Extended Validation SSL certificates: 4 years of growth

After more than 4 years of continued growth, Extended Validation SSL certificates still only account for 2.3% of all valid third party certificates found in the Netcraft SSL Survey. The majority of sites use the cheapest type of certificate – domain validated – although these are less common amongst high-traffic websites.

Netcraft's April 2011 survey found a total of 38,966 valid EV certificates.

Extended Validation SSL certificates typically cost more than both domain and organisation validated certificates. The vetting process for EV certificates cannot always be automated to the same degree as for domain validated certificates – for example, the current guidelines may in some circumstances require the certificate authority to arrange a site visit in order to verify an applicant's business address. Such checks ultimately ensure that EV certificates are only issued to legally established businesses or organisations.

Because simpler domain validation checks can be performed automatically, CAs can enjoy a very fast and low cost issuance process for domain validated certificates. Eddy Nigg's StartSSL is perhaps a prime example of this – they offer free domain validated certificates for one year, in addition to their range of other paid-for certificates.

EV certificates are much more prevalent amongst high-traffic or financial websites, where it is often beneficial to demonstrate higher levels of assurance to visitors. For example, losses to phishing fraud can be reduced by educating online banking customers to look for the green indicator in the browser's address bar. Because this can only be activated by an EV certificate, a fraudster would be unable to replicate this behaviour on an HTTP website or by using a more easily obtainable type of certificate.

Of course, EV certificates cannot entirely prevent phishing attacks. If an attacker were to compromise a website which already uses a valid EV certificate, he could piggyback on the trust instilled by that site's certificate to present his fraudulent content. Such a problem was first demonstrated on SourceForge, and then on paypal.com a few years ago, when cross-site scripting (XSS) vulnerabilities allowed arbitrary content to be injected into webpages. PayPal was one of the first companies to use EV certificates, which they believe resulted in noticeably lower abandonment rates on signup flows.

Restricting our analysis to the busiest 1,000 websites in the world, 81 sites accepted HTTPS connections and presented a valid SSL certificate. Nearly a third of these certificates used Extended Validation – a far higher proportion than the 2.3% share of all certificates.

While domain validated certificates have the largest share of the entire market, this share starts to decline when the least visited sites are removed from the analysis. Organisation validated certificates take the largest share within the top million sites, and are still almost twice as popular as EV certificates in the top 1,000.

The future looks quite promising for both Extended Validation and domain validated certificates. Both types have shown continued growth in recent years, while the growth of organisation validated certificates has been relatively subdued. Organisation validated certificates do not offer the same level of assurance as an EV certificate, and typically cost more than a domain validated certificate, so it will be interesting to see whether these "middle of the road" certificates continue to grow – particularly in a market where many consumers may only be interested in either having the highest assurance or paying the lowest price.

April 2011 Web Server Survey

In the April 2011 survey we received responses from 312,693,296 sites, a growth of almost 14.7M hostnames. This is the tenth consecutive month of growth seen by the survey.

As in recent months, Apache contributed most to the increase, gaining 11.4M hostnames. Especially large increases were seen at AmeriNOC, SoftLayer and ServerInt, which saw gains of 3.7M, 2.5M, and 1.2M hostnames respectively. Large increases were also seen at several hosting companies, including Amazon, China Telecom and BurstNET.

Microsoft saw an overall increase of 1.2M hostnames, with the largest growth seen at Go Daddy. Microsoft's largest loss was due to the continuing movement of Windows Live Spaces to WordPress.com.

This month saw nginx gain 651k hostnames overall, despite losses at ServePath, China Telecom and Amazon. The largest increase was seen at Hetzner Online AG which saw an additional 349k sites.

The Tōhoku Earthquake did not cause a drop in the number of sites seen by the Web Server Survey this month, as the data collection completed before the earthquake struck.

[Graph: Total Sites Across All Domains, August 1995 - April 2011]

[Graph: Market Share for Top Servers Across All Domains, August 1995 - April 2011]

Developer   March 2011    Percent   April 2011    Percent   Change
Apache      179,720,332   60.31%    191,139,966   61.13%     0.82
Microsoft    57,644,692   19.34%     58,867,097   18.83%    -0.52
nginx        22,806,060    7.65%     23,463,669    7.50%    -0.15
Google       15,161,530    5.09%     14,690,422    4.70%    -0.39
lighttpd      1,796,471    0.60%      1,862,963    0.60%    -0.01

Most Reliable Hosting Company Sites in March 2011

Rank  Company site               OS         Outage    Failed  DNS    Connect  First  Total
                                            hh:mm:ss  Req%                    byte
1     www.dinahosting.com        Linux      0:00:00   0.011   0.241  0.077    0.154  0.154
2     Virtual Internet           Linux      0:00:00   0.030   0.136  0.095    0.192  0.393
3     iWeb Technologies          Linux      0:00:00   0.034   0.077  0.047    0.094  0.094
4     Kattare Internet Services  Linux      0:00:00   0.034   0.095  0.073    0.146  0.296
5     Datapipe                   FreeBSD    0:00:00   0.037   0.105  0.023    0.047  0.066
6     Rackspace                  F5 BIG-IP  0:00:00   0.037   0.212  0.234    0.282  0.282
7     INetU                      unknown    0:00:00   0.041   0.065  0.030    0.375  0.491
8     www.logicworks.net         Linux      0:00:00   0.041   0.145  0.048    0.515  0.671
9     www.qubenet.net            Linux      0:00:00   0.041   0.114  0.056    0.113  0.113
10    Swishmail                  FreeBSD    0:00:00   0.045   0.135  0.049    0.097  0.261


