Phishing on sites using SSL Certificates

Over the years the Internet community has been taught that one of the key steps in protecting their personal information on the Internet is to ensure that it is entered only over an encrypted connection, perhaps by looking for the lock symbol in the browser address bar or web addresses beginning with https://. As a result, phishing attacks which make use of SSL certificates are especially dangerous  as most users associate the presence of a valid SSL certificate with an increased level of assurance. Such attacks  erode the reputation of Certificate Authorities and SSL certificates, which makes identifying and revoking maliciously used certificates a material issue.

Netcraft's anti-phishing feed has blocked over 5 million unique phishing sites to date, receiving over 4 reports a minute from our reporter community, and while the majority of phishing attacks run over HTTP,  a significant number run on sites for which SSL certificates have been issued. In July 2012 alone, Netcraft found 505 unique valid certificates on blocked sites.

The following table, produced for the Netcraft SSL Survey, shows the number of unique valid certificates returned by phishing sites that were blocked by Netcraft in July 2012:

Certificate Authority (CA) Unique certificates ...with matching Common Names ...and accessed by https://
Symantec 216 41 21
Comodo 130 16 7
Go Daddy 67 19 8
Other 41 11 6
GlobalSign 39 2 1
DigiCert 12 2 2

The columns of the table are ordered left to right by trustworthiness, as using a valid SSL certificate is not always enough to trick a user into trusting a phishing website and two further conditions have to be met:

  • The Subject Common Name of the certificate has to match the hostname of the phishing site that returned it. Some sites will return the hosting company's certificate when requested over HTTPS. As most modern browsers display warnings when a non-matching certificate is encountered (pictured below), such certificates only serve to make the user more suspicious instead of increasing the perceived security of the site.
  • A phishing site accessed over HTTPS displays the SSL certificate for the hosting company.
  • The phishing attack has to actively use the SSL certificate by including https:// in the phishing URL. Having a valid SSL certificate does not make a phishing site appear more trustworthy if victims only access it over HTTP.

Fraudsters will often host their phishing content on a compromised website and so can make use of the website's legitimate certificate, however they may not have realized that SSL services are available and so serve the content over HTTP. None of the certificates found on phishing sites in this period appeared to have been issued specifically for the purpose of phishing.

Taking Certificate Authority market shares into consideration, Go Daddy has a lower proportion of its SSL certificates used in phishing attacks than the other large CAs, in part because it provides the hosting for a large proportion of the certificates which they issue and is a long term user of Netcraft's feed to remove phishing attacks.

Most Reliable Hosting Company Sites in July 2012

Rank Company site OS Outage hh:mm:ss Failed Req% DNS Connect First byte Total
1 New York Internet FreeBSD 0:00:00 0.000 0.161 0.082 0.166 0.494
2 www.logicworks.net Linux 0:00:00 0.003 0.143 0.082 0.548 0.689
3 www.netcetera.co.uk Windows Server 2008 0:00:00 0.003 0.109 0.120 0.242 0.604
4 Swishmail FreeBSD 0:00:00 0.007 0.133 0.073 0.147 0.368
5 iWeb Technologies Linux 0:00:00 0.007 0.145 0.082 0.163 0.163
6 Datapipe FreeBSD 0:00:00 0.010 0.151 0.025 0.051 0.077
7 www.choopa.com Linux 0:00:00 0.010 0.192 0.093 0.191 0.272
8 www.memset.com Linux 0:00:00 0.010 0.170 0.124 0.248 0.504
9 ReliableServers.com Linux 0:00:00 0.013 0.215 0.088 0.180 0.256
10 www.cwcs.co.uk Linux 0:00:00 0.017 0.343 0.137 0.278 1.006
See full table

The most reliable hosting company in July with no failed requests was New York Internet, which last month ranked third. They opened their first facility in Lower Manhattan in 1996, and also run a datacentre 40 miles away in New Jersey for business continuity and backup operations. Within our million busiest websites, Opera's FastMail service is the most popular website hosted by New York Internet.

Logicworks and Netcetera had the same number of failed requests and are therefore ranked by average connection time in second and third places respectively. Logicworks, which last appeared in the top ten in February in seventh position, offer cloud computing and managed hosting to some prominent brands including Dow Jones and NBC. Netcetera appeared in first place last month, however despite slipping slightly to third they actually experienced a drop in the number of failed requests this month.

