Possible security breach at LastPass forces master password changes

LastPass is forcing its users to change their master passwords following a possible security breach. The free, multiplatform password manager software allows individuals to store passwords for many different websites, all of which can then be accessed using a single master password.


LastPass users only need to remember their master password to log into any website.

Users were notified of the issue after LastPass identified anomalous outbound network traffic. Although this traffic could not be accounted for, the amount of data transferred was large enough to include users' email addresses, the server salt and salted password hashes. That would give an attacker enough information to carry out an offline brute-force attack against the hashes, possibly recovering the plaintext passwords of many users.

LastPass remains unsure of what has actually happened, but prudently assumed the worst, noting that, "We realize this may be an overreaction and we apologize for the disruption this will cause, but we'd rather be paranoid and slightly inconvenience you than to be even more sorry later."
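To illustrate why a leaked salt plus salted hashes permits offline guessing, and why the work factor of the hash is the defender's main lever, here is an added example that is not from the article or from LastPass. The single-SHA-256 "weak" scheme, the PBKDF2 iteration count and the sample keyspace are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os
import time

# Constructed example: once an attacker holds a user's salt and hash, every
# guess can be checked offline, with no server-side rate limiting. The salt
# only defeats precomputed tables; the per-guess cost comes from the hash.

def weak_salted_hash(password: str, salt: bytes) -> bytes:
    """Hypothetical weak scheme: one SHA-256 over salt || password."""
    return hashlib.sha256(salt + password.encode()).digest()

def stretched_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """Key stretching with PBKDF2-HMAC-SHA256; cost scales with iterations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def verify(password: str, salt: bytes, stored: bytes, iterations: int) -> bool:
    """Server-side login check using a constant-time comparison."""
    candidate = stretched_hash(password, salt, iterations)
    return hmac.compare_digest(candidate, stored)

def hashes_per_second(hash_fn, salt: bytes, seconds: float = 0.2) -> float:
    """Measure how many candidate hashes this machine computes per second."""
    count, end = 0, time.perf_counter() + seconds
    while time.perf_counter() < end:
        hash_fn("candidate%d" % count, salt)
        count += 1
    return count / seconds

def seconds_to_exhaust(keyspace: int, rate: float) -> float:
    """Worst-case time to test every candidate in the keyspace at `rate`."""
    return keyspace / rate

if __name__ == "__main__":
    salt = os.urandom(16)           # constructed: random per-user salt
    iterations = 100_000            # assumed work factor for the stretched scheme
    keyspace = 26 ** 8              # assumed: 8 lowercase letters
    weak_rate = hashes_per_second(weak_salted_hash, salt)
    slow_rate = hashes_per_second(lambda p, s: stretched_hash(p, s, iterations), salt)
    print(f"single SHA-256 : {weak_rate:,.0f}/s -> "
          f"{seconds_to_exhaust(keyspace, weak_rate) / 86400:,.1f} days worst case")
    print(f"PBKDF2 x{iterations}: {slow_rate:,.0f}/s -> "
          f"{seconds_to_exhaust(keyspace, slow_rate) / 86400:,.1f} days worst case")
    stored = stretched_hash("correct horse", salt, iterations)
    print("verify:", verify("correct horse", salt, stored, iterations))
```

The two printed rates show the same keyspace becoming orders of magnitude more expensive to exhaust under key stretching, which is the property that limits the damage when salts and hashes leak.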

May 2011 Web Server Survey

In the May 2011 survey we received responses from 324,697,205 sites.

Apache exhibited by far the largest growth this month, gaining 12.5M hostnames and over 1.5 percentage points of market share. SoftLayer saw the largest increase, gaining 3.0M hostnames, while Earthlink took a big drop, losing 1.3M.

Microsoft gained only 0.8M hostnames this month, which cost it half a percentage point of market share. Rackspace and GoDaddy both showed notable growth, 260k and 280k respectively, but Intergenia AG suffered a fairly big loss of 1.1M hostnames at server4you.net in the US.

nginx and lighttpd both saw small gains of 381k and 21k respectively, while Google gained a much larger 1.5M hostnames.

The Tōhoku Earthquake has not caused any significant drops in the number of sites seen by the survey, though Japan's growth this month of 231k hostnames was about two thirds of what was seen in March (345k) and April (389k).

In Libya, where most of the country's internet access was cut off in early March, hostnames have dropped by about 95%, from 917 to just 42. The recent mass protests and political turmoil experienced by other North African and Middle Eastern countries, such as Tunisia, Egypt and Syria, have not yet resulted in any noticeable changes to those countries' hostname numbers.

Graph: Total Sites Across All Domains, August 1995 - May 2011

Graph: Market Share for Top Servers Across All Domains, August 1995 - May 2011


Developer    April 2011    Percent    May 2011      Percent    Change
Apache       191,139,966   61.13%     203,609,890   62.71%     1.58
Microsoft    58,867,097    18.83%     59,646,778    18.37%     -0.46
nginx        23,463,669    7.50%      23,850,265    7.35%      -0.16
Google       14,690,422    4.70%      16,219,824    5.00%      0.30
lighttpd     1,862,963     0.60%      1,884,876     0.58%      -0.02

Most Reliable Hosting Company Sites in April 2011

Rank  Company site          OS          Outage     Failed   DNS     Connect  First   Total
                                        hh:mm:ss   Req%                      byte
1     Rackspace             F5 Big-IP   0:00:00    0.008    0.120   0.063    0.127   0.127
2     www.qubenet.net       Linux       0:00:00    0.015    0.081   0.043    0.088   0.088
3     www.netcetera.co.uk   Windows     0:00:00    0.015    0.067   0.071    0.143   0.288
4     Datapipe              FreeBSD     0:00:00    0.019    0.124   0.008    0.019   0.026
5     New York Internet     FreeBSD     0:00:00    0.019    0.167   0.063    0.126   0.341
6     www.logicworks.net    Linux       0:00:00    0.027    0.114   0.064    0.142   0.344
7     INetU                 unknown     0:00:00    0.031    0.097   0.039    0.101   0.242
8     Hosting 4 Less        Linux       0:00:00    0.035    0.122   0.096    0.195   0.422
9     www.serverbeach.com   Linux       0:00:00    0.039    0.076   0.007    0.047   0.080
10    www.poundhost.com     Linux       0:00:00    0.039    0.215   0.061    0.136   0.260


Heading the table for April with only two failed requests from any of the performance monitors during the month was Rackspace. Rackspace provides managed and cloud hosting from nine datacentres in the U.S., the U.K. and China. Rackspace frequently features in Netcraft's top ten most reliable hosting companies, having appeared five times in the last year.

Second most reliable this month was Qube, a London-based hosting company which also has datacentres in New York and Zurich. Qube provide managed hosting, managed colocation and cloud hosting for a wide variety of customers, particularly in the areas of finance and new media. Although Qube has previously appeared in the top ten, this is the first time the hosting company has made it to the top three.

The third most reliable hosting company in April was Netcetera. Netcetera experienced the same number of failed requests as Qube, but had a longer average connection time. Netcetera provides a wide range of colocation, hosting and cloud services to customers throughout the world.

Five of the top ten sites this month were running on Linux, two were running on FreeBSD, and one on Windows. Rackspace's site, which performed best this month, is hosted on F5 Big-IP.

Netcraft measures and makes available the response times of around forty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.

From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as it gives a pointer to the reliability of routing; this is why we rank the table by fewest failed requests rather than by shortest period of outage. Where the number of failed requests is equal, sites are ranked by average connection time.

Information on the measurement process and current measurements is available.

Fire at data centre sends Aruba offline

Italian hosting company Aruba was knocked offline for a few hours today after a fire broke out in the centre of a server farm.

Aruba said the fire involved UPS batteries and confirmed that no servers had been damaged; however, the fire alarm system caused the power to be cut, sending many websites offline. Aruba started restoring power once it was deemed safe to do so.

At the time of writing, Aruba has restored 2 out of 3 data rooms and warns that the ongoing UPS restoration may result in unexpected downtime if there are any further power interruptions. Further updates can be found on Aruba's Twitter page.

Extended Validation SSL certificates: 4 years of growth

After more than 4 years of continued growth, Extended Validation SSL certificates still account for only 2.3% of all valid third-party certificates found in the Netcraft SSL Survey. The majority of sites use the cheapest type of certificate – domain validated – although these are less common amongst high-traffic websites.

Netcraft's April 2011 survey found a total of 38,966 valid EV certificates.

Extended Validation SSL certificates typically cost more than both domain and organisation validated certificates. The vetting process for EV certificates cannot always be automated to the same degree as for domain validated certificates – for example, the current guidelines may in some