October 2015 Web Server Survey

In the October 2015 survey we received responses from 878,269,546 sites and 5,491,917 web-facing computers. This reflects a drop of 14.5 million sites since last month, while the number of computers rose by 53,800.

nginx grew in all metrics this month – websites, active sites, web-facing computers, and its share of the top million sites. With a gain of 866,000 active sites, nginx has increased its market share in this metric beyond 15% for the first time.

nginx also made an impressive gain of 21,480 web-facing computers, outpacing Apache's increase of 12,629 and Microsoft's 4,606. nginx is now used by 727,000 web-facing computers around the world, but it still has a fair way to go before it encroaches on the dominance of Microsoft and Apache. More than twice as many computers are running Microsoft server software, while Apache is even further ahead with its 2.5 million computers giving it a 46% share of the market.

Increasing native support for HTTP/2

The latest mainline version of nginx (1.9.5) has ditched support for SPDY, replacing it with HTTP/2 via an experimental ngx_http_v2_module. The latest major release in the 2.4 stable branch of Apache also now supports HTTP/2 natively. Apache 2.4.17 was released on 13 October 2015, and includes a donated HTTP/2 implementation in the mod_http2 core module, which has similar configuration options to the existing mod_ssl module. HTTP/2 support was previously available since Apache 2.4.12 via the mod_h2 module, although this required the server source code to be patched.

HTTP/2 is the standardised successor of SPDY, on which it was based. The primary motivation for using either of these protocols is performance – compared with HTTP 1.1, both of the newer protocols offer reduced latency through methods like header compression, prioritisation, and allowing webpage elements to be requested in parallel over a single TCP connection.

However, widespread use of HTTP 1.1 is likely to continue for several more years at least, as most browser vendors only support HTTP/2 over encrypted TLS connections. This means the significantly greater number of non-HTTPS sites currently in existence will carry on using HTTP 1.1, even though the HTTP/2 standard is also defined for HTTP URLs.

Despite the potential performance benefits, less than 5% of all SSL certificates in Netcraft's October SSL Survey were found on web servers that supported SPDY or HTTP/2. However, 29% of SSL sites within the thousand most popular sites currently support SPDY or HTTP/2, while 8% of those within the top million sites do. The busiest sites have the most to gain by optimising their connections, so this distribution is not too surprising.

HTTP/2 is also supported by the latest version of Microsoft Internet Information Services, although with the production version of Windows Server 2016 yet to be released, it is not too surprising that IIS 10.0 was found being used by only 2,200 sites in this month's survey. Several of these sites are hosted by Microsoft, and although publicly accessible, the hostnames suggest they are test servers that mirror the functionality of existing Microsoft sites still running IIS 7.0 and IIS 7.5.

While Windows Server 2016 is likely to become the primary platform for IIS 10.0 on the internet, IIS 10.0 is also included in Windows 10, which is already available and has been offered as a free upgrade to many Windows users. Technical Preview versions of Windows Server 2016 are also currently available for evaluation. Some earlier versions of Windows, including Windows 7 Service Pack 1, can also run IIS 10.0 Express. This is a self-contained version that has all of the core capabilities of IIS 10.0, as well as some additional features to make it easier to develop and test websites.

Total number of websites

Web server market share

DeveloperSeptember 2015PercentOctober 2015PercentChange
Continue reading

Fraudsters use paypal-office.com OV certificate for phishing

In June 2015, Trustwave issued an organisation-validated certificate for paypal-office.com, myaccount-paypal.com and paypal-sign.com that was used on a PayPal phishing site. The certificate was issued to an individual in India, Asha Shaikh, who may be the fraudster behind the phishing site, or perhaps one of the fraudster's victims. The phishing attack is now offline, but the certificate has yet to be revoked by Trustwave at the time of writing.

Rendered contents of phishing site found on www.paypal-office.com. The error message visible at the top of the page is a giveaway: the geo-location of the visitor's IP address failed, and it reveals the location of the files used to power the phishing site.

