Most Reliable Hosting Company Sites in May 2013

Rank Performance Graph OS Outage hh:mm:ss Failed Req% DNS Connect First byte Total
1 Qube Managed Services Linux 0:00:00 0.006 0.099 0.045 0.091 0.091
2 Datapipe FreeBSD 0:00:00 0.009 0.073 0.016 0.033 0.051
3 ServerStack Linux 0:00:00 0.009 0.077 0.066 0.134 0.134
4 Bigstep Linux 0:00:00 0.009 0.269 0.071 0.143 0.143
5 iWeb Linux 0:00:00 0.009 0.121 0.073 0.144 0.144
6 www.dinahosting.com Linux 0:00:00 0.012 0.178 0.098 0.198 0.198
7 XILO Communications Ltd. Linux 0:00:00 0.015 0.218 0.076 0.361 0.517
8 Swishmail FreeBSD 0:00:00 0.018 0.110 0.062 0.124 0.226
9 INetU Windows Server 2008 0:00:00 0.018 0.130 0.072 0.236 0.456
10 Virtual Internet Linux 0:00:00 0.018 0.165 0.074 0.324 0.453

Qube Managed Services had the most reliable hosting company site in May, with only 2 failed requests. Qube specialises in providing managed hosting from three data centres in London, New York and Zurich. Qube was founded in 2001 and provides services to a number of notable clients, including Betfair (a large betting exchange) and blinkbox (a video streaming service from Tesco in the UK). Qube has appeared in the top 10 over twenty times since Netcraft began monitoring it in March 2010 and has now ranked in 1st place four times.

Datapipe and ServerStack placed 2nd and 3rd, both narrowly missing the top spot by a single failed request. Datapipe had the lowest average connection time out of all the top 10 sites, which breaks the tie with ServerStack in its favour. Datapipe has continued to maintain its 100% uptime record, having recently passed the milestone of 100% uptime over 7 years despite some of its nine data centres being in the path of hurricanes, typhoons, and a snowstorm. ServerStack has now been monitored by Netcraft for seven months and has already appeared in the top 10 four times. The company's 100% uptime SLA offers 5% credit for every half hour of sustained unscheduled downtime.

All but three of May's top 10 most reliable hosting companies hosted their own sites on Linux, including Qube in 1st place, ServerStack in 3rd place and Bigstep in 4th place, which made its debut entry in the table last month. FreeBSD is used by 2nd place Datapipe and last month's winner Swishmail (this month in 8th place). INetU was the only hosting company in the top 10 to host its site on Windows Server 2008.

Netcraft measures and makes available the response times of around forty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.

From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as this gives a pointer to reliability of routing, and this is why we choose to rank our table by fewest failed requests, rather than shortest periods of outage. In the event that the number of failed requests is equal, sites are ranked by average connection time.

Information on the measurement process and current measurements is available.

OCSP Server Performance in April 2013

Rank Performance Graph OS Outage hh:mm:ss Failed Req% DNS Connect First byte Total
1 ocsp.starfieldtech.com Linux 0:00:00 0.013 0.111 0.023 0.043 0.043
2 ocsp.trendmicro.com/tmca Citrix Netscaler 0:00:00 0.019 0.043 0.099 0.200 0.200
3 ocsp.entrust.net Linux 0:00:00 0.022 0.251 0.014 0.249 0.249
4 ocsp.godaddy.com Linux 0:00:00 0.022 0.164 0.021 0.041 0.041
5 ocsp.digicert.com Linux 0:00:00 0.022 0.027 0.026 0.051 0.051
6 ocsp.quovadisglobal.com Windows Server 2003 0:00:00 0.032 0.021 0.116 0.222 0.222
7 ocsp.verisign.com Citrix Netscaler 0:00:00 0.038 0.050 0.084 0.168 0.168
8 evsecure-ocsp.verisign.com Citrix Netscaler 0:00:00 0.041 0.239 0.085 0.168 0.168
9 ocsp.thawte.com Citrix Netscaler 0:00:00 0.044 0.041 0.083 0.165 0.165
10 ocsp.startssl.com/sub/class4/server/ca Linux 0:00:00 0.047 0.086 0.011 0.041 0.041

Starfield Technologies had the most reliable OCSP responder during April, failing to respond to only 4 of Netcraft's OCSP requests. Starfield also had the most reliable responder in March, but showed a slight improvement to its average connection times in April. Starfield was founded as the technology and research branch of Go Daddy in 2003, and Go Daddy customers can choose to have their SSL certificates issued by either Starfield or Go Daddy.

Trend Micro had the second most reliable OCSP responder, which failed to respond to only 6 requests. However, this could be one of the survey's least busy responders: Netcraft's April 2013 SSL Survey discovered only 113 valid SSL certificates issued by Trend Micro, all of which are organisation validated. 29 of these certificates are used by a single organisation, Florida Hospital.

StartCom (which operates StartSSL) once again exhibited the fastest connection times, taking only a hundredth of a second to establish a TCP connection for one of its OCSP URLs. However, its reliability was only just good enough to make it into the top ten — in total, 15 requests to http://ocsp.startssl.com/sub/class4/server/ca failed during April.

Linux is the most popular choice of operating system on which to run an OCSP responder, and it certainly seems to perform well with regard to connection times: all of the top 25 fastest OCSP responders used Linux in April. In terms of failed requests, though, the distribution of Citrix Netscaler appliances is skewed towards the more reliable end of the spectrum — of the five responders that were using Netscaler, four of them feature in the top ten. QuoVadis's OCSP responder, which was sixth most reliable in April, is one of only two responders that ran on Windows.

On April 24, nginx 1.4.0 stable was released, incorporating several new features that had previously only been released in development branches of the web server. One of the most important performance features is that nginx now supports OCSP stapling. This feature is designed to improve performance by allowing secure websites to "staple" a cached OCSP response to the TLS handshake, removing the need for the client browser to make a second, separate connection to the certificate authority's OCSP responder.

The Online Certificate Status Protocol (OCSP) is an alternative method to Certificate Revocation Lists (CRLs) for obtaining the revocation status of an individual SSL certificate. Fast and reliable OCSP responders are essential for both Certificate Authorities (CAs) and their customers — a slow OCSP response will introduce an additional delay before many browsers can start sending and receiving encrypted traffic over an HTTPS connection.

Most Reliable Hosting Company Sites in April 2013

Rank Performance Graph OS Outage hh:mm:ss Failed Req% DNS Connect First byte Total
1 Swishmail FreeBSD 0:00:00 0.000 0.106 0.062 0.124 0.267
2 INetU Windows Server 2008 0:00:00 0.000 0.125 0.073 0.236 0.454
3 iWeb Linux 0:00:00 0.003 0.127 0.071 0.142 0.142
4 Server Intellect Windows Server 2008 0:00:00 0.003 0.074 0.092 0.185 0.464
5 Midphase Linux 0:00:00 0.003 0.215 0.109 0.222 0.338
6 Qube Managed Services Linux 0:00:00 0.006 0.100 0.046 0.093 0.093
7 Bigstep Linux 0:00:00 0.006 0.266 0.071 0.143 0.143
8 Hyve Managed Hosting Linux 0:00:00 0.006 0.252 0.074 0.145 0.151
9 Datapipe FreeBSD 0:00:00 0.009 0.068 0.016 0.032 0.049
10 Pair Networks FreeBSD 0:00:00 0.016 0.231 0.077 0.157 0.486

Swishmail had the most reliable hosting company site in April 2013, with no failed requests. Swishmail has a presence in three New York data centres which proved to be resilient when Swishmail stayed online in October whilst being hit by Hurricane Sandy, despite New York being in the centre of much of the damage. Swishmail offers a variety of managed web hosting plans in addition to its core service of enterprise-grade email hosting. Swishmail has been monitored by Netcraft since April 2007.

In second place is INetU which also had no failed requests, but it missed the top spot by just 11ms due to using the average connect time as the tie-breaker. INetU offers dedicated managed hosting services and cloud hosting services from ten data centres in the US and Europe including a new data centre in Seattle. Netcraft has been monitoring INetU since June 2003.

iWeb is in third place again following last month's success; it narrowly missed second place by having a single failed request. iWeb is based in Montréal where it has four data centres.

Newcomers Bigstep and Midphase have made their debut top 10 entries, after being monitored for one month and six months respectively. Hyve placed 8th this month, its third appearance since Netcraft began monitoring it in November, having maintained 100% uptime over 5 months.

Swishmail, April's most reliable hosting company, runs its site on FreeBSD. Two other sites in this month's top ten are running FreeBSD – Datapipe, which was top last month and has an impressive 100% uptime over 7 years, and Pair Networks. Both INetU in second place, and Server Intellect in fourth place, are running Windows Server 2008. The remaining five – including iWeb in third place – use Linux.

Netcraft measures and makes available the response times of around forty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.

From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as this gives a pointer to reliability of routing, and this is why we choose to rank our table by fewest failed requests, rather than shortest periods of outage. In the event that the number of failed requests is equal, sites are ranked by average connection time.

Information on the measurement process and current measurements is available.

OCSP Server Performance in March 2013

Rank Company site OS Outage hh:mm:ss Failed Req% DNS Connect First byte Total
1 ocsp.starfieldtech.com Linux 0:00:00 0.003 0.076 0.024 0.043 0.043
2 ocsp.verisign.com Citrix Netscaler 0:00:00 0.006 0.051 0.081 0.162 0.162
3 ocsp.thawte.com Citrix Netscaler 0:00:00 0.006 0.041 0.083 0.164 0.164
4 ocsp.godaddy.com Linux 0:00:00 0.015 0.161 0.025 0.044 0.044
5 ocsp.startssl.com/sub/class4/server/ca Linux 0:00:00 0.018 0.068 0.011 0.056 0.056
6 evsecure-ocsp.verisign.com Citrix Netscaler 0:00:00 0.018 0.228 0.082 0.163 0.163
7 ocsp.trendmicro.com/tmca Citrix Netscaler 0:00:00 0.018 0.050 0.099 0.200 0.201
8 evintl-ocsp.verisign.com Citrix Netscaler 0:00:00 0.024 0.261 0.082 0.162 0.162
9 ocsp.startssl.com/sub/class2/server/ca Linux 0:00:00 0.027 0.049 0.011 0.057 0.057
10 ocsp.xi.tcclass2-ii.trustcenter.de Linux 0:00:00 0.027 0.199 0.090 0.197 0.197

The Online Certificate Status Protocol (OCSP) is an alternative method to Certificate Revocation Lists (CRLs) for obtaining the revocation status of an individual SSL certificate. Fast and reliable OCSP responders are essential for both Certificate Authorities (CAs) and their customers — a slow OCSP response will introduce an additional delay before many browsers can start sending and receiving encrypted traffic over an HTTPS connection.

Starfield Technologies, a Go Daddy brand, had the most reliable OCSP responder last month with only a single failed request and an average connection time of 24ms. Starfield Technologies was founded in 2003 as the technology research branch of Go Daddy. Go Daddy customers have the option to choose which issuing organization to use when buying an SSL certificate. Although both Go Daddy and Starfield appear to share the same OCSP responder infrastructure, ocsp.godaddy.com had five failed requests; however, this was still fewer than StartCom, Symantec, and Trend Micro. Both Go Daddy and Starfield issue certificates in all three certificate assurance categories: Domain Validation (DV), Organisation Validation (OV), and Extended Validation (EV). Starfield is most prominent in the EV sector — more than 15% of all EV certificates issued within the group are issued by Starfield — but it remains only a small part of Go Daddy's SSL certificate business: Starfield accounts for just 10% of certificates issued.

StartCom had the shortest average connect time (11ms) of all monitored CAs last month after having moved its OCSP infrastructure at the end of February. StartCom, as well as Entrust, now delivers its OCSP responses via the Akamai CDN (Content Delivery Network), reducing the OCSP connection overhead to a minimum by serving content from as topologically close as possible to the client. GlobalSign is a CloudFlare evangelist, using CloudFlare's CDN platform for its OCSP and CRL infrastructure as well as its own corporate website.

Many of the monitored OCSP responders are served by Citrix Netscaler devices. Citrix Netscaler is a hardware appliance that provides, amongst other features, load balancing and firewall functions. The use of such load balancing technology is no surprise — a single certificate on a popular site that does not use OCSP stapling could generate a significant number of OCSP requests, causing a CA's responder to experience high volumes of traffic.

In many circumstances each connection to an HTTPS site could trigger multiple OCSP requests: a request for the server's certificate and one for each intermediate certificate. OCSP responses are typically valid for a week, so some caching is possible. Caching can both reduce the burden on OCSP responders and increase the perceived performance of HTTPS websites to users, but is limited to repeat visits. OCSP Stapling is designed to improve performance by allowing the web site's server to “staple” the OCSP response to the TLS handshake, removing the need for the client to connect to the CA's OCSP responder.

Netcraft measures and makes available the OCSP and CRL end point response times of all the major Certificate Authorities (CAs). The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.

Certificate revocation and the performance of OCSP

Certificate revocation is a critical aspect of maintaining the security of the third-party Certificate Authority (CA) infrastructure which underpins secure communication on the internet using SSL/TLS. A certificate may be worth revoking when it has had its private key compromised, the owner of the certificate no longer controls the domain for which it was issued, or the certificate was mistakenly signed. Without the ability to revoke certificates, a CA has no direct means of marking a certificate as untrusted before the expiry of the certificate, which could be several years away. In particularly urgent cases a browser vendor may have the ability to block certain individual certificates, trusted roots, or intermediate certificates, but this is rarely performed and is not suitable for lower-risk issues where revocation is necessary but not urgent.

There are two main technologies for browsers to check the revocation status of a particular certificate: using the Online Certificate Status Protocol (OCSP) or looking up the certificate in a Certificate Revocation List (CRL). OCSP provides real-time revocation information about an individual certificate from an issuing CA, unlike CRLs which provide a list of revoked certificates and may be received by clients less frequently.

The graph below shows a comparison of the time taken for the TLS handshake, both with and without OCSP checking enabled. The data was collected using packet traces taken while using Firefox 20 on Linux from an IP address in the UK. Measurements were taken three times (each time with a fresh cache) after discarding an initial request.

The relationship between whether OCSP checking is enabled and the time taken to complete the TLS handshake is not straightforward. In order for the browser to display the "green bar" to distinguish an Extended Validation (EV) certificate, OCSP requests must be made for every certificate in the chain, whereas in many browsers, if an OCSP request is made at all, intermediate certificates are not checked. The increased time taken for the TLS handshake when using an EV certificate can be attributed to Firefox's sequential OCSP checking behaviour. However, where an OCSP check can be performed within the round-trip time to the server — for example, if the OCSP responder is served via a content delivery network or CDN — the check does not dramatically affect the time taken for the TLS handshake. When both the web server and the OCSP responder are topologically close to the client, as is the case with www.globalsign.com, the short round-trip time to the server isn't sufficient to mask the time taken to receive OCSP responses for both the web site's certificate and the intermediate certificate presented. The slight difference between PayPal and GlobalSign's performance can at least partially be attributed to the additional OCSP request made for GlobalSign: GlobalSign's certificate chain requires three OCSP requests whereas PayPal's requires just two.

Reliability of RapidSSL's OCSP responder — December 2012

Netcraft has extracted around 40 OCSP responder URLs from certificates seen in the Netcraft SSL server survey, and has been monitoring them since late November 2012. The performance and reliability of the services varies significantly: Symantec's VeriSign OCSP responder has had consistently solid reliability, with only a handful of connections failing over a 4 month period, whereas in the same period more than 6% of requests to one of StartCom's responders failed. The reliability and performance of StartCom's OCSP responders have improved significantly since the end of February 2013 when it switched to using Akamai. GeoTrust, another Symantec brand, did not have as strong a performance as either Thawte or VeriSign — all three of GeoTrust's OCSP servers were down for between 48 and 104 minutes in a single event. Performance and reliability are measured from 11 points spread around Europe and North America: outages require at least one failed response from all measurement nodes within the 15-minute measurement interval.
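The outage rule above and the ranking rule used in the tables (fewest failed requests, ties broken by average connect time) can be sketched as follows. This is an added example, not Netcraft's code: the probe records, the site and node names, and the use of 3 nodes instead of 11 are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

INTERVAL = 15 * 60  # seconds: the 15-minute measurement interval from the text


@dataclass(frozen=True)
class Probe:
    site: str
    node: str       # measurement point that made the request
    ts: int         # seconds since the start of the sample window
    ok: bool        # False when the request failed
    connect: float  # TCP connect time in seconds (ignored when ok is False)


def failed_pct(probes):
    """Percentage of requests that failed."""
    return 100.0 * sum(not p.ok for p in probes) / len(probes)


def avg_connect(probes):
    """Mean connect time over successful requests only."""
    times = [p.connect for p in probes if p.ok]
    return sum(times) / len(times) if times else float("inf")


def outage_intervals(probes, nodes):
    """Intervals in which every measurement node saw at least one failure."""
    failed_nodes = defaultdict(set)
    for p in probes:
        if not p.ok:
            failed_nodes[p.ts // INTERVAL].add(p.node)
    return sorted(i for i, seen in failed_nodes.items() if seen >= nodes)


def rank(probes):
    """Rank sites by failed-request percentage, then by average connect time."""
    nodes = {p.node for p in probes}
    by_site = defaultdict(list)
    for p in probes:
        by_site[p.site].append(p)
    rows = [{"site": site,
             "failed_pct": failed_pct(ps),
             "avg_connect": avg_connect(ps),
             "outages": outage_intervals(ps, nodes)}
            for site, ps in by_site.items()]
    rows.sort(key=lambda r: (r["failed_pct"], r["avg_connect"]))
    return rows


def sample_probes():
    """Constructed data: 4 hypothetical sites, 3 nodes, 4 intervals."""
    connect = {"ocsp.a.example": 0.030, "ocsp.b.example": 0.011,
               "ocsp.c.example": 0.020, "ocsp.d.example": 0.015}
    failures = {("ocsp.c.example", "n1", 0),   # one node only: not an outage
                ("ocsp.c.example", "n1", 2),   # interval 2: all three nodes
                ("ocsp.c.example", "n2", 2),   # fail, so it counts as an
                ("ocsp.c.example", "n3", 2),   # outage
                ("ocsp.d.example", "n2", 1)}   # one node only: not an outage
    return [Probe(s, n, i * INTERVAL + 5, (s, n, i) not in failures, c)
            for s, c in connect.items()
            for n in ("n1", "n2", "n3")
            for i in range(4)]


if __name__ == "__main__":
    for row in rank(sample_probes()):
        print(f'{row["site"]:16} {row["failed_pct"]:6.3f}% '
              f'{row["avg_connect"]:.3f}s outages={row["outages"]}')
```

A failure seen from a single node raises the failed-request percentage without registering as an outage, which is why the tables can show 0:00:00 outage time alongside a non-zero failure rate.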

Shift in reliability and performance for StartCom — late February 2013

For those browsers performing a synchronous OCSP request during the TLS handshake, the performance of the OCSP responder is often crucial. Any delay in responding to the request may noticeably slow down the handshake. For example, comparing GlobalSign's CloudFlare-accelerated OCSP responder with Entrust's, you find that GlobalSign's responder is significantly faster than Entrust's which uses Akamai's CDN. However, despite GlobalSign's performance advantage, its reliability has been affected by a number of CloudFlare outages — since Netcraft began monitoring OCSP, GlobalSign's responders have had at least 45 minutes of downtime whereas Entrust has had none.

GlobalSign (blue) and Entrust (green) OCSP responder performance.

OCSP responses can be stapled to a response from a web server when negotiating the TLS handshake to avoid the need for the browser to make a secondary request to a third party server. CloudFlare has claimed that enabling OCSP stapling has led to a 30% speed improvement for HTTPS sites. OCSP stapling support is present in newer versions of nginx — an increasingly popular open source web server — as a result of a development project sponsored by GlobalSign, DigiCert, and Comodo. OCSP stapling is not supported in the most popular version of Apache, 2.2.x, nor is it supported in current versions of Firefox (although support is in the pipeline), so it must remain only part of the solution for the foreseeable future. Frustrated by some of the limitations of OCSP, some CAs have lent support to a proposed alternative revocation method using short lived certificates.

Browser support for both OCSP and CRLs is mixed: currently, Firefox does not automatically download the CRLs from trusted CAs, so Firefox users must rely on OCSP alone; Google uses a proprietary mechanism to distribute CRLs to users of Google Chrome which aggregates per-CA CRLs into a single update which is distributed using its automatic update channel. Many browsers default to a "soft-fail" approach, leaving users vulnerable to eavesdroppers able to block or tamper with OCSP traffic. For as long as the CAs running OCSP responders do not have a strong record for both the performance and the reliability of their OCSP responders, browsers will find it difficult to justify switching to synchronous "hard-fail" behaviour.
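The interaction between stapling, caching and the soft-fail and hard-fail policies can be modelled as a client-side decision function. This is an added example, not any browser's implementation: the `OcspResponse` type, the `check_revocation` function and the sample responses are hypothetical, signature verification of the response is assumed to have happened already, and any status other than "good" is treated as a rejection.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional


@dataclass(frozen=True)
class OcspResponse:
    status: str            # "good" or "revoked" in this model
    this_update: datetime  # start of the validity window
    next_update: datetime  # end of the validity window

    def fresh(self, now: datetime) -> bool:
        return self.this_update <= now < self.next_update


def check_revocation(now: datetime,
                     stapled: Optional[OcspResponse],
                     cached: Optional[OcspResponse],
                     fetch: Callable[[], OcspResponse],
                     hard_fail: bool):
    """Return (accept, reason) for one certificate."""
    # A fresh stapled or cached response needs no connection to the CA.
    for source, resp in (("stapled", stapled), ("cached", cached)):
        if resp is not None and resp.fresh(now):
            return resp.status == "good", f"{source}:{resp.status}"
    # Otherwise the client must reach the responder itself.
    try:
        resp = fetch()
    except OSError:        # responder down, timed out, or its traffic blocked
        resp = None
    if resp is not None and resp.fresh(now):
        return resp.status == "good", f"fetched:{resp.status}"
    # No usable answer: the policy alone decides the outcome.
    if hard_fail:
        return False, "hard-fail:no-answer"
    return True, "soft-fail:no-answer"


# Constructed sample data; validity of one week, as the text describes.
NOW = datetime(2013, 4, 18, 12, 0, tzinfo=timezone.utc)
WEEK = timedelta(days=7)
FRESH_GOOD = OcspResponse("good", NOW - timedelta(days=1), NOW - timedelta(days=1) + WEEK)
STALE_GOOD = OcspResponse("good", NOW - timedelta(days=8), NOW - timedelta(days=8) + WEEK)
REVOKED = OcspResponse("revoked", NOW - timedelta(hours=1), NOW - timedelta(hours=1) + WEEK)


def responder_says_revoked() -> OcspResponse:
    return REVOKED


def responder_unreachable() -> OcspResponse:
    raise ConnectionError("no route to OCSP responder")


if __name__ == "__main__":
    cases = [
        ("revoked, responder reachable", None, responder_says_revoked, False),
        ("responder unreachable, soft-fail", None, responder_unreachable, False),
        ("responder unreachable, hard-fail", None, responder_unreachable, True),
        ("fresh staple, responder unreachable", FRESH_GOOD, responder_unreachable, True),
        ("expired staple, responder unreachable", STALE_GOOD, responder_unreachable, True),
    ]
    for name, staple, fetch, hard in cases:
        print(name, "->", check_revocation(NOW, staple, None, fetch, hard))
```

The second and third cases differ only in policy: with no answer from the responder, soft-fail accepts the certificate and hard-fail rejects it, while a fresh stapled response lets a hard-fail client proceed without contacting the CA at all.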

Updated 18/04/2013

Mt.Gox “victim of own success” as Bitcoins fall in value

After days of intense growth, Bitcoins peaked at an unprecedented value of $266 last night, shortly before a crash which saw some investors selling them for as little as $105.


Value of 1 Bitcoin (BTC) in USD, midday 10 April - midday 11 April 2013 BST. [Source: Mt.Gox]

The Bitcoin market showed signs of recovery the following morning, but started falling again during an outage at Mt.Gox, which handles the majority of all Bitcoin trade.

Mt.Gox announced on Facebook that last night's crash was not caused by a DDoS (distributed denial of service) attack, but was rather the result of increased trade and new users signing up. The increased trade caused the Mt.Gox trading system to lag, which caused panic amongst some investors who started "cashing out" their Bitcoins, further exacerbating the situation until the trade engine froze.

Mt.Gox also revealed that the number of trades had tripled in a 24 hour period, and the number of new accounts jumped from 60,000 in March to 75,000 in just the first few days of April. Around 20,000 accounts are now being created each day, which is not surprising, given the potential investment value that has become widely evident over the past few weeks.

One investor was fortunate enough to have sold nearly 70,000 Bitcoins ahead of the crash. These would have been worth more than $18 million if sold at the very peak of the market, which demonstrates just how remarkable the growth has been — less than 3 years ago, 10,000 Bitcoins were used to buy $25's worth of pizza.

Mt.Gox went down for a short period late this morning (Thursday) while it performed some system maintenance and added several new servers to its system; however, as soon as this maintenance was completed, Mt.Gox was subjected to another DDoS attack.

mtgox.com is hosted by Prolexic, a company specialising in DDoS protection and mitigation, whilst the read-only APIs on data.mtgox.com are served via CloudFlare's content delivery network.

Dynamically updating performance graphs of the most popular Bitcoin trading sites are available here.