Swishmail (ranked fourth) and iWeb Technologies (ranked fifth) also had the same number of failed requests, but had connection times of 73ms and 82ms respectively. Both companies have now appeared in the top ten for the fifth time this year.

Linux is the favourite choice of operating system for this month’s most reliable hosts, with six of the top ten running on the OS; three companies used FreeBSD, including first place New York Internet; and one company was running Windows Server 2008.

Netcraft measures and makes available the response times of around forty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.

From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as this gives a pointer to reliability of routing, and this is why we choose to rank our table by fewest failed requests, rather than shortest periods of outage. In the event that the number of failed requests are equal, the sites are ranked by average connection times.

Information on the measurement process and current measurements is available.

August 2012 Web Server Survey

In the August 2012 survey we received responses from 628,170,204 sites, a decrease of 38M sites since last month's survey.

Once again, this month's drop comes as a result of improvements to the survey's handling of wildcard hostnames, with over 40M hostnames on only 242 IP addresses being removed from the Survey. This has again had a negative effect on the number of hostnames running on Apache, with 36M hostnames lost, taking its market share down to 59%. This meant that despite Microsoft, nginx and Google losing hostnames (855k, 1.4M and 370k respectively), they all increased their percentage share.

In the Million busiest sites, the situation was reversed. Apache gained 15k sites to lift its share past the 60% threshold. Microsoft, nginx and Google all saw losses, by 4k, 10k and 2k respectively.

6th June 2012 saw the World IPv6 Launch, an event organised to build on World IPv6 Day (held a year ago). This year, the event focused on bringing together major internet technology firms to 'permanently enable IPv6 for their products and services'. The effect of the day was clearly visible in the Survey, with the number of IPv6 enabled hostnames jumping by over 300% from 7M to 30M.

Apple's decision to migrate MobileMe accounts to its new iCloud service has meant that Akamai experienced a 138k drop in active sites in the Survey. The MobileMe service allowed users to publish data to a page on the me.com site or their own domain. The new iCloud services don't offer users the same functionality.





Developer July 2012 Percent August 2012 Percent Change
Apache 409,185,675 61.45% 373,069,751 59.39% -2.06
Microsoft 97,385,377 14.62% 96,529,586 15.37% 0.74
nginx 73,833,173 11.09% 72,429,976 11.53% 0.44
Google 22,931,169 3.44% 22,561,854 3.59% 0.15
Continue reading

Most Reliable Hosting Company Sites in June 2012

Rank Company site OS Outage hh:mm:ss Failed Req% DNS Connect First byte Total
1 www.netcetera.co.uk Windows Server 2008 0:00:00 0.010 0.033 0.050 0.102 0.254
2 Swishmail FreeBSD 0:00:00 0.010 0.106 0.072 0.144 0.374
3 New York Internet FreeBSD 0:00:00 0.010 0.193 0.076 0.154 0.473
4 ReliableServers.com Linux 0:00:00 0.010 0.190 0.080 0.165 0.209
5 www.memset.com Linux 0:00:00 0.014 0.064 0.054 0.108 0.255
6 www.codero.com Linux 0:00:00 0.014 0.199 0.077 0.407 0.756
7 Pair Networks FreeBSD 0:00:00 0.014 0.266 0.082 0.168 0.545
8 www.choopa.com Linux 0:00:00 0.014 0.323 0.087 0.179 0.243
9 Datapipe FreeBSD 0:00:00 0.017 0.123 0.019 0.039 0.059
10 iWeb Technologies Linux 0:00:00 0.017 0.123 0.084 0.171 0.171

See full table

The top four hosting companies had the same number of failed requests this month and they are therefore ranked by average connection time.

With a 99.9% uptime guarantee, Netcetera are June's most reliable hosting company as they had the fastest average connection time of the four. Based in the Isle of Man, Netcetera have customers in over 60 countries worldwide and offer a wide range of services including co-location, cloud, virtual and email hosting, domain registrations and e-commerce. They last made it into the top 10 in February 2012 when they ranked fifth.

Very close behind Netcetera came Swishmail and New York Internet - both based in New York City, who ranked second and third place, whilst ReliableServers.com based in New Jersey, USA came fourth. Though they had the same number of failed requests, their average connection times were 22ms, 26ms and 30ms slower respectively than Netcetera's. Swishmail and ReliableServers.com have attained a top ten rank for the fourth time this year and New York Internet for the third time.