Certificate authorities typically sell certificates in three broad categories of assurance: domain-validated certificates simply validate control over a domain name; organisation-validated certificates include the identity of the organisation; and Extended Validation certificates increase the level of identity checking done to meet a recognised industry standard.

The difference between DV, OV, and EV certificates is sometimes subtle — many sources of consumer advice do not make the distinction between certificates that provide further identity information and those that only validate domain name ownership. For example, Google Chrome's help page states: "You can tell if a site is real if it has a valid TLS/SSL certificate".

Most certificates with deceptive domain names are domain-validated, though some appear to be organisation-validated. Many of the SSL certificates associated with CloudFlare's "Universal SSL" programme are ostensibly organisation-validated; however, the organisation being validated in this case is CloudFlare itself and not each individual customer.

paypal-office.com certificate

An organisation-validated certificate for paypal-office.com shown in the Windows certificate viewer.

Rather than be processed automatically, as is possible with domain-validated certificates, most higher-assurance certificate requests will be reviewed by a human prior to issuance. This additional level of validation makes it all the more surprising that a request for a certificate containing "paypal" wasn't considered a high risk request, and consequently rejected after being subjected to increased scrutiny.

Trustwave offers a Relying Party warranty with its certificates, covering fraudulent credit card charges made by a Trustwave certificate holder. However, the warranty does not cover other types of fraud, meaning phishing for credentials or fraudulent payments using other payment methods are not covered. As a result, victims of this phishing attack will not be able to claim on this warranty, despite having their PayPal credentials stolen by a fraudster using a Trustwave certificate.

Certificate authorities issue SSL certificates to fraudsters

In just one month, certificate authorities have issued hundreds of SSL certificates for deceptive domain names used in phishing attacks. SSL certificates lend an additional air of authenticity to phishing sites, causing the victims' browsers to display a padlock icon to indicate a secure connection. Despite industry requirements for increased vetting of high-risk requests, many fraudsters slip through the net, obtaining SSL certificates for domain names such as banskfamerica.com (issued by Comodo), ssl-paypai-inc.com (issued by Symantec), and paypwil.com (issued by GoDaddy).

CloudFlare, a content delivery network that provides free "Universal SSL" to its customers, is a hotspot for deceptive certificates, accounting for 40% of SSL certificates used by phishing attacks with deceptive domain names during August 2015. CloudFlare's Universal SSL certificates are provided in partnership with Comodo, and CloudFlare also use GlobalSign certificates for some of its customers. CloudFlare's flexible SSL option also appeals to fraudsters, offering a padlock in victims' browsers without the need for attackers to set up SSL on their web servers.

PayPal phishing site

A screenshot of a PayPal phishing site using a widely trusted SSL certificate valid for www.pay-pal.co.com. The certificate is a CloudFlare Universal SSL certificate issued by Comodo. The certificate has not been revoked; however, the phishing site is no longer available.

Websites that use TLS (the successor to SSL) are marketed as being trustworthy and operated by legitimate organisations. Consumers have been trained to "look for the padlock" in their browser before submitting sensitive information to websites, such as passwords and credit card numbers. While the reality is more nuanced, the data submitted to a phishing site using TLS is protected from eavesdroppers. However, a displayed padlock alone does not imply that a site using TLS can be trusted, or is operated by a legitimate organisation.

NatWest phishing site

A screenshot of a NatWest phishing site using a widely trusted SSL certificate valid for natwestnwolb.co.uk. (nwolb stands for NatWest online banking. The legitimate NatWest online banking service is available at www.nwolb.com.)

Bank of America phishing site

A screenshot of a Bank of America phishing site using a widely trusted SSL certificate valid for banskfamerica.com.

