operating system, FreeBSD. Although less commonly used these days, FreeBSD has garnered a reputation for reliability and it was not unusual to see web-facing FreeBSD servers with literally years of uptime in the past. In April, DigitalOcean launched the second version of its API, which lets developers programmatically control their Droplets and resources within the DigitalOcean cloud by sending simple HTTP requests.

DigitalOcean added a new Frankfurt region in April 2015.


More recently, DigitalOcean introduced a new European hosting region in Frankfurt, Germany. This is placed on the German Commercial Internet Exchange (DE-CIX), which is the largest internet exchange point worldwide by peak traffic, allowing Droplets hosted in this region to offer good connectivity to neighbouring countries. (An earlier announcement of an underwater Atlantis datacenter sadly turned out to be an April Fool's joke, despite the obvious benefits of free cooling).

Even so, Amazon still clearly dwarfs DigitalOcean in terms of variety of features and value-added services. Notably, Amazon offers a larger variety of operating systems on its EC2 cloud instances (including Microsoft Windows), and its global infrastructure is spread much wider. For example, EC2 instances can be hosted in America, Ireland, Germany, Singapore, Japan, Australia, Brazil, China or even within an isolated GovCloud (US) region, which allows US government agencies to move sensitive workloads into the cloud whilst fulfilling specific regulatory and compliance requirements. As well as these EC2 regions, Amazon also offers additional AWS Edge Locations to be used by its CloudFront content delivery network and its Route 53 DNS service.

Yet, as well as its low pricing, part of the appeal of using DigitalOcean could lie within its relative simplicity compared with Amazon's bewilderingly vast array of AWS services (AppStream, CloudFormation, ElastiCache, Glacier, Kinesis, Cognito, Simple Workflow Service, SimpleDB, SQS and Data Pipeline to name but a few). Signing up and provisioning a new Droplet on DigitalOcean is remarkably quick and easy, and likely fulfils the needs of many users. DigitalOcean's consistent and strong growth serves as testament to this, and will make the next year very interesting for the two at the top.

January 2015 Web Server Survey

In the January 2015 survey we received responses from 876,812,666 sites and 5,061,365 web-facing computers.

This is the lowest website count since last January, and the third month in a row which has seen a significant drop in the total number of websites. As was the case in the last two months, the loss was heavily concentrated at just a few hosting companies, and a single IP address that was previously hosting parked websites was responsible for over 50% of the drop.

Microsoft continues to be impacted most by the decline. Having overtaken Apache in the July 2014 survey, its market share now stands at just 27.5%, giving Apache a lead of more than 12 percentage points.

Microsoft's decline seems far less dramatic when looking at the number of web-facing computers that use its server software. A net loss of 6,200 computers this month resulted in its computer share falling by only 0.28 percentage points, while Apache's went up by 0.18 to 47.5%.

These losses included many sites running on Microsoft IIS 6.0, which along with Windows Server 2003, will reach the end of its Extended Support period in July. Further abandonment of these platforms is therefore expected in the first half of this year, although Microsoft does offer custom support relationships which go beyond the Extended Support period.

Apache made an impressive gain of 22,000 web-facing computers this month. Half of this net growth can be attributed to the Russian social networking company V Kontakte, which hosts nearly 13,000 computers. Almost all of these were running nginx last month, but 11,000 have since defected to Apache, leaving fewer than 2,000 of V Kontakte's computers still using nginx.

OVH is still the second largest hosting company in terms of web-facing computers (although DigitalOcean is hot on its heels), but demand for its own relatively new .ovh top-level domain appears to be waning. Last month, we reported that the number of sites using the new .ovh TLD had shot up from 6,000 to 63,000. These sites were spread across just under 50,000 unique .ovh domains, and the number of domains grew by only 2,000 this month.

Only the first 50,000 .ovh domains were given away for free, while subsequent ones were charged at EUR 0.99. Despite being less than a third of the planned usual price of EUR 2.99, this shows how even a tiny cost can have a dramatic impact on slowing down the uptake in domain registrations.

Other new top-level domains which have shown early signs of strong hostname growth include .click, .restaurant, .help, .property, .top, .gifts, .quebec, .market and .ooo, each of which was almost non-existent last month but now numbers in the thousands.

The proliferation of new top level domains is evidently generating a lot of money for registrars and ICANN, but for some parties it has caused expenditure that was previously unnecessary. Take the new .hosting TLD for example: you would expect this domain to only be of interest to hosting companies, but US bank Wells Fargo has also registered some .hosting domains, including wellsfargo.hosting, wellsfargoadvisors.hosting and wellsfargohomemortgage.hosting. These domains are not used to serve any content, and instead redirect customers to Wells Fargo's main site at wellsfargo.com. The sole purpose of registering these domains appears to be to stop any other party from doing so, which protects the bank's brand and prevents the domains being used to host phishing sites.

In a similar move, Microsoft has also registered several .hosting domains including xbox.hosting, bing.hosting, windows.hosting, skype.hosting, kinect.hosting and dynamics.hosting. Browsing to any of these domains causes the user to be redirected to bing.com, which displays search results for the second-level string (i.e. "xbox", "windows", etc.).

Of course, with many other new TLDs continually popping up, brand protection becomes an increasingly costly exercise. Microsoft has also recently registered hundreds of other nonsensical domains which are used to redirect browsers to bing.com, such as lumia.ninja, lync.lawyer, xboxone.guitars, windowsphone.futbol, microsoft.airforce, azure.luxury, yammer.singles, xboxlive.codes, halo.tattoo, internetexplorer.fishing, and so on.

However, the race to register domain names is not always won by Microsoft — bing.click is a prime example of a domain that someone else got to first. This domain is currently offered for sale, highlighting the fact that it's not just ICANN and the registrars that stand to gain money from the influx of new TLDs.

Total number of websites

Web server market share

Developer   December 2014   Percent   January 2015   Percent   Change
Apache      358,159,405     39.11%    348,460,753    39.74%    0.63
Microsoft   272,967,294     29.81%    241,276,347    27.52%    -2.29
nginx       132,467,763     14.47%    128,083,920    14.61%    0.14
Google      20,011,260      2.19%     20,209,649     2.30%     0.12

August 2015 Web Server Survey

In the August 2015 survey we received responses from 874,408,576 sites and 5,391,301 web-facing computers, representing a net gain of 25 million sites and 40,978 web-facing computers since last month.

Microsoft was responsible for much of the growth in web-facing computers this month, reversing the losses seen last month. This month there was an increase of 15,668 web-facing computers powered by Microsoft web server software, accompanied by a gain of 6.1 million sites. Microsoft has recovered some web-facing computer market share as a result of the increase; however, it remains on a gradual declining trend – it now stands at almost 2 percentage points below its share this time last year.

nginx performed well across all metrics again this month, gaining 3,421 sites in the top million sites, 6,491 web-facing computers, and 983,000 sites overall. nginx is the only vendor experiencing consistent increases in market share, and is now used by 22.61% of the top million sites, and 12.68% of web-facing computers.

Apache also made gains this month, with 1,243 additional web-facing computers and 2.3 million additional sites. However, it lost 4,775 sites in the top million sites, where its market share is now 47.78%. Despite the net gain in web-facing computers, Apache has again seen a small loss in its market share, which now stands at 46.26%.

LiteSpeed gained 486,000 sites this month, bringing the total number of sites using LiteSpeed's web server to just over 5 million. LiteSpeed uses the same configuration format as Apache and is designed to be a drop-in replacement.

LiteSpeed was the first major web server vendor to add support for the final version of HTTP/2 after it was standardised in May. HTTP/2, which is based on Google's SPDY protocol, aims to improve the performance of HTTP by changing how it is encoded on the wire. It does not change HTTP's semantics to ease compatibility with existing applications. While the standard defines a cleartext version of the protocol, all major browsers only support HTTP/2 over TLS. Out of the 45,819 SSL sites that negotiated the final version of HTTP/2 over TLS this month, 21,695 (47.35%) were served by LiteSpeed.

An initial patch was released by nginx this month for adding HTTP/2 support. The patch is still in development – full HTTP/2 support in nginx is expected by the end of 2015.

Microsoft IIS 10 is the first release of IIS that provides HTTP/2 support. IIS 10 is included in Windows 10, which was released in July, and Windows Server 2016, which is currently in public beta testing and expected to be released in early 2016.

mod_h2, an Apache module which provides HTTP/2 support, was donated to the Apache Foundation in June and merged into the development version of Apache. mod_h2 will be backported to Apache 2.4, the current stable release branch.

Total number of websites

Web server market share

Developer   July 2015     Percent   August 2015   Percent   Change
Apache      325,696,514   38.34%    327,985,968   37.51%    -0.83
Microsoft   225,282,713   26.52%    231,429,146   26.47%    -0.05
nginx       131,460,063   15.47%    132,443,391   15.15%    -0.33
Google      20,255,424    2.38%     19,933,095    2.28%     -0.10

Millions still running the risk with Windows Server 2003

More than 600,000 web-facing computers — which host millions of websites — are still running Windows Server 2003, despite it no longer being supported.

The number of web-facing computers running Windows Server 2003 has been on a gradual decline since its peak usage in 2011, but many servers are still using it. Mainstream support for Windows Server 2003 ended in July 2010.


Extended support for Windows Server 2003 ended on July 14, 2015. Crucially, this means that Microsoft will no longer be issuing security updates for any version of Windows Server 2003. US-CERT warns that these unsupported installations of Windows Server 2003 are exposed to an elevated risk of cybersecurity dangers, such as malicious attacks or electronic data loss.

Windows Server 2003 was originally launched over 12 years ago, with the latest major update being released 8 years ago in the form of Service Pack 2. This update was particularly beneficial for web servers, as it added the Scalable Networking Pack (SNP), which allowed for hardware acceleration of network packet processing.

Fifth of the internet still running Windows Server 2003

Netcraft's July 2015 Web Server Survey found 175 million websites that are served directly from Windows Server 2003 computers. These account for more than a fifth of all websites in the survey, making the potential attack surface huge.

Most of these sites (73%) are served by Microsoft Internet Information Services 6.0, which is the version of IIS that shipped with Windows Server 2003 and the 64-bit edition of Windows XP Professional; however, it is rare to see the latter being used as a web server platform.

The remaining Windows Server 2003-powered sites use a variety of web server software, with GSHD 3.0, Safedog 4.0.0, Apache 2.2.8 (Win32), kangle 3.4.8, NetBox Version 2.8 Build 4128 and nginx/1.0.13-win32 being amongst the most commonly seen Server headers. While vulnerabilities in these software products can be addressed by applying patches or updates, future vulnerabilities in the underlying Windows Server 2003 operating system may never be fixed.

14 million of the sites did not send a Server header at all, so it was not apparent whether the web server software used by these sites could be updated, but the underlying computers could still be identified as running Windows Server 2003. Netcraft determines the operating system of a remote web server by analysing the low-level TCP/IP characteristics of response packets, and so it is independent of whichever server software the site claims to be running.

Backend servers might also be exploitable

In addition to the 175 million websites that are served directly from Windows Server 2003 computers, a further 1.7 million sites served from other operating systems sent the Microsoft-IIS/6.0 Server header. This indicates the presence of backend Windows Server 2003 machines behind load balancers and similar devices that are not running Windows.

For example, if the TCP/IP characteristics of a web server's response indicate that it is running Linux, but the HTTP Server header reports it is using Microsoft-IIS/6.0, then the Linux machine is likely to be acting as a reverse proxy to a Windows Server 2003 machine running IIS 6.0. Although the Windows Server 2003 machine is not directly exposed to the internet, it may still be possible for a remote attacker to exploit certain Windows and IIS vulnerabilities.
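The heuristic from the two preceding sections (the OS inferred from TCP/IP response characteristics compared with the HTTP Server header) turned into an asset-inventory check, as an added Python example that is not Netcraft's survey code. Fingerprinting itself is out of scope; the records, hostnames and the treatment of an IIS 6.0 header with no fingerprint are constructed assumptions.

```python
"""Flag web-facing hosts exposed to end-of-life Windows Server 2003 from two survey
signals: the fingerprinted OS and the HTTP Server header. Records are constructed."""
import re
from collections import Counter

EOL_OS = "Windows Server 2003"
# IIS 6.0 shipped with Windows Server 2003 (and 64-bit XP, rarely used as a web server),
# so the header alone strongly suggests a Server 2003 machine somewhere in the path.
IIS6 = re.compile(r"^Microsoft-IIS/6\.0(?:$|\s)", re.IGNORECASE)

def classify(os_fingerprint, server_header):
    """Return (exposure, note) for one host.
    'direct'  : the responding computer itself runs Windows Server 2003
    'backend' : the header says IIS 6.0 but the fingerprint does not, so a front end
                (reverse proxy, load balancer) is forwarding to a Server 2003 machine
    'none'    : no Server 2003 signal
    'unknown' : neither signal available"""
    iis6 = bool(server_header) and IIS6.match(server_header) is not None
    if os_fingerprint == EOL_OS:
        if iis6:
            return "direct", "IIS 6.0 on Server 2003"
        if not server_header:
            return "direct", "no Server header: server software unidentified, OS unsupported"
        return "direct", f"{server_header} on Server 2003: server patchable, OS is not"
    if iis6 and os_fingerprint:
        return "backend", f"{os_fingerprint} front end forwarding to IIS 6.0 on Server 2003"
    if iis6:   # header only; treated here as a direct Server 2003 host (assumption)
        return "direct", "IIS 6.0 header, OS not fingerprinted"
    if not os_fingerprint and not server_header:
        return "unknown", "no fingerprint and no Server header"
    return "none", ""

def summarize(records):
    """Count hosts per exposure class over (host, os_fingerprint, server_header) tuples."""
    counts = Counter()
    for _host, os_fp, server in records:
        exposure, _note = classify(os_fp, server)
        counts[exposure] += 1
    return counts

# Constructed sample records, not survey data.
SAMPLE = [
    ("a.example", "Windows Server 2003", "Microsoft-IIS/6.0"),
    ("b.example", "Windows Server 2003", None),
    ("c.example", "Windows Server 2003", "nginx/1.0.13-win32"),
    ("d.example", "Linux", "Microsoft-IIS/6.0"),
    ("e.example", "Linux", "nginx"),
    ("f.example", None, None),
    ("g.example", "Windows Server 2008", "Microsoft-IIS/7.5"),
    ("h.example", None, "Microsoft-IIS/6.0"),
]

if __name__ == "__main__":
    for host, os_fp, server in SAMPLE:
        print(host, *classify(os_fp, server))
    print(dict(summarize(SAMPLE)))
```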

How many Windows Server 2003 installations are exposed to the web?

Netcraft has developed a technique for identifying the number of unique computers that act as web servers on the internet. The 175 million sites that use Windows Server 2003 make use of 1.6 million distinct IP addresses. However, an individual computer running Windows Server 2003 may have multiple IP addresses, which makes this an unsuitable metric for determining how many installations there are.

Further analysis of the low-level TCP/IP characteristics reveals a total of 609,000 web-facing computers running Windows Server 2003. This is over 10% of all web-facing computers, and shows the true potential cost of migration, as software licensing is typically charged on a per-machine rather than per-IP address basis.

Who's still using Windows Server 2003?

China and the United States account for 55% of the world's Windows Server 2003 computers (169,000 in China and 166,000 in the US), yet only 43% of all other web-facing computers.

Within China, more than 24,000 of these computers are hosted by Alibaba Group. Nearly half of these are hosted by HiChina, which was acquired by Alibaba in 2009, while 7,500 are hosted at its rapidly growing cloud hosting unit, Aliyun.

Aliyun still allows its customers to create Windows Server 2003 virtual machines.

One of the most prominent companies still using Windows Server 2003 on the internet is LivePerson, which is best known for the live chat software that allows its customers to talk to their visitors in real time. Its main site at www.liveperson.com uses Microsoft IIS 6.0 on Windows Server 2003, and several other sites related to its live chat functionality, such as sales.liveperson.net, also appear to use IIS 6.0 on Server 2003, but are served via F5 BIG-IP web-facing devices.

Even some banks are still using Windows Server 2003 and IIS 6.0 on their main sites, with the most popular ones including Natwest, ANZ, and Grupo Bancolombia. These sites rank amongst the top 10,000 in the world, and hundreds of other banking sites also appear to be using Windows Server 2003.

ING Direct and Caisse d'Epargne are also using IIS 6.0, but these sites appear to be served through F5 BIG-IP or similar devices, rather than having Windows Server 2003 machines exposed directly to the internet. Even some security and antivirus software vendors are still running IIS 6.0 on public-facing sites, including Panda Security and eScan.

While Microsoft does not officially offer any support beyond the extended support period ("Once a product transitions out of support, no further support will be provided for the product"), reports suggest that some companies who have not migrated in time have arranged to pay millions of dollars for custom support deals.

PCI compliance: Automatic failure

Companies still using unsupported operating systems like Windows Server 2003 in a cardholder data environment should migrate immediately. All organisations and merchants who accept, transmit or store cardholder data must maintain a secure PCI compliant environment.

The Payment Card Industry Data Security Standard (PCI DSS) provides a baseline of technical and operational requirements designed to protect cardholder data and sensitive authentication data. PCI DSS Requirement 6.2 requires all system components and software to be protected from known vulnerabilities by installing vendor-supplied security patches. This will not be possible with Windows Server 2003, as no more security updates will be made available by Microsoft.

Additionally, merchants and service providers who handle a large enough volume of cardholder data must have quarterly security scans by a PCI SSC Approved Scanning Vendor (such as Netcraft) in order to maintain compliance. ASVs are required to record an automatic failure if the merchant's cardholder data environment uses an operating system that is no longer supported.

In some cases, PCI DSS allows risks to be mitigated through the implementation of suitable compensating controls, but these are unlikely to be sufficient for an unsupported web-facing operating system, especially one which will become less secure as time goes by, as new vulnerabilities are discovered and left unpatched.

Consequently, many merchants still using Windows Server 2003 are likely to be non-compliant, and could face fines, increased transaction fees, reputational damage, or other potentially disastrous penalties such as cancelled accounts.

Microsoft advises that any datacenter still using Windows Server 2003 needs to protect its infrastructure by planning and executing a migration strategy. Some possible options suggested by Microsoft include switching to Windows Server 2012 R2, Microsoft Azure or Office 365. To help customers migrate, Microsoft has provided an interactive Windows Server 2003 Migration Planning Assistant, which, incidentally, is hosted on Microsoft Azure.

Finding out more

Netcraft's techniques provide an independent view with a consistent methodology on the number of web-facing computers at each hosting location worldwide. For more information, see our Hosting Provider Server Count, or contact us at sales@netcraft.com for bespoke datasets.

For more information about Netcraft's Automated Vulnerability Scanning for PCI Compliance, please contact us at security-sales@netcraft.com.