Half a million widely trusted websites vulnerable to Heartbleed bug

A serious buffer over-read vulnerability in the OpenSSL cryptographic library affects around 17% of SSL web servers which use certificates issued by trusted certificate authorities. Already commonly known as the Heartbleed bug, a missing bounds check in the handling of the TLS heartbeat extension can allow remote attackers to read up to 64 kilobytes of the server's process memory per heartbeat request, and the request can be repeated as often as the attacker likes, typically without leaving any trace in application logs. This could allow attackers to retrieve private keys and ultimately decrypt the server's encrypted traffic or even impersonate the server.

The Heartbleed bug write-up mentions Apache and nginx as being the most notable software using OpenSSL, and also points out that these have a combined active site market share of over 66% according to our April 2014 Web Server Survey. However, not all of these servers are running an HTTPS service, nor are they all running vulnerable versions of OpenSSL with heartbeats enabled.

Our most recent SSL Survey found that the heartbeat extension was enabled on 17.5% of SSL sites, accounting for around half a million certificates issued by trusted certificate authorities. These certificates are consequently vulnerable to being spoofed (through private key disclosure), allowing an attacker to impersonate the affected websites without raising any browser warnings.


Most vulnerable servers are using Apache.

Note that a small percentage of Microsoft web servers also appear to support the TLS heartbeat extension; these are actually likely to be vulnerable Linux machines acting as reverse proxy frontends to Windows servers.

Support for heartbeats was added to OpenSSL 1.0.1 (released in 2012) by Robin Seggelmann, who also coauthored the Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) Heartbeat Extension RFC. The new code was committed to OpenSSL's git repository just before midnight on new year's eve 2011.

OpenSSL's security advisory states that only the 1.0.1 and 1.0.2-beta branches are affected: every release from 1.0.1 up to and including 1.0.1f, plus 1.0.2-beta1. The older 0.9.8 and 1.0.0 branches do not contain the heartbeat code and are unaffected. The vulnerability has been fixed in OpenSSL 1.0.1g, and users who are unable to upgrade immediately can disable heartbeat support by recompiling OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag.
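To make the missing bounds check concrete, here is an added example written for this page rather than OpenSSL's own source. The vulnerable handler is modelled on the shape of tls1_process_heartbeat in 1.0.1 through 1.0.1f, where the 16-bit payload length supplied by the peer is trusted outright; the fixed handler adds the two length checks that 1.0.1g introduced. The request bytes, the "ping" payload and the secret string placed after the record are all constructed so that the over-read can be shown inside a single buffer instead of real heap memory; the function and variable names are this example's own.

```c
#include <stddef.h>
#include <string.h>

/* Heartbeat message layout (RFC 6520):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define HB_MAX_RESP  (1 + 2 + 65535 + HB_PADDING)

/* Response builder shared by both handlers: echoes `payload` bytes from payload_src. */
static int hb_build_response(const unsigned char *payload_src, unsigned int payload,
                             unsigned char *out)
{
    unsigned char *bp = out;
    *bp++ = HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, payload_src, payload);          /* copies whatever lies at payload_src */
    bp += payload;
    memset(bp, 0, HB_PADDING);                 /* OpenSSL fills this with RAND_pseudo_bytes */
    return 1 + 2 + (int)payload + HB_PADDING;
}

/* Vulnerable handler (1.0.1 .. 1.0.1f shape): payload_length comes from the peer and
 * is never compared with rec_len, so the memcpy above reads up to 65535 bytes past
 * the end of the received record. Returns the response length, or -1 for a non-request. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *out)
{
    const unsigned char *p = rec;
    unsigned int hbtype = *p++;
    unsigned int payload = ((unsigned int)p[0] << 8) | p[1];   /* n2s(p, payload) */
    p += 2;
    (void)rec_len;                                             /* BUG: never consulted */
    if (hbtype != HB_REQUEST) return -1;
    return hb_build_response(p, payload, out);
}

/* Patched handler with the length checks added in 1.0.1g. Malformed requests are
 * silently discarded (return 0), which is what the fix does. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out)
{
    const unsigned char *p = rec;
    unsigned int hbtype, payload;
    if (1 + 2 + HB_PADDING > rec_len) return 0;                /* cannot even hold header + padding */
    hbtype = *p++;
    payload = ((unsigned int)p[0] << 8) | p[1];
    p += 2;
    if (1 + 2 + payload + HB_PADDING > rec_len) return 0;      /* claimed payload overruns the record */
    if (hbtype != HB_REQUEST) return -1;
    return hb_build_response(p, payload, out);
}

/* --- constructed demo input (not real traffic) ------------------------------ */

/* Writes a request carrying `data` but advertising `claimed` payload bytes.
 * Returns the real record length: 3 + data_len + 16. */
static size_t build_request(unsigned char *buf, unsigned int claimed,
                            const unsigned char *data, size_t data_len)
{
    buf[0] = HB_REQUEST;
    buf[1] = (unsigned char)(claimed >> 8);
    buf[2] = (unsigned char)(claimed & 0xff);
    memcpy(buf + 3, data, data_len);
    memset(buf + 3 + data_len, 0, HB_PADDING);
    return 3 + data_len + HB_PADDING;
}

static const unsigned char demo_secret[] = "PRIVATE-KEY-BYTES";  /* stands in for neighbouring heap data */
static const unsigned char demo_ping[]   = "ping";

/* A 23-byte request claiming 32 payload bytes, placed directly in front of demo_secret
 * in one buffer so the over-read stays inside this allocation.
 * Returns how many bytes of demo_secret the vulnerable handler echoed back (12). */
int vulnerable_leak_count(void)
{
    unsigned char region[64];
    unsigned char out[HB_MAX_RESP];
    size_t rec_len = build_request(region, 32, demo_ping, 4);
    memcpy(region + rec_len, demo_secret, sizeof demo_secret);
    int n = heartbeat_vulnerable(region, rec_len, out);
    if (n != 1 + 2 + 32 + HB_PADDING) return -1;
    /* echoed payload = 4 bytes "ping" + 16 bytes padding + 12 bytes from beyond the record */
    return memcmp(out + 3 + 4 + HB_PADDING, demo_secret, 12) == 0 ? 12 : 0;
}

/* The same "ping" request with an arbitrary advertised length, through the fixed handler.
 * Returns 0 when claimed > 4 (record is 23 bytes, so it is discarded), otherwise 3 + claimed + 16. */
int fixed_response_len(unsigned int claimed)
{
    unsigned char region[64];
    unsigned char out[HB_MAX_RESP];
    size_t rec_len = build_request(region, claimed, demo_ping, 4);
    memcpy(region + rec_len, demo_secret, sizeof demo_secret);
    int n = heartbeat_fixed(region, rec_len, out);
    if (n > 0 && memcmp(out + 3, demo_ping, claimed) != 0) return -1;  /* echo must match */
    return n;
}
```

The point to take from the two handlers is that the only difference is one comparison of the advertised length against the length actually received; with it absent, every byte the attacker names beyond the record is copied into the reply, which is why a 64 KB window of the process heap can be pulled out one request at a time.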

Popular sites which exhibit support for the TLS heartbeat extension include Twitter, GitHub, Yahoo, Tumblr, Steam, DropBox, HypoVereinsbank, PostFinance, Regents Bank, Commonwealth Bank of Australia, and the anonymous search engine DuckDuckGo.

Certificates and keys at risk of compromise should be revoked and replaced, particularly if they are used to protect sensitive data. Certificate Authorities, hosting companies and other interested parties can contact us for assistance in identifying affected certificates.

You can check whether your own HTTPS website might be vulnerable by running a Netcraft site report on it and looking for the RFC6520 heartbeat TLS extension. Bear in mind that advertising the extension shows exposure rather than proof of vulnerability: a patched OpenSSL 1.0.1g still negotiates heartbeats unless it was built with -DOPENSSL_NO_HEARTBEATS, while a server that does not advertise the extension at all cannot be attacked through it.

April 2014 Web Server Survey

In the April 2014 survey we received responses from 958,919,789 sites — 39 million more than last month.

Microsoft made the largest gain this month, with nearly 31 million additional sites boosting its market share by 1.9 percentage points. IIS is now used by a third of the world's websites. Although this is not Microsoft's largest ever market share (it reached 37% in October 2007), this is the closest it has ever been to Apache's leading market share, leaving Apache only 4.7 points ahead. Although Apache gained 6.9 million sites, this was not enough to prevent its market share falling by 0.87 to 37.7%. nginx, which gained 3.1 million sites, also lost some of its market share.

More than 70% of this month's new IIS-powered websites are hosted in the US, followed by 22% in China. Nearly 20 million of the new IIS sites in the US are hosted by a single company, Nobis Technology Group, which was also responsible for much of Microsoft's growth in February. A smaller amount of Microsoft IIS growth was also seen on the Windows Azure platform (which will be renamed to Microsoft Azure on April 3), where the total number of active sites has grown by 25% since February, when we compared the platform against Amazon AWS. 84% of all active sites hosted on the Azure platform are running Microsoft web server software.

Many of the new IIS sites hosted by Nobis Technology Group feature similar content and form part of a Chinese link farm. Link farming is often an attempt to influence search engine results, and each individual site within a link farm is typically of little interest to a human. Netcraft's active sites metric therefore provides a better idea of how many websites are actively managed rather than being automatically generated en masse, such as link farm content and domain holding pages. Of the 114 million sites hosted by Nobis, only a fifth are counted as active sites.

In terms of active sites, Apache remains in a much stronger position with a 52% share of the market, compared with Microsoft's 11%. A significantly higher proportion of Apache sites are active: 26% of all Apache sites were deemed to be active, whereas only 6% of Microsoft's were. nginx takes a 14% share of the active sites market, putting it 3 points ahead of Microsoft.

Apache also fares well amongst the million busiest sites, where there is intrinsically very little interference from domain holding pages, link farms and other web spam. Here Apache takes a 53% share of the market, while nginx has 18% and Microsoft has 12%. Although only 3% of the top million sites use Google web server software, Google's dominance amongst the very busiest sites gives it a presence on 8 of the top 10 sites.

Both Apache and nginx were affected by security vulnerabilities which were resolved during March, whereas Microsoft IIS has yet to be affected by publicly-known security issues this year.

The latest version of Apache (2.4.9) was released on March 17. The Apache Software Foundation describes this as representing fifteen years of innovation by the project, and this major release of the 2.4 stable branch is recommended over all previous releases. Nevertheless, it is still common for many websites to use the legacy 2.2 branch of releases, or even older versions. Apache 2.4.9 is primarily a security and bug fix release, although it also includes the changes introduced in 2.4.8, which was not actually released. A workaround for a bug in older versions of OpenSSL, which prevented the release of 2.4.8, has been included in 2.4.9.

Although Apache 2.4.8 was not released, the development version (Apache/2.4.8-dev) was found on 675 sites during this survey, which ran in March. Nearly all of these sites were running on FreeBSD servers which belonged to various Apache projects, mostly Apache HTTPD and Apache OpenOffice.

The stable branch of nginx was updated twice during March. Two bugs were resolved in nginx 1.4.6, which was released on March 4. nginx 1.4.7 was then released on March 18, addressing another bug and a heap buffer overflow vulnerability. This security vulnerability affected nginx's SPDY module, where a specially crafted request could allow a remote attacker to execute arbitrary code on a vulnerable web server. nginx is notable for its SPDY support, which is used extensively by CloudFlare and also by Automattic, which hosts millions of WordPress blogs and co-sponsored the development of the ngx_http_spdy_module. The same SPDY vulnerability also affected the mainline branch of nginx, which was resolved with the release of nginx 1.5.12.

Many of the new generic top level domains (gTLDs) are starting to appear in Netcraft's Web Server Survey in significant numbers. For example, the previous survey saw only one website using the .guru gTLD, whereas this month's survey (which ran during March) found 36 thousand. Other gTLDs which have shown significant growth since last month's survey include .photography, .today, .tips, .technology, .directory, .land, .gallery, .estate and .singles.

Amongst established TLDs, the number of sites using the .ga country code top level domain grew by 140% this month. The My GA website allows .ga domains to be registered for free for between 1 and 12 months, which has no doubt helped towards their goal of increasing the awareness of Gabon across the globe. The .ga ccTLD is administered by the Agence Nationale des Infrastructures Numériques et des Fréquences (ANINF) in Libreville, Gabon, while the registration process is provided by Freenom, who also provide free domain registrations for the more popular .tk ccTLD. Registered Freenom users are allowed an unlimited number of domain name renewals on both the .ga and .tk domains, while paying customers can choose to register domains for as long as 10 years in one go and can automatically renew the registration.

Free and easily-registerable domain names are obviously attractive to fraudsters: During February, Netcraft blocked nearly 1,500 unique phishing sites hosted on .ga domains alone, and this figure jumped to more than 2,400 in March. The vast majority of these phishing attacks targeted Chinese companies, particularly the Taobao marketplace and the Alipay online payment escrow service.





Developer    March 2014     Percent    April 2014     Percent    Change
Apache       354,956,660    38.60%     361,853,003    37.74%     -0.87
Microsoft    286,014,566    31.10%     316,843,695    33.04%     1.94
nginx        143,095,181    15.56%     146,204,067    15.25%     -0.31
Google       20,960,422     2.28%      20,983,310     2.19%      -0.09

Chrome users oblivious to Heartbleed revocation tsunami

In the aftermath of Heartbleed, it has become clear that revoking potentially compromised certificates is essential. On Thursday, CloudFlare announced it was reissuing and revoking all of its SSL certificates. The effects of CloudFlare's mass revocation are evident in a single Certificate Revocation List (CRL) belonging to GlobalSign, which grew by almost 134,000 certificates.

The vast number of CloudFlare certificates is due, in part, to the way in which it serves content over SSL. In order to work around the lack of support for Server Name Indication (SNI) in some older operating systems and mobile devices CloudFlare uses GlobalSign's Cloud SSL product. CloudFlare's SSL certificates make use of the Subject Alternative Name (SAN) extension, which allows an edge node to use a single certificate for multiple domains. When a new CloudFlare customer enables SSL, CloudFlare reissues an existing certificate with the new customer's domain added to the existing list of other customers' domains.

The number of certificates revoked per hour since 7th April. GlobalSign's OV CRL at http://crl.globalsign.com/gs/gsorganizationvalg2.crl and other CRLs have been separated.

As a result of CloudFlare's revocations, GlobalSign's CRL at http://crl.globalsign.com/gs/gsorganizationvalg2.crl has ballooned in size and now weighs in at 4.5MB. The CRL is hosted at CloudFlare itself but has nonetheless experienced some performance problems. However, the CRL's performance problems will not have had a significant effect on internet users, as most major browsers use OCSP in preference to CRLs and GlobalSign's OCSP responder did not have any performance problems.

Time to connect to http://crl.globalsign.com/gs/gsorganizationvalg2.crl from Pennsylvania

Time to connect to http://ocsp2.globalsign.com/gsorganizationvalg2 from Pennsylvania

However, most Google Chrome users are left in the dark, as Chrome performs neither type of check for non-EV certificates by default. Instead of conventional revocation checks, Google Chrome relies on an aggregated list of revocations, dubbed CRLSets, which are compiled by Google. The revocations from GlobalSign's CRL have not yet appeared in Google's CRLSets and hence Chrome users will not be warned if presented with a potentially compromised, but revoked, CloudFlare certificate.

The CRLSets deliberately do not cover all CRLs in an attempt to reduce the total size of the aggregated list. In effect, Google has traded the completeness of their revocation checking for a speed advantage over rival browsers as downloading CRLs or making OCSP requests imposes a performance penalty.

Google Chrome setting to enable revocation checking.

However, it is possible to configure Google Chrome to check for revocation. There is a checkbox in the Advanced settings menu to "Check for server certificate revocation".

February 2014 Web Server Survey

In the February 2014 survey we received responses from 920,102,079 sites — over 58 million more than last month.

Microsoft gained a staggering 48 million sites this month, increasing its total by 19% — most of this growth is attributable to new sites hosted by Nobis Technology Group. Along with Microsoft, nginx also made a large gain of 14 million sites, whereas Apache fell by 7 million. Unsurprisingly, these changes have had a dramatic effect on the overall market share of each web server vendor, with Microsoft's share growing by 3.38 percentage points to 32.8% (302 million sites) while Apache's has fallen by 3.41 to 38.2% (352 million sites).

Microsoft's market share is now only 5.4 percentage points lower than Apache's, which is the closest it has ever been. If recent trends continue, Microsoft could overtake Apache within the next few months, ending Apache's 17+ year reign as the most common web server. Apache is faring much better in both the active sites and top million sites datasets, however, where it is still dominating with just over half of the market share in both metrics.

Nearly 2% of the top million websites are now being served by CloudFlare's customised version of nginx (cloudflare-nginx), which it uses to serve web content via its globally distributed CDN edge nodes. This month's survey saw more than a thousand of the top million sites migrate to cloudflare-nginx from other web server software, including pizzahut.co.uk, pet-supermarket.co.uk, the image server used by the popular Cheezburger network of blogs, and the official PRINCE2 website which switched from Microsoft IIS 6.0 running on Windows Server 2003.

Overall, nginx powers 17.5% of the top million sites, including popular overclocking forum www.overclock.net, despite its server headers declaring that it is now using Microsoft IIS 4.1. Responses from the server also include an X-Powered-By header which claims the application is running on Visual Basic 2.0 on Rails (Visual Basic 2.0 is a long-deprecated language which was released more than 20 years ago, while Microsoft IIS 4.1 never actually existed). The server claimed to be running nginx during Netcraft's previous survey, and indeed, it exhibits characteristics which suggest it is still using nginx.

The number of sites using the .pw country-code top-level domain (ccTLD) grew by more than half this month, reaching 10M sites in total. This ccTLD is assigned to Palau, but the .pw registry has branded the domain as the Professional Web and allows domains to be registered by the general public, regardless of which country they are in. 97% of this month's new .pw sites are hosted in the US (87% at Nobis Technology Group alone), and 2.7 million of them are running on Windows.

The busiest .pw domain is the single-letter u.pw, which is used by viral social media site Upworthy. Other than that, the ccTLD remains relatively obscure, with less than 0.02% of the top million sites using .pw domains, while other single-letter domains have been sold for the modest sums of $8,000 each. Only two single-letter .pw domains actually appear within the top million sites, and there are no two-letter domains at all. Last year, Symantec noted an increase in spam messages containing URLs with .pw TLDs, and .pw later became the first TLD to adopt the Uniform Rapid Suspension (URS) rights protection mechanism.

Version 1.0 of the URS Technical Requirements were published by ICANN in October 2013, and are intended to make it faster and cheaper for trademark holders to seek resolution when there are obvious cases of infringement. URS is intended to complement rather than replace the existing Uniform Domain-Name Dispute-Resolution Policy (UDRP).





Developer    January 2014   Percent    February 2014   Percent    Change
Apache       358,669,012    41.64%     351,700,572     38.22%     -3.41
Microsoft    253,438,493    29.42%     301,781,997     32.80%     3.38
nginx        124,052,996    14.40%     138,056,444     15.00%     0.60
Google       21,280,639     2.47%      21,129,509      2.30%      -0.17

August 2013 Web Server Survey

In the August 2013 survey we received responses from 716,822,317 sites, an increase of 18 million. Based on the trends over the last six months, Netcraft expects to see 1 billion responsive sites within the next 18 months.

Apache lost a significant amount of market share this month, tumbling by 5.23 percentage points. Its market share now stands at 46.96%, the lowest since March 2009. This large change was caused by the loss of 28 million Apache sites, a large gain of 26 million sites powered by Microsoft IIS, plus other reasonably significant gains by nginx and Google. Google's growth was primarily due to 3.1 million new sites using Google's App Engine (appspot.com) infrastructure and 2.7 million new Blogger sites (blogspot.com).

The bulk of the changes in Apache and Microsoft web server market share this month can be attributed to a single hosting company: Go Daddy was previously hosting 25 million sites using Apache Traffic Server on Linux, but these are now served by Microsoft IIS 7.5. The machines still exhibit the TCP/IP characteristics of Linux, and are likely reverse proxies, each of which is serving an average of about 150 thousand sites. Apache Traffic Server first appeared at Go Daddy during Netcraft's May survey. At the time, 75% of all sites hosted by Go Daddy were using ATS, which made Go Daddy responsible for hosting 99% of all ATS sites in the world.

Remarkably, this is the first time since December 2009 that Apache has not been used by more than half of the world's websites. During that period, Apache's market share peaked at 66% in July 2011, although its greatest ever market share was observed in November 2005, when it hit 71%.

Despite speculation that the recent PRISM revelations would result in a mass exodus from American data centers and web hosting companies, Netcraft has not yet seen any evidence of this. Within the most popular 10 thousand sites, Netcraft witnessed only 40 sites moving away from US-based hosting companies. Contrary to some people's expectations, 47 sites moved to the US, which actually resulted in a net migration to the US.

This trend is also reflected by the entire web server survey, where a net sum of 270 thousand sites moved to the US from other countries (in total, 3.9 million sites moved to the US, while 3.6 million moved from the US). Germany was the most popular departure country, with nearly 1.2 million sites moving from German hosting companies. This was followed by Canada, where 803 thousand sites hopped across the border to the US.





Developer    July 2013      Percent    August 2013    Percent    Change
Apache       364,696,792    52.19%     336,622,050    46.96%     -5.23
Microsoft    137,351,211    19.65%     163,098,703    22.75%     3.10
nginx        95,017,255     13.60%     104,311,568    14.55%     0.96
Google       27,406,059     3.92%      30,550,914     4.26%      0.34

EA Games website hacked to steal Apple IDs

An EA Games server has been compromised by hackers and is now hosting a phishing site which targets Apple ID account holders.

The compromised server is used by two websites in the ea.com domain, and is ordinarily used to host a calendar based on WebCalendar 1.2.0. This version was released in September 2008 and contains several security vulnerabilities which have been addressed in subsequent releases. For example, CVE-2012-5385 details a vulnerability which allows an unauthenticated attacker to modify settings and possibly execute arbitrary code. It is likely that one of these vulnerabilities was used to compromise the server, as the phishing content is located in the same directory as the WebCalendar application.

The phishing site attempts to trick a victim into submitting his Apple ID and password. It then presents a second form which asks the victim to verify his full name, card number, expiration date, verification code, date of birth, phone number, mother's maiden name, plus other details that would be useful to a fraudster. After submitting these details, the victim is redirected to the legitimate Apple ID website at https://appleid.apple.com/cgi-bin/WebObjects/MyAppleId.woa/

The compromised server is hosted within EA's own network. Compromised internet-visible servers are often used as "stepping stones" to attack internal servers and access data which would otherwise be invisible to the internet, although there is no obvious outward facing evidence to suggest that this has happened.

In this case, the hacker has managed to install and execute arbitrary PHP scripts on the EA server, so it is likely that he can at least also view the contents of the calendar and some of the source code and other data present on the server. The mere presence of old software can often provide sufficient incentive for a hacker to target one system over another, and to spend more time looking for additional vulnerabilities or trying to probe deeper into the internal network.

As well as hosting phishing sites, EA Games is also the target of phishing attacks which try to steal credentials from users of its Origin digital distribution platform. For example, the following site — which has been online for more than a week — is attempting to steal email addresses, passwords and security question answers.

EA's Origin servers also came under attack earlier this year, causing connectivity and login problems in various EA games. A tweet by @DerpTrolling appeared to claim responsibility for the outages, while also suggesting that it was a distributed denial of service attack which caused the problems.

("Gaben" is a reference to Gabe Newell, managing director of Valve Corporation, which owns the competing Steam digital distribution platform)

Netcraft has blocked access to all phishing sites mentioned in this article, and informed EA yesterday that their server has been compromised. However, the vulnerable server — and the phishing content — is still online at the time of publication.

The Audited by Netcraft service provides a means of regularly testing internet infrastructure for old and vulnerable software, faulty configurations, weak encryption and other issues which would fail to meet the PCI DSS standard. These automated scans can be run as frequently as every day, and can be augmented by Netcraft's Web Application Security Testing service, which provides a much deeper manual analysis of a web application by an experienced security professional.