The following table lists some examples of deceptive SSL certificates that have been used to conduct phishing attacks, along with their Domain Registration Risk scores:

Hostname Phishing Target Certificate Authority Assurance Risk Score Revoked
halifaxonline-uk.com Halifax GlobalSign (CloudFlare) OV* 10.0 No
emergencypaypal.net PayPal Comodo (CloudFlare) OV* 9.17 Yes
blockchaín.info (xn--blockchan-n5a.info) Blockchain GlobalSign (CloudFlare) OV* 8.52 No
blockachain.info Blockchain Comodo DV 8.42 No
itunes-security.net Apple iTunes Symantec DV 8.08 No
phypal.com PayPal Symantec DV 6.61 No
btintranert.com BT GoDaddy DV 5.56 Yes

* The certificates that CloudFlare issues to its customers are ostensibly organisation-validated, as they contain CloudFlare's company name and address. However, the customer domains themselves are only domain-validated.

The CA/Browser Forum's Baseline Requirements – a set of rules that publicly-trusted certificate authorities are expected to follow – require that high-risk domain names that may be used for fraud or phishing are subjected to additional verification:

High Risk Certificate Request: A Request that the CA flags for additional scrutiny by reference to internal criteria and databases maintained by the CA, which may include names at higher risk for phishing or other fraudulent usage.
The CA SHALL develop, maintain, and implement documented procedures that identify and require additional verification activity for High Risk Certificate Requests prior to the Certificate’s approval.

Despite this requirement, many major certificate authorities issue SSL certificates for deceptive domains used in phishing attacks. Notable exceptions include DigiCert and Entrust, neither of which issue domain-validated certificates.

A pie chart showing SSL certificates containing a deceptive domain name that were used in phishing attacks during August 2015, split by certificate authority. CloudFlare and non-CloudFlare certificates are shown separately.

Certificate authorities commonly provide SSL certificates at three different levels of assurance:

  • Domain validated (DV)
    Certificate authorities only have to check that the certificate's applicant controls the domain name contained in a DV certificate. These certificates are typically the cheapest option, and can be had for free or be purchased for less than $10. Let's Encrypt is planning to offer free, automatically-issued DV certificates starting later in 2015.
  • Organisation validated (OV)
    In addition to validating the domain name in the certificate, the identity of the person or organisation applying for an OV certificate is also verified by the certificate authority and included in the certificate. Most browsers do not treat OV certificates any differently to DV certificates.
  • Extended validation (EV)
    Like OV certificates, the identity of the organisation applying for an EV certificate is verified by the certificate authority. However, the verification is more stringent. EV certificates also receive different treatment in major web browsers – the address bar is either partially or completely coloured green and the requesting organisation's name and country are displayed next to the padlock. The requirements for EV certificates in Chrome are changing, with many certificate authorities caught out by recent changes to require Certificate Transparency.

The requirement to perform additional verification of high risk certificate requests applies to all levels of assurance. However, DV certificates are often issued completely automatically within minutes, making it easy for fraudsters to obtain DV certificates for deceptive domain names.

Several certificate authorities offer free trial certificates with shorter validity periods. For example, Comodo offers free 90 day certificates, which have been used by a number of SSL phishing attacks. Symantec also offers free 30 day certificates through its GeoTrust brand. The short validity periods are ideal for fraudsters as phishing attacks themselves typically have short lifetimes.

Netcraft's Domain Registration Risk service automatically identifies deceptive domain names constructed using such tricks. The service calculates a risk score between 0 (low risk) and 10 (high risk) for each domain name, which represents the likelihood that the domain name will be used to carry out a phishing attack. Certificate authorities can make use of the service to determine if a domain name is likely to be used for fraudulent purposes before issuing the certificate.

The service can be provided as an API that mimics a Certificate Transparency log server for ease of integration with your existing certificate issuance process. The same API can also be used with Netcraft's certificate compliance checking service, which can identify certificates before they are issued that do not conform with the CA/B Forum's Baseline Requirements or its EV Guidelines.