The most reliable hosting company in March was dinahosting, which has been offering hosting services since 2002. The company's data centre is spread across 25 buildings located in Madrid, Spain, which are physically protected by sluice gates and biometric access controls. Besides Spanish, dinahosting also provides support for customers who speak Catalan, Galician, English, and Portuguese. To increase performance from other countries, dinahosting also has additional DNS servers in London and Dallas.

dinahosting is currently offering 50% off its RealCloud cloud hosting service, which is managed by Xen hypervisor 4.0.0 running on Dell PowerEdge R410 servers. This platform supports auto-scaling to dynamically allocate additional resources when required, such as during traffic spikes. As with many other cloud hosting services, CPU-hours and bandwidth are charged for on a pay-as-you-go basis.

Virtual Internet took second place, with only eight failed requests throughout March. The UK-based company is scheduled to launch its flexible managed hosting and cloud hosting solutions in the USA from 1st May 2011. Virtual Internet's cloud hosting services are based on VMware, and include a 100% uptime guarantee, automatic crash recovery, 1 gigabit networking and a 20-day try-before-you-buy offer. Other services offered by Virtual Internet include colocation, global content delivery and business email hosting.

Six of the most reliable hosting company sites in March were running on Linux, including each company within the top four. Of the remaining companies, two used FreeBSD and one used F5 BIG-IP.

Netcraft measures and makes available the response times of around forty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.

From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as it gives a pointer to the reliability of routing. This is why we choose to rank our table by fewest failed requests rather than by shortest periods of outage. In the event that the number of failed requests is equal, sites are ranked by average connection time.

Information on the measurement process and current measurements is available.

Compromised GlobalTrust database is published online

In the aftermath of last month's successful attacks against three of Comodo's affiliate Registration Authorities, Cryptome has just published a database purportedly belonging to GlobalTrust and InstantSSL. It is likely that the database was obtained during last month's security breach, where an Iranian attacker caused fraudulent certificates to be issued for several high-value domains including www.google.com. Many GlobalTrust websites were subsequently taken offline for forensic investigation.

GlobalTrust.it is still up and running, but it appears that InstantSSL.it has quickly been taken down again, possibly to defend it against any unauthorised access which may result from this latest leak. The site currently responds with a 403 Forbidden message:

The ComodoHacker stated via Twitter that the comodo-db.rar file on cryptome.org contains the "entire database of GlobalTrust and InstantSSL Italy". ComodoHacker proved his involvement in last month's attack by publishing the private key for one of the fraudulently issued certificates, so it is likely that this file does indeed contain the compromised database.

LiveJournal under DDoS attack

LiveJournal has been knocked offline by another DDoS (distributed denial of service) attack, less than a week after a separate sustained attack caused the site to go down for several hours. In response to last week's attack, LiveJournal upgraded their servers to make the site run faster; however, this does not appear to have prevented the current attack from succeeding.

Svetlana Ivannikova, Head of LiveJournal Russia, confirmed that the current outage was caused by another DDoS attack: "We can confirm that the service has not been working correctly for the last hour due to another DDoS attack on LiveJournal. Administrators are aware of the problem and trying to identify the source and target of the attack". No further details were given at this time.

The attack which caused last week's outage apparently began on 24th March, but LiveJournal largely withstood the attack until it was ramped up on 30th March. LiveJournal maintenance said, "Turns out we upset our attackers and they started hitting us 10x harder".

Both www.livejournal.com and news.livejournal.com were still inaccessible at the time of publication.

Xbox LIVE director's account hijacked over bans

The Director of Policy and Enforcement for Xbox LIVE, Stephen Toulouse, had his Xbox LIVE account hijacked yesterday. The attacker purportedly used social engineering to convince Network Solutions to transfer DNS control of Toulouse's stepto.com domain name, allowing the attacker to receive any email sent to that domain. The attacker most likely used this to reset Toulouse's Xbox LIVE password and gain unauthorised access to his account, where he goes by the gamertag of Stepto.

The excited attacker subsequently uploaded footage of the hijack to YouTube, where he changed Stepto's motto from "Behave" to "Jacked by Predator". The attacker also advertised his account hijacking services in Stepto's bio, offering his AOL Instant Messenger contact details and payment methods. In his description of the video, Predator proudly boasts "ANY ACCOUNT $100 - $250 PayPal or AlertPay!!".

Predator revealed that the attack was carried out in revenge for being banned from using Xbox LIVE. During the video, he appears to hold Stephen Toulouse personally responsible for this: "Stepto, this is for console banning me over 35 times. You had it coming, man. Like, I'm tired of getting the console ban; now let's see what I can do to your account."

Proud of hijacking the Director's account, Predator ends his video's description with "I rest my name as Xbox Live's greatest account jacker."

Predator later uploaded a second video, noting that Stepto's account had been locked out. Toulouse regained control of his email and his domain's nameserver settings several hours after the attack, and his Xbox LIVE profile now looks to be restored.