Perfect Forward Secrecy in the Netcraft Extension

Netcraft has added a Perfect Forward Secrecy (PFS) indicator to the Netcraft Extension for Firefox, Chrome and Opera. This lets users see which websites would allow encrypted traffic to be decrypted en masse at a later date if the site's private key were to be compromised, a danger previously highlighted by Netcraft in June.

PFS, when implemented correctly, ensures that if the long-term private key of a site served over SSL is compromised, historical encrypted traffic cannot be decrypted in bulk. With an ephemeral Diffie-Hellman key exchange, the session keys are derived from one-off values that both sides discard after the connection, so the site's private key only ever signs the exchange and never protects the session keys themselves. An eavesdropper who later obtains that key would instead have to break each individual connection independently, which would be incredibly time consuming.

With the recent revelations from Edward Snowden that the NSA is able to read encrypted internet traffic, PFS support is very desirable for privacy-conscious internet users, particularly in countries that also have key disclosure laws.

Currently, most of the major web browsers make it difficult to tell whether or not a website supports PFS. For example, Chrome, Opera 15, and Internet Explorer display the name of the current cipher suite in a pop-up, but recognising PFS from it requires knowing that only the ephemeral key exchange mechanisms (ECDHE and DHE) provide it. Firefox and Opera 12 display part of the cipher suite in their user interfaces; however, they crucially omit the key exchange mechanism, which is exactly the part that determines whether the site supports PFS. Safari fares the worst, as it does not display any information at all about the current cipher suite.
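The check that the browser user interfaces hide, as an added example that is not part of the original post or of the Netcraft Extension: given a negotiated cipher suite name, decide whether its key exchange is ephemeral. It accepts both the OpenSSL spelling (ECDHE-RSA-AES128-GCM-SHA256) and the IANA spelling (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256), treats TLS 1.3 suites as forward secret by construction, and includes a live check built on Python's ssl module; the classification tables and the sample names are this example's own assumptions.

```python
"""Classify TLS cipher suites by whether their key exchange gives forward secrecy.

Added example, not code from the original post. Assumes cipher names are in
OpenSSL form (ECDHE-RSA-AES128-GCM-SHA256) or IANA form
(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256); the live check uses Python's ssl module.
"""
import socket
import ssl
import sys

# Ephemeral key exchange: session keys come from one-off (EC)DH values, so a
# later compromise of the server's long-term key does not unlock old sessions.
# EDH is OpenSSL's older spelling of DHE.
EPHEMERAL = {"ECDHE": "ECDHE", "DHE": "DHE", "EDH": "DHE"}
# Key transport or static DH: the long-term key decrypts (RSA) or fixes (DH/ECDH)
# the session secret, so recorded traffic falls together with that key.
STATIC = {"RSA", "ECDH", "DH", "PSK", "SRP", "KRB5"}
TLS13_PREFIXES = ("TLS_AES_", "TLS_CHACHA20_")


def key_exchange(cipher: str, protocol: str = "TLSv1.2") -> str:
    """Return the key-exchange mechanism a cipher-suite name implies."""
    name = cipher.strip().upper()
    # TLS 1.3 suite names carry only the AEAD and hash: the handshake is always
    # ephemeral (EC)DHE, since static RSA and static DH were removed.
    if protocol.upper() == "TLSV1.3" or name.startswith(TLS13_PREFIXES):
        return "(EC)DHE"
    if name.startswith("TLS_"):
        # IANA form: TLS_<kx>_<auth>_WITH_<cipher>_<mac>
        tokens = name[4:].split("_WITH_", 1)[0].split("_")
    else:
        # OpenSSL form: <kx>-<auth>-<cipher>-<mac>; plain RSA suites omit the
        # key-exchange token entirely (AES128-SHA means RSA key transport).
        tokens = name.split("-")
        if tokens[0] in ("EXP", "EXP1024"):   # export-grade marker precedes kx
            tokens = tokens[1:]
    if "ANON" in tokens or tokens[0] in ("ADH", "AECDH"):
        return "ANON"   # ephemeral but unauthenticated: no long-term key at all
    first = tokens[0]
    if first in EPHEMERAL:
        return EPHEMERAL[first]
    if first in STATIC:
        return first
    return "RSA"


def supports_pfs(cipher: str, protocol: str = "TLSv1.2") -> bool:
    """True when the suite's key exchange is ephemeral and authenticated.

    Anonymous DH is ephemeral too, but offers no defence against an active
    attacker, so an indicator should not award it a green tick.
    """
    return key_exchange(cipher, protocol) in ("ECDHE", "DHE", "(EC)DHE")


def check_host(host: str, port: int = 443, timeout: float = 5.0):
    """Negotiate a TLS session and report the cipher the server chose.

    Needs network access; returns (cipher name, protocol, pfs flag).
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, proto, _bits = tls.cipher()
            return name, proto, supports_pfs(name, proto)


if __name__ == "__main__":
    for target in sys.argv[1:]:
        cipher, proto, pfs = check_host(target)
        print(f"{target}: {proto} {cipher} -> {'PFS' if pfs else 'NO PFS'}")
```

One caveat a green tick cannot express: it only says the key exchange was ephemeral. A server that protects session tickets with a long-lived, never-rotated ticket key leaves recorded traffic decryptable by whoever later obtains that key, so ticket-key rotation is part of "implemented correctly" even though no cipher suite name reveals it.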

The Netcraft Extension — which blocks phishing attacks and displays metadata about visited websites — now clearly indicates whether the site you are visiting supports PFS. This is displayed in the user interface as a green tick if the site supports PFS, and a red cross if it does not. In addition, in both Chrome and Opera, a small indicator is displayed beside the Netcraft badge when visiting an SSL site which does not support PFS.

The following screenshots show the PFS indicator in the Netcraft Extension when visiting the DuckDuckGo search engine, which enabled the use of PFS cipher suites after the lack of PFS was highlighted in Netcraft's previous analysis of PFS support.

PFS indicator in the Netcraft Extension for Google Chrome™
(The Opera version looks similar)

PFS indicator in the Netcraft Extension for Firefox

The Netcraft Extension is available for Firefox, Chrome and Opera. More information about the PFS indicator can be found on the Netcraft Extension FAQ page.

Note: The new version of the Firefox extension is currently awaiting approval from Mozilla; however, it can be manually installed from the version history page by selecting version 1.8.1.

Deceptive domain and SSL certificate issued by Network Solutions

Network Solutions allowed a fraudster to register a deceptive domain name earlier this week: Network Solutions also issued a valid SSL certificate for the domain, which was used for a phishing attack which targeted customers of Chase Bank.

Phishing attack targeting Chase bank on

The phishing site added further credibility to the attack by using an encrypted HTTPS connection. The fraudster obtained a domain-validated SSL certificate from Network Solutions, and, as with the domain, it was valid for one year from 3rd September 2013.

The SSL certificate used on

Although opportunities were missed to prevent the suspicious domain name being registered and the corresponding SSL certificate being issued, the certificate used by the site does at least carry an OCSP responder address, which allows browsers to learn promptly once the issuer revokes it. However, the efficacy of this mechanism largely depends on which browser the victim is using, and how it has been configured. For example, Firefox, which does perform OCSP checks by default, will only display content from the site if the certificate has not been revoked. Google Chrome, on the other hand, does not perform such online checks by default for non-EV certificates, relying instead on its own CRLSet, so Chrome users may continue to see the site until that list catches up.

However, as Network Solutions was also the registrar of the domain, it would have been more effective to simply suspend the domain, which is what appears to have happened yesterday:

>>> Last update of whois database: Thu, 05 Sep 2013 12:56:58 UTC <<<

The fraudulent SSL certificate was later revoked — the certificate's serial number can be found on Network Solutions' certificate revocation list at

The CA/Browser Forum's Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates [PDF] says that certificate authorities SHALL subject high risk requests — which includes names at high risk of being used in a phishing attack — to further scrutiny prior to issuance. Netcraft's Domain Registration Risk service is ideal for both domain registrars and certificate authorities, as it judges the likelihood of a new domain being used for fraudulent activities. It identifies domains which are deceptively similar to legitimate websites run by banks and other institutions that are commonly targeted by phishing attackers.
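One way a registrar or CA could implement the "further scrutiny" step, as an added example that is neither Netcraft's Domain Registration Risk service nor code from the original post: score a requested name against a brand watch list, folding look-alike characters (ch4se), catching one-edit typosquats (paypol), spotting a brand used as a subdomain of an unrelated registrable domain, and counting bait words such as "secure" and "login". The brand list, allow list, bait words, confusable map, weights and sample domains are all constructed for this example.

```python
"""Score a requested domain name for lookalike/phishing risk against a brand watch list.

Added example, not Netcraft's Domain Registration Risk service. Brand list, allow
list, bait words, confusable map, weights and sample domains are constructed.
"""
import re

BRANDS = ("chase", "paypal", "hsbc", "barclays", "wellsfargo")   # constructed watch list
KNOWN_GOOD = {"chase.com", "paypal.com", "hsbc.com", "barclays.co.uk", "wellsfargo.com"}
BAIT_WORDS = {"secure", "login", "signin", "verify", "account", "update", "online", "banking"}
# Multi-character entries first so "rn" becomes "m" before single digits are mapped.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"}


def labels_of(domain: str) -> list:
    """Split a URL or hostname into its DNS labels, lower-cased."""
    host = domain.strip().lower()
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", host).split("/")[0].split(":")[0]
    return host.rstrip(".").split(".")


def registrable(labels: list) -> str:
    # Assumption: the registrable domain is the last two labels. A real deployment
    # needs the Public Suffix List to handle co.uk, com.br and the like.
    return ".".join(labels[-2:])


def normalise(text: str) -> str:
    """Fold hyphens and common look-alike characters so ch4se-bank reads as chasebank."""
    text = text.replace("-", "").replace("_", "")
    for look_alike, letter in CONFUSABLES.items():
        text = text.replace(look_alike, letter)
    return text


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one edit from a brand name is the classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(domain: str) -> dict:
    """Return a risk score, a level (low/medium/high) and the reasons behind it."""
    labels = labels_of(domain)
    reg = registrable(labels)
    if reg in KNOWN_GOOD:
        return {"domain": domain, "score": 0, "level": "low",
                "reasons": ["registrable domain belongs to the brand"]}
    score, reasons = 0, []
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    subdomain = labels[:-2]
    sld_norm = normalise(sld)
    sld_tokens = [t for t in sld.split("-") if t]

    # 1. Brand name inside the registrable label, with or without character tricks.
    brand_hit = next((b for b in BRANDS if b in sld_norm), None)
    if brand_hit:
        score += 60
        how = "" if brand_hit in sld else " after confusable substitution"
        reasons.append(f"brand '{brand_hit}' in registrable label{how}")
    else:
        # 2. One edit away from a brand (paypol, chasse): typosquat.
        for tok in sld_tokens:
            near = next((b for b in BRANDS
                         if len(tok) >= 5 and levenshtein(normalise(tok), b) == 1), None)
            if near:
                score += 40
                reasons.append(f"'{tok}' is one edit from brand '{near}'")
                break

    # 3. Brand used as a subdomain of an unrelated registrable domain (chase.com.evil.example).
    sub_hit = next((b for b in BRANDS if any(b in normalise(l) for l in subdomain)), None)
    if sub_hit:
        score += 50
        reasons.append(f"brand '{sub_hit}' appears only as a subdomain of {reg}")

    # 4. Words that phishing pages lean on to look legitimate.
    bait = [t for t in sld_tokens + subdomain if t in BAIT_WORDS]
    if bait:
        score += min(30, 15 * len(bait))
        reasons.append("bait words: " + ", ".join(bait))

    level = "high" if score >= 60 else "medium" if score >= 30 else "low"
    return {"domain": domain, "score": score, "level": level, "reasons": reasons}


# Constructed sample registrations, not real observed domains.
SAMPLES = ["chase-bank-secure-login.ml", "ch4se-online.ml",
           "www.chase.com.account-update.ml", "paypol-verify.com",
           "gardening-tips.ml", "https://www.chase.com/"]

if __name__ == "__main__":
    for d in SAMPLES:
        r = assess(d)
        print(f"{r['level']:6} {r['score']:3}  {d}  {'; '.join(r['reasons'])}")
```

The substring rule is deliberately blunt and will also flag "purchase-tickets.example" because "purchase" contains "chase"; a production scorer adds word-boundary and dictionary checks, a Public Suffix List for the registrable domain, and a history of which brands are actually being targeted, then routes anything above "low" to manual review rather than refusing it outright.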

While some phishing attacks can be identified prior to domain registration or SSL certificate issuance (such as the one described above), a significant proportion of phishing attacks make use of compromised web sites (often exploiting vulnerabilities in commonly deployed software platforms, such as WordPress). Netcraft can alert registries, SSL certificate authorities, or registrars and hosting companies of phishing sites discovered using their infrastructure to conduct a phishing attack.

Please get in touch ( if you would like to try out this service or for subscription information.

Free domains put Mali back on the map – for phishing

When the African nation of Mali announced that it was going to provide free .ml domains from July, its goal was to put Mali back on the map. It appears to have succeeded, but perhaps not in the way it had intended: thanks to the free domains, Mali now has the most phishy top-level domain of any country in the world.

Nearly 6% of the .ml domains in Netcraft's survey are currently blocked for hosting phishing sites, making it by far the phishiest TLD. In comparison, the second most phishy TLD, .bt (Bhutan), has only 0.7% of its sites blocked for phishing.

.ml domains can be quickly and easily registered at Freenom, which is owned by the Netherlands-based Freedom Registry. Registrants are required to create an account with a valid email address, and a CAPTCHA is used to try to prevent automated registrations. Domains can be registered for between 1 and 12 months initially, with an unlimited number of renewals. Domains which contain more than 3 characters are free.

It is not surprising to see free domain names being used in phishing attacks, but some TLDs have managed to tackle such fraud with astounding efficacy. The .tk TLD was taken advantage of extensively by phishers in 2011, prompting its registrar, Dot TK (another subsidiary of Freedom Registry), to introduce an anti-abuse API to allow trusted partners to shut down sites that use the .tk ccTLD. This dramatically reduced the average uptime of phishing sites which used .tk domains, making it a less attractive platform for fraudsters. Indeed, .tk does not even appear within the top 50 phishiest TLDs today, which makes it somewhat surprising to see .ml, which shares the same owner, being so heavily abused already.

A Taobao (Chinese shopping site) phish using a .ml domain, hosted in the US.

Despite the obvious appeal of a free and easily registered domain name when orchestrating a phishing attack, the phishiest TLDs are not always free, nor easy to register. Back in June, Morocco had the phishiest TLD (.ma), although it has since fallen to 12th place. As well as not being free, the administrative contact for an .ma domain must be established in Morocco; however, people living outside Morocco can still register an .ma domain through third parties.

Netcraft provides services to help protect domain registries, brand owners and hosting companies. You can also protect yourself against the latest phishing attacks by installing Netcraft's Anti-Phishing Extension and help protect the internet community by reporting potential phishing sites to Netcraft by email to or at

September 2013 Web Server Survey

In the September 2013 survey we received responses from 739,032,236 sites, 22.2M more than last month.

nginx gained 7.4M hostnames this month, and the web server is now used by more than 15% of the web. Within the Million Busiest websites, however, nginx's market share dipped slightly but remains just under 15%. Seeking to capitalise on nginx's success (usage of nginx has almost doubled in the last two years), Nginx Inc. has launched nginx Plus, a commercial variant of the nginx web server. nginx Plus provides additional features not available in the open-source version, including on-the-fly configuration, which has drawn mixed feedback from the community.

Apache contributed most to this month's growth, with a net gain of 9.7M hostnames; however, for the second consecutive month, Apache's market share remains below 50%. Apache's market share has been falling steadily since June 2012 (when it had a 64% share of the market) — despite its current downward trend, Apache is still the most commonly seen web server, its market share is greater than nginx, Microsoft, and Google combined. Microsoft, on the other hand, had the largest drop in hostnames this month, 2.4M, and lost market share across all sites and within the Million Busiest sites. Microsoft is getting closer to the official release of Windows Server 2012 R2 on the 18th October 2013. Even before the official release, IIS 8.5 is seemingly in use already — more than 300 sites reported using IIS/8.5 during this month's survey.

At the end of August, ICANN signed 13 new generic top level domain (gTLD) agreements with a number of private organizations. The agreements define new gTLDs including .estate, .guru, .voyage and .holdings. These agreements follow the first set, published in July, that have been signed since ICANN decided to drop a number of restrictions on top level domain name registrations. Netcraft has not yet seen any domains within the four TLDs agreed in July (all of which use non-Latin characters encoded using the punycode representation).

In a study published earlier in August, ICANN assessed the security and stability of dotless domains and identified a number of key risks that it will need to mitigate before dotless gTLDs (e.g. accessing http://com/ directly) can be safely implemented. This puts on hold Google's intention to run .search as a dotless domain (http://search). The .home and .corp gTLD applications are also on hold, having been identified as high risk after a study was published addressing the consequences of name collisions.

Developer  August 2013  Percent  September 2013  Percent  Change

Most Reliable Hosting Company Sites in August 2013

Rank  Company                 OS                    Outage    Failed  DNS    Connect  First  Total
                                                    hh:mm:ss  Req%    (s)    (s)      byte   (s)
1     Multacom                FreeBSD               0:00:00   0.000   0.176  0.105    0.212  0.529
2     Hyve Managed Hosting    Linux                 0:00:00   0.007   0.272  0.069    0.138  0.140
3     Bigstep                 Linux                 0:00:00   0.007   0.303  0.070    0.144  0.260
4                             Linux                 0:00:00   0.007   0.215  0.098    0.195  0.195
5     Netcetera               Windows Server 2012   0:00:00   0.010   0.079  0.074    0.158  0.305
6     CWCS                    Linux                 0:00:00   0.010   0.234  0.127    0.217  0.564
7     iWeb                    Linux                 0:00:00   0.013   0.160  0.084    0.166  0.166
8     Swishmail               FreeBSD               0:00:00   0.017   0.134  0.068    0.136  0.182
9     INetU                   Windows Server 2003   0:00:00   0.017   0.147  0.080    0.207  0.454
10    Server Intellect        Windows Server 2008   0:00:00   0.027   0.095  0.096    0.193  0.480


Multacom had the most reliable hosting company site in August 2013, with no failed requests and an average connection time of 0.105s. Multacom operates out of two secure data centres in Los Angeles, and focuses on providing shared and dedicated hosting services.

In second and third place were Hyve Managed Hosting and Bigstep. Both sites had only two failed requests, but Hyve's slightly shorter time to connect gave it the edge over Bigstep. Hyve provides managed hosting options from data centres across America, as well as in Shanghai, Hong Kong, and London. Hyve also handles hosting for several major international firms, including British Airways, Tesco and Nokia. Bigstep, which provides hosting services for "big data" companies, continues to maintain its impressive record since Netcraft started monitoring its performance, with a consistent 100% uptime over 5 months.

For the first time since May, hosting companies running Windows Server ranked in the top ten: Netcetera's website runs on Windows Server 2012, INetU use Windows Server 2003 and Server Intellect use Windows Server 2008. The most reliable hosting company site, Multacom, runs FreeBSD (as does last month's most reliable site, Swishmail). All other sites in the top ten run on Linux.

Netcraft measures and makes available the response times of around forty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.

From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as this gives a pointer to the reliability of routing, and this is why we choose to rank our table by fewest failed requests, rather than shortest periods of outage. In the event that the number of failed requests is equal, sites are ranked by average connection time.

Information on the measurement process and current measurements is available.

Estimating the value of hosting companies by counting computers

Is it possible to estimate the revenue of a hosting company from its public presence? That is, is the number of websites it hosts directly proportional to its market value? By using the market capitalisation (or acquisition purchase price, where appropriate) as a valuation and examining the number of web-facing computers, a striking pattern emerges.

Valuation of a hosting company against the number of web-facing computers found in August 2013.
Blue = "pure" hosting company; Orange = significant other areas of business. The dashed line is based only on pure hosting companies.
†Go Daddy’s valuation is based on its 2011 buyout offer, adjusted for growth in web-facing computers and for inflation.

Amongst the hosting companies examined, there is a fairly strong correlation between the number of web-facing computers and the valuation of the hosting company: the more computers visible at a hosting company, the higher the valuation. Considering only pure hosting companies (without significant other business, marked in blue), the average value per web-facing computer is circa $43,000.

An average company value per web-facing computer on the order of tens of thousands of dollars may seem surprisingly high, but there is, of course, more to it than the cost of a single computer. The number of web-facing computers does not take into account the potentially large number of computers used behind the scenes, which may vary from hosting company to hosting company depending on business model — there are likely to be fewer hidden computers at a shared hosting provider than at a cloud hosting provider.

Even with the same number of web-facing computers, the valuation of a hosting company can vary due to the quality of the physical hardware, the network infrastructure, and also sales and support staff. Most important is the current and future revenue, and hence profit, that each web-facing computer can generate.

This average value per web-facing computer masks a great deal of variation between hosting companies:

Hosting company    Value per web-facing computer (USD)
DADA               $15.3k
Peer 1             $30.0k
SoftLayer          $49.7k
iomart             $52.3k
United Internet*   $66.8k
Internap*          $67.3k
Rackspace          $68.1k
Go Daddy*          $177.2k

Value (USD) per web-facing computer. Companies marked with a * have significant other areas of business.

Comparing two competitors in the managed hosting market, Rackspace and Peer 1, highlights a significant difference in the valuation based on web-facing computers. Each web-facing computer at Rackspace is valued at more than twice as much as one at Peer 1; perhaps this reflects the value of Fanatical Support and the flexibility of Rackspace's OpenStack-based cloud.

Go Daddy's valuation of $4.1bn is based on a deal in 2011 (adjusted for both inflation and computer growth), which reportedly amounted to $2.25bn for 65% of the company. This valuation is greater than expected from the number of computers at Go Daddy, but this difference could be explained by its equally prominent role as the largest ICANN-accredited domain name registrar.

SoftLayer is in the process of being acquired by IBM, who say the acquisition will strengthen their leadership position in cloud computing and help speed business adoption of public and private cloud solutions. Financial terms were not disclosed, but the deal is speculated to be worth more than $2bn.

The correlation between computers and market value can be used not only to estimate the value of private companies which have never been sold before, but also to estimate the value of the hosting divisions within much larger companies, such as Amazon.

Amazon's market capitalisation stands at around $131bn today, but the majority of its revenue comes from online retailing. A valuation based on computer counting would suggest that its hosting division, Amazon Web Services, could be worth approximately $7.8bn, around 6% of Amazon's entire market value. Based on its Q2 2013 earnings report, Amazon's AWS division (reported within the Other category) accounted for 5.7% of its total revenue between 1st April and 30th June 2013.

Netcraft has developed a technique for identifying the number of computers (rather than IP addresses) acting as web servers on the Internet, providing an independent view with a consistent methodology on the number of web-facing computers at each hosting location worldwide. For more information, see our Hosting Provider Server Count.