Most Reliable Hosting Company Sites in September 2015

Rank Performance Graph OS Outage
DNS Connect First
1 GoDaddy.com Inc Linux 0:00:00 0.000 0.256 0.008 0.019 0.019
2 Datapipe Linux 0:00:00 0.004 0.164 0.012 0.025 0.032
3 Qube Managed Services Linux 0:00:00 0.004 0.150 0.044 0.089 0.089
4 XILO Communications Ltd. Linux 0:00:00 0.009 0.224 0.064 0.128 0.129
5 Memset Linux 0:00:00 0.013 0.159 0.065 0.158 0.248
6 EveryCity SmartOS 0:00:00 0.018 0.100 0.067 0.133 0.134
7 Anexia Linux 0:00:00 0.018 0.191 0.086 0.174 0.174
8 Pickaweb Linux 0:00:00 0.026 0.305 0.010 0.168 0.169
9 Hyve Managed Hosting Linux 0:00:00 0.031 0.110 0.063 0.127 0.128
10 Pair Networks FreeBSD 0:00:00 0.031 0.241 0.070 0.141 0.141

See full table

For the second month in a row, GoDaddy had the most reliable hosting company website. Throughout September, it was the only company to respond to all of Netcraft's requests, with an average connection time of only 8 milliseconds. This is the fifth time this year that GoDaddy has been in the top ten.

GoDaddy recently added new features to its GoDaddy Pro programme, which has grown to more than 50,000 members since its launch in June. Aimed at web designers and developers, it allows members to manage clients and clients' products, offering discounts of at least 30%.

Datapipe had the second most reliable hosting company website in September, with just a single failed request. Datapipe came first in July, and August was the only month so far this year when it was absent from the top ten.

On 9 September 2015, Datapipe announced that it had acquired DualSpark – an Amazon Web Services assessment, automation and migration company, which was founded by former AWS managers. Datapipe hopes to use DualSpark's DevOps and automation expertise to bring increased levels of support to its cloud clients.

Qube Managed Services ranked third in September, also with only one failed request, but with a marginally longer average connection time than Datapipe. Qube's site has appeared in the top ten for all but two months so far in 2015, making this its seventh appearance.

Linux dominates the chart this month, being used by eight of the top ten sites, and all of the top five. EveryCity uses the SmartOS community fork of OpenSolaris, while Pair Networks uses the FreeBSD operating system. This is the third month in a row where Microsoft Windows has been completely absent from the top ten.

Netcraft measures and makes available the response times of around forty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.

From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as this gives a pointer to reliability of routing, and this is why we choose to rank our table by fewest failed requests, rather than shortest periods of outage. In the event the number of failed requests are equal then sites are ranked by average connection times.

Information on the measurement process and current measurements is available.

eBay phishing sites hosted by… eBay

Fraudsters are stealing eBay usernames and passwords using phishing pages hosted on eBay's own infrastructure. One of these pages, targeting German users, is shown below:

An eBay phishing form hosted on eBay's own infrastructure. The form contents are submitted to an external domain in Russia.

An eBay phishing form hosted on eBay's own infrastructure. The form contents are submitted to an external domain in Russia.

The convincing appearance of the spoof login form is bolstered by the fact that it is hosted on a genuine eBay domain, ebaydesc.com. This domain is ordinarily used to host descriptions for eBay listings which are displayed within iframes on eBay listing pages.

In this case, the corresponding eBay listing has already been deleted, although the phishing content within the listing's description can still be viewed by browsing directly to the relevant URL on vi.vipr.ebaydesc.com. Consequently, the attack is still live and capable of stealing credentials from eBay users.

The URL of the credential-stealing script is only momentarily visible in the address bar before the victim is redirected to the genuine eBay site.

The URL of the credential-stealing script is only momentarily visible in the address bar before the victim is redirected to the genuine eBay site.

When a victim enters his username and password into the form, both values are submitted to a PHP script hosted on a server in Russia. After stealing the credentials, this script then redirects the victim to the genuine ebay.de login page, which reports that the username or password was incorrect.

After the victim's credentials are stolen, he is redirected to the real eBay login page. Note that the username field has been automatically populated with the username stolen by the fraudster.

