Deceptive domain and SSL certificate issued by Network Solutions

Network Solutions allowed a fraudster to register a deceptive domain name earlier this week: secure-chaseonline.com. Network Solutions also issued a valid SSL certificate for the domain, which was used for a phishing attack which targeted customers of Chase Bank.

Phishing attack targeting Chase bank on secure-chaseonline.com

The phishing site added further credibility to the attack by using an encrypted HTTPS connection. The fraudster obtained a domain-validated SSL certificate from Network Solutions, and, as with the domain, it was valid for one year from 3rd September 2013.

The SSL certificate used on secure-chaseonline.com

Although opportunities were missed to prevent the suspicious domain name being registered and the corresponding SSL certificate being issued, the certificate used by the site does at least support OCSP, which can allow the issuer to instantly revoke the certificate. However, the efficacy of this mechanism largely depends on which browser the victim is using, and how it has been configured. For example, Firefox — which does perform OCSP checks by default — will only display content from https://secure-chaseonline.com if the certificate has not been revoked. Google Chrome, on the other hand, does not perform such checks by default (for non-EV certificates).

However, as Network Solutions was also the registrar of the domain, it would have been more effective to simply suspend the domain, which is what appears to have happened yesterday:

No match for "SECURE-CHASEONLINE.COM".
>>> Last update of whois database: Thu, 05 Sep 2013 12:56:58 UTC <<<

The fraudulent SSL certificate was later revoked — the certificate's serial number can be found on Network Solutions' certificate revocation list at http://crl.netsolssl.com/NetworkSolutionsDVServerCA.crl

The CA/Browser Forum's Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates [PDF] says that certificate authorities SHALL subject high risk requests — which includes names at high risk of being used in a phishing attack — to further scrutiny prior to issuance. Netcraft's Domain Registration Risk service is ideal for both domain registrars and certificate authorities, as it judges the likelihood of a new domain being used for fraudulent activities. It identifies domains which are deceptively similar to legitimate websites run by banks and other institutions that are commonly targeted by phishing attackers.
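
The following added example (not Netcraft's Domain Registration Risk service, nor Network Solutions' or any CA's actual process) shows one way a registrar or certificate authority could flag a requested name such as secure-chaseonline.com for further scrutiny before issuance. The brand list, lure-word list, digit folding and function names are assumptions made for this illustration.

```python
import re

# Constructed lists for illustration; a real deployment would maintain far larger ones.
BRANDS = {"chase": "chase.com", "paypal": "paypal.com", "taobao": "taobao.com"}
LURE_WORDS = {"secure", "online", "login", "account", "verify", "bank"}
FOLD = str.maketrans("0135", "oles")  # digit-for-letter substitutions


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[-1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def match_brand(token):
    """Return (brand, reason) if one hostname token imitates a watched brand."""
    folded = token.translate(FOLD)
    for brand in BRANDS:
        if folded.startswith(brand) or folded.endswith(brand):
            rest = folded.replace(brand, "", 1)
            # "purchase" ends with "chase" but "pur" is not a lure word: ignore it.
            if rest == "" or rest in LURE_WORDS:
                why = "brand name" if folded == token else "brand name via digit substitution"
                return brand, why + (f" joined to lure word '{rest}'" if rest else "")
        elif abs(len(folded) - len(brand)) <= 1 and edit_distance(folded, brand) == 1:
            return brand, f"one edit away from '{brand}'"
    return None


def assess(domain):
    """Classify a requested registration or certificate name before issuance."""
    domain = domain.lower().rstrip(".")
    if domain in BRANDS.values():                 # the brand owner's own name
        return {"domain": domain, "high_risk": False, "brand": None, "reasons": []}
    labels = domain.split(".")[:-1]               # simplification: last label is the TLD
    tokens = [t for label in labels for t in re.split(r"[-_]", label) if t]
    hits = [(t, match_brand(t)) for t in tokens]
    reasons = [f"'{t}': {m[1]}" for t, m in hits if m]
    brand = next((m[0] for _, m in hits if m), None)
    if brand:
        reasons += [f"'{t}': lure word" for t in tokens if t in LURE_WORDS]
    return {"domain": domain, "high_risk": brand is not None, "brand": brand, "reasons": reasons}


if __name__ == "__main__":
    for name in ["secure-chaseonline.com", "chase.com", "purchase-orders.com", "paypa1-login.com"]:
        print(assess(name))
```

A high_risk result here means the request is routed to manual review rather than rejected outright, since one-edit matches will also catch some innocent names.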

While some phishing attacks can be identified prior to domain registration or SSL certificate issuance (such as the one described above), a significant proportion of phishing attacks make use of compromised web sites (often exploiting vulnerabilities in commonly deployed software platforms, such as WordPress). Netcraft can alert registries, SSL certificate authorities, registrars and hosting companies to phishing sites discovered using their infrastructure.

Please get in touch (sales@netcraft.com) if you would like to try out this service or for subscription information.

Free domains put Mali back on the map – for phishing

When the African nation of Mali announced that it was going to provide free .ml domains from July, their goal was to put Mali back on the map. It appears they have now succeeded, but perhaps not in the way they had intended — thanks to the free domains, Mali now has the most phishy top-level domain of any country in the world.

Nearly 6% of the .ml domains in Netcraft's survey are currently blocked for hosting phishing sites, making it by far the phishiest TLD. In comparison, the second most phishy TLD, .bt (Bhutan), has only 0.7% of its sites blocked for phishing.

.ml domains can be quickly and easily registered at Freenom, which is owned by the Netherlands-based Freedom Registry. Registrants are required to create an account with a valid email address, and a CAPTCHA is used to try and prevent automated registrations. Domains can be registered for between 1 and 12 months initially, with an unlimited number of renewals. Domains which contain more than 3 characters are free.

It is not surprising to see free domain names being used in phishing attacks, but some TLDs have managed to tackle such fraud with astounding efficacy. The .tk TLD was taken advantage of extensively by phishers in 2011, prompting its registrar, Dot TK (another subsidiary of Freedom Registry), to introduce an anti-abuse API to allow trusted partners to shut down sites that use the .tk ccTLD. This dramatically reduced the average uptime of phishing sites which used .tk domains, making it a less attractive platform for fraudsters. Indeed, .tk does not even appear within the top 50 phishiest TLDs today; however, considering .tk and .ml share the same owner, this makes it somewhat surprising to see .ml being so heavily abused already.


A Taobao (Chinese shopping site) phish using a .ml domain, hosted in the US.

Despite the obvious appeal of a free and easily registered domain name when orchestrating a phishing attack, the phishiest TLDs are not always free, nor easy to register. Back in June, Morocco had the phishiest TLD (.ma), although it has since fallen to 12th place. As well as not being free, the administrative contact for an .ma domain must be established in Morocco; however, people living outside Morocco can still register an .ma domain through third parties.

Netcraft provides services to help protect domain registries, brand owners and hosting companies. You can also protect yourself against the latest phishing attacks by installing Netcraft's Anti-Phishing Extension and help protect the internet community by reporting potential phishing sites to Netcraft by email to scam@netcraft.com or at http://toolbar.netcraft.com/report_url

September 2013 Web Server Survey

In the September 2013 survey we received responses from 739,032,236 sites, 22.2M more than last month.

nginx gained 7.4M hostnames this month, and the web server is now used by more than 15% of the web. Within the Million Busiest websites, however, nginx's market share dipped slightly but remains just under 15%. Seeking to capitalise on nginx's success (usage of nginx has almost doubled in the last two years), Nginx Inc. has launched nginx Plus, a commercial variant of the nginx web server. nginx Plus provides additional services not available in the open-source version including on-the-fly configuration which has drawn mixed feedback from the community.

Apache contributed most to this month's growth, with a net gain of 9.7M hostnames; however, for the second consecutive month, Apache's market share remains below 50%. Apache's market share has been falling steadily since June 2012 (when it had a 64% share of the market) — despite its current downward trend, Apache is still the most commonly seen web server, and its market share is greater than that of nginx, Microsoft, and Google combined. Microsoft, on the other hand, had the largest drop in hostnames this month, 2.4M, and lost market share across all sites and within the Million Busiest sites. Microsoft is getting closer to the official release of Windows Server 2012 R2 on 18th October 2013. Even before the official release, IIS 8.5 is seemingly in use already — more than 300 sites reported using IIS/8.5 during this month's survey.

At the end of August, ICANN signed 13 new generic top level domain (gTLD) agreements with a number of private organizations. The agreements define new gTLDs including .estate, .guru, .voyage and .holdings. These agreements follow the first set, published in July, that have been signed since ICANN decided to drop a number of restrictions on top level domain name registrations. Netcraft has not yet seen any domains within the four TLDs agreed in July (all of which use non-Latin characters encoded using the punycode representation).

In a study published earlier in August by ICANN assessing dotless domain security and stability, a number of key risks have been identified that ICANN will need to mitigate before dotless gTLDs (e.g. accessing http://com/ directly) can be safely implemented. This puts on hold Google’s intentions to run .search as a dotless domain (http://search). The .home and .corp gTLD applications are also on hold, and identified as high risk after a study was published addressing the consequences of name collisions.





Developer   August 2013   Percent   September 2013   Percent   Change
Apache      336,622,050   46.96%    346,288,706      46.86%    -0.10
Microsoft   163,098,703   22.75%    160,691,763      21.74%    -1.01
nginx       104,311,568   14.55%    111,680,078      15.11%    0.56
Google      30,550,914    4.26%     34,806,502       4.71%     0.45

Most Reliable Hosting Company Sites in August 2013

Rank  Company site          OS                   Outage (hh:mm:ss)  Failed Req%  DNS    Connect  First byte  Total
1     Multacom              FreeBSD              0:00:00            0.000        0.176  0.105    0.212       0.529
2     Hyve Managed Hosting  Linux                0:00:00            0.007        0.272  0.069    0.138       0.140
3     Bigstep               Linux                0:00:00            0.007        0.303  0.070    0.144       0.260
4     www.dinahosting.com   Linux                0:00:00            0.007        0.215  0.098    0.195       0.195
5     Netcetera             Windows Server 2012  0:00:00            0.010        0.079  0.074    0.158       0.305
6     CWCS                  Linux                0:00:00            0.010        0.234  0.127    0.217       0.564
7     iWeb                  Linux                0:00:00            0.013        0.160  0.084    0.166       0.166
8     Swishmail             FreeBSD              0:00:00            0.017        0.134  0.068    0.136       0.182
9     INetU                 Windows Server 2003  0:00:00            0.017        0.147  0.080    0.207       0.454
10    Server Intellect      Windows Server 2008  0:00:00            0.027        0.095  0.096    0.193       0.480


Multacom had the most reliable hosting company site in August 2013, with no failed requests and an average connection time of 0.105s. Multacom operates out of two secure data centres in Los Angeles, and focuses on providing shared and dedicated hosting services.

In second and third place were Hyve Managed Hosting and Bigstep. Both sites had only two failed requests, but Hyve's slightly shorter time to connect gave it the edge over Bigstep. Hyve provides managed hosting options from data centres across America, as well as in Shanghai, Hong Kong, and London. Hyve also handles hosting for several major international firms, including British Airways, Tesco and Nokia. Bigstep, which provides hosting services for "big data" companies, continues to maintain its impressive record since Netcraft started monitoring its performance, with a consistent 100% uptime over 5 months.

For the first time since May, hosting companies running Windows Server ranked in the top ten: Netcetera's website runs on Windows Server 2012, INetU use Windows Server 2003 and Server Intellect use Windows Server 2008. The most reliable hosting company site, Multacom, runs FreeBSD (as does last month's most reliable site, Swishmail). All other sites in the top ten run on Linux.

Netcraft measures and makes available the response times of around forty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.

From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as this gives a pointer to reliability of routing, and this is why we choose to rank our table by fewest failed requests, rather than shortest periods of outage. If the number of failed requests is equal, sites are ranked by average connection time.

Information on the measurement process and current measurements is available.

Estimating the value of hosting companies by counting computers

Is it possible to estimate the revenue of a hosting company based on its public presence — that is, is the number of websites it hosts directly proportional to its market value? By using the market capitalisation (or acquisition purchase price, where appropriate) as a valuation and examining the number of web-facing computers, a striking pattern emerges.

Valuation of a hosting company against the number of web-facing computers found in August 2013.
Blue = "pure" hosting company; Orange = significant other areas of business. The dashed line is based only on pure hosting companies.
†Go Daddy’s valuation is based on its 2011 buyout offer, adjusted for growth in web-facing computers and for inflation.

Amongst the hosting companies examined, there is a fairly strong correlation between the number of web-facing computers and the valuation of the hosting company: the more computers visible at a hosting company, the higher the valuation. Considering only pure hosting companies (without significant other business, marked in blue), the average value per web-facing computer is circa $43,000.

An average company value per web-facing computer on the order of tens of thousands of dollars may seem surprisingly high, but there is, of course, more to it than the cost of a single computer. The number of web-facing computers does not take into account the potentially large number of computers used behind the scenes, which may vary from hosting company to hosting company depending on business model — there are likely to be fewer hidden computers at a shared hosting provider than at a cloud hosting provider.

Even with the same number of web-facing computers, the valuation of a hosting company can vary due to the quality of the physical hardware, the network infrastructure, and also sales and support staff. Most important is the current and future revenue, and hence profit, that each web-facing computer can generate.

This average value per web-facing computer masks a great deal of variation between hosting companies:

Hosting company     Value per web-facing computer (USD)
DADA                $15.3k
Peer 1              $30.0k
SoftLayer           $49.7k
iomart              $52.3k
United Internet*    $66.8k
Internap*           $67.3k
Rackspace           $68.1k
Go Daddy*           $177.2k

Value (USD) per web-facing computer. Companies marked with a * have significant other areas of business.

Comparing two competitors in the managed hosting market, Rackspace and Peer 1, highlights a significant difference in the valuation based on web-facing computers. Each web-facing computer at Rackspace is valued at twice as much as one at Peer 1; perhaps this reflects the value of Fanatical Support and the flexibility of Rackspace's OpenStack-based cloud.

Go Daddy's valuation of $4.1bn is based on a deal in 2011 (adjusted for both inflation and computer growth), which reportedly amounted to $2.25bn for 65% of the company. This valuation is greater than expected from the number of computers at Go Daddy, but this difference could be explained by its equally prominent role as the largest ICANN-accredited domain name registrar.

SoftLayer is in the process of being acquired by IBM, who say the acquisition will strengthen their leadership position in cloud computing and help speed business adoption of public and private cloud solutions. Financial terms were not disclosed, but the deal is speculated to be worth more than $2bn.

The correlation between computers and market value can be used not only to estimate the value of private companies which have never been sold before, but also to estimate the value of the hosting divisions within much larger companies, such as Amazon.

Amazon's market capitalisation stands at around $131bn today, but the majority of its revenue comes from online retailing. A valuation based on computer counting would suggest that its hosting division, Amazon Web Services, could be worth approximately $7.8bn, around 6% of Amazon's entire market value. Based on its Q2 2013 earnings report, Amazon's AWS division (within the Other category) accounted for 5.7% of its total revenue between 1st April and 30th June 2013.

Netcraft has developed a technique for identifying the number of computers (rather than IP addresses) acting as web servers on the Internet, providing an independent view with a consistent methodology on the number of web-facing computers at each hosting location worldwide. For more information, see our Hosting Provider Server Count.

August 2013 Web Server Survey

In the August 2013 survey we received responses from 716,822,317 sites, an increase of 18 million. Based on the trends over the last six months, Netcraft expects to see 1 billion responsive sites within the next 18 months.

Apache lost a significant amount of market share this month, tumbling by 5.23 percentage points. Its market share now stands at 46.96%, the lowest since March 2009. This large change was caused by the loss of 28 million Apache sites, a large gain of 26 million sites powered by Microsoft IIS, plus other reasonably significant gains by nginx and Google. Google's growth was primarily due to 3.1 million new sites using Google's App Engine (appspot.com) infrastructure and 2.7 million new Blogger sites (blogspot.com).

The bulk of the changes in Apache and Microsoft web server market share this month can be attributed to a single hosting company: Go Daddy was previously hosting 25 million sites using Apache Traffic Server on Linux, but these are now served by Microsoft IIS 7.5. The machines still exhibit the TCP/IP characteristics of Linux, and are likely reverse proxies, each of which is serving an average of about 150 thousand sites. Apache Traffic Server first appeared at Go Daddy during Netcraft's May survey. At the time, 75% of all sites hosted by Go Daddy were using ATS, which made Go Daddy responsible for hosting 99% of all ATS sites in the world.

Remarkably, this is the first time since December 2009 that Apache has not been used by more than half of the world's websites. During that period, Apache's market share peaked at 66% in July 2011, although its greatest ever market share was observed in November 2005, when it hit 71%.

Despite speculation that the recent PRISM revelations would result in a mass exodus from American data centers and web hosting companies, Netcraft has not yet seen any evidence of this. Within the most popular 10 thousand sites, Netcraft witnessed only 40 sites moving away from US-based hosting companies. Contrary to some people's expectations, 47 sites moved to the US, which actually resulted in a net migration to the US.

This trend is also reflected by the entire web server survey, where a net sum of 270 thousand sites moved to the US from other countries (in total, 3.9 million sites moved to the US, while 3.6 million moved from the US). Germany was the most popular departure country, with nearly 1.2 million sites moving from German hosting companies. This was followed by Canada, where 803 thousand sites hopped across the border to the US.





Developer   July 2013     Percent   August 2013   Percent   Change
Apache      364,696,792   52.19%    336,622,050   46.96%    -5.23
Microsoft   137,351,211   19.65%    163,098,703   22.75%    3.10
nginx       95,017,255    13.60%    104,311,568   14.55%    0.96
Google      27,406,059    3.92%     30,550,914    4.26%     0.34