FreeBSD and Linux are the dominant choice of operating system for the most reliable hosting companies, with Netcetera the exception in running Windows Server 2008.

Netcraft measures and makes available the response times of around forty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.

From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as this gives a pointer to reliability of routing, and this is why we choose to rank our table by fewest failed requests, rather than shortest periods of outage. In the event the number of failed requests are equal then sites are ranked by average connection times.

Information on the measurement process and current measurements is available.

July 2012 Web Server Survey

In the July 2012 survey we received responses from 665,916,461 sites, a decrease of 31M since last month.

This drop comes as a result of the loss of a large number of wildcard hostnames with similar content at AmeriNOC (-30M), Axoft Group (-10M), and Tailor Made Servers (-8M). All of these sites were running Apache, resulting in a decrease of 39M hostnames running on Apache and dropping its market share slightly to 61%. All other web server vendors gained hostnames this month, with the biggest increase being 1.5M hostnames running on Microsoft IIS. This was followed by nginx and lighttpd with increases of 950k and 800k hostnames respectively.

Within Netcraft’s million busiest websites, nginx experienced a jump in market share this month to 12.5% after an increase of 22k sites. Nginx also saw the biggest switch of hostnames, with about.com changing around 600 top-million hostnames from Apache, the most popular of these being pcsupport.about.com. Nginx now stands nearly 1 percentage point of market share behind Microsoft. Apache and Microsoft both saw losses within the top million, of 32k and 10k respectively.

Total Sites Across All Domains
August 1995 - July 2012

Total Sites Across All Domains, August 1995 - July 2012


Market Share for Top Servers Across All Domains
August 1995 - July 2012

Graph of market share for top servers across all domains, August 1995 - July 2012


Developer June 2012 Percent July 2012 Percent Change
Apache 448,452,703 64.33% 409,185,675 61.45% -2.89
Microsoft 95,891,537 13.76% 97,385,377 14.62% 0.87
nginx 72,881,755 10.46% 73,833,173 11.09% 0.63
Google 22,464,345 3.22% 22,931,169 3.44% 0.22
Continue reading

Most Reliable Hosting Company Sites in May 2012

Rank Company site OS Outage
hh:mm:ss
Failed
Req%
DNS Connect First
byte
Total
1 www.cwcs.co.uk Linux 0:00:00 0.003 0.327 0.214 0.337 1.018
2 ReliableServers.com Linux 0:00:00 0.007 0.250 0.081 0.167 0.244
3 iWeb Technologies Linux 0:00:00 0.017 0.116 0.084 0.167 0.167
4 Hosting 4 Less Linux 0:00:00 0.017 0.152 0.094 0.187 0.386
5 Datapipe FreeBSD 0:00:00 0.024 0.174 0.025 0.050 0.076
6 www.choopa.com Linux 0:00:00 0.024 0.203 0.084 0.172 0.246
7 www.catalyst2.com Linux 0:00:00 0.024 0.372 0.097 0.201 0.300
8 www.dinahosting.com Linux 0:00:00 0.024 0.162 0.117 0.234 0.234
9 Qube Managed Services Linux 0:00:00 0.030 0.143 0.100 0.201 0.201
10 www.memset.com Linux 0:00:00 0.037 0.101 0.096 0.192 0.382

See full table

The most reliable hosting company during May was CWCS — a UK-based company offering a variety of web and managed hosting services from their own data centres in Nottingham. Advertising a "100% uptime guarantee" CWCS top the chart for May after responding to all but one request.

ReliableServers.com remains in the top ten for the third month in a row, placing second — 6 places higher than last month. Offering dedicated hosting and colocation from their two New Jersey data centres — located in Newark and North Bergen — ReliableServers.com also guarantees 100% uptime.

Seeing their highest placing this year, iWeb Technologies are May's third most reliable hosting company. Their four data centres in the Montréal area are supplied by 7 different network providers to ensure high reliability.

During May nine out of the ten most reliable companies were using Linux servers with the remaining company, Datapipe, last month's most reliable company, running FreeBSD.

Netcraft measures and makes available the response times of around forty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.

From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as this gives a pointer to reliability of routing, and this is why we choose to rank our table by fewest failed requests, rather than shortest periods of outage. In the event the number of failed requests are equal then sites are ranked by average connection times.

Information on the measurement process and current measurements is available.