After the victim's credentials are stolen, he is redirected to the real eBay login page. Note that the username field has been automatically populated with the username stolen by the fraudster.

This error message might cause the victim to become suspicious enough to look at the browser's address bar, to check he is on the right website; but it will already be too late at this point – his credentials will have already been stolen, and because his browser will now be showing ebay.de in the address bar, he may not even realise that his credentials have just been sent to a web server in Russia. There is consequently little chance of the victim reacting by changing his password, allowing the fraudster to take full advantage of the stolen credentials at his leisure.

The website involved in collecting the stolen credentials has also been used to host other phishing attacks targeting German-speaking consumers, including sites impersonating PayPal, Apple, and mobile.de.

In an attempt to evade detection by eBay and others, the fraudster has obfuscated the HTML source of his eBay phishing form. This makes it impossible to find such a listing by searching for any of the words that appear in the description, yet the rendered results appear as normal when viewed in a web browser.

The obfuscated HTML source used by the phishing content hosted by eBay.

The obfuscated HTML source used by the phishing content hosted by eBay.

Allowing anyone to insert arbitrary HTML and malicious scripts into a listing's description gives plentiful opportunities to would-be fraudsters, particularly as this weakness has been exploited to carry out similar attacks against eBay users in the past. Last year, Netcraft reported on fraudsters injecting malicious JavaScript into eBay listings to set up man-in-the-middle attacks against car buyers, and similar JavaScript redirection techniques have continued to be exploited throughout 2015.

These phishing methods can be much more successful than traditional phishing attacks (where content is hosted solely on an unrelated domain). The techniques employed in these latest attacks are not permitted under eBay's HTML and JavaScript policy; however, a fraudster intent on stealing passwords is not going to be deterred by words alone.

September 2015 Web Server Survey

In the September 2015 survey we received responses from 892,743,625 sites and 5,438,101 web-facing computers. Both of these key metrics grew this month, with net gains of 18 million sites and 47,000 computers.

Microsoft made by far the largest gain in hostnames this month, with an additional 33.6 million sites bringing its total up to 265 million. Combined with a 15.9 million loss in Apache-powered sites, the difference between Microsoft's and Apache's market shares has now halved: Microsoft's share went up by 3.22 percentage points to 29.68%, while Apache's fell by 2.55 to 34.96%, reducing Apache's lead to just over five percentage points.

However, September's growth in web-facing computers paints a different picture, with Apache's net gain of 19,800 computers being more than six times higher than Microsoft's. Despite this, both Microsoft and Apache lost market share this month, while nginx – which gained the most web-facing computers in September (+22,100) – grew its share to nearly 13%. With an additional 6.9 million sites bumping its site share up to 15.60%, nginx was the only major server vendor to increase its market share in both sites and computers this month.

Despite no longer being supported by Microsoft, the number of websites using Microsoft IIS 6.0 (which typically runs on Windows Server 2003) has since grown by 19% and accounted for much of the overall Microsoft hostname growth this month. 153 million websites are now using Microsoft IIS 6.0, compared with 129 million in July; however, the number of web-facing computers using IIS 6.0 has fallen by 6%, and the number of active sites fell by 16%.

China accounted for around a third of this month's overall growth in web facing computers, outpacing the growth seen in the United States and Germany by a factor of three. Even so, China was responsible for only a tiny fraction of this month's site growth. Microsoft Windows continues to be the preferred hosting platform for computers in China, where it is currently used by 42% of all web-facing computers and 43% of all sites. Astoundingly, over half of these Windows computers are running Windows Server 2003, and some Chinese hosting providers continue to provide new installations of this deprecated operating system.

Amongst the world's top million websites, nginx has continued to increase its market share and now powers more than twice as many sites as Microsoft. Apache's share has been steadily declining over the past few years mostly as a result of nginx's gains, but it looks set to remain the dominant server vendor within the top million for a while longer, as it is still used by more than twice as many sites as nginx.

Total number of websites

Web server market share

DeveloperAugust 2015PercentSeptember 2015PercentChange
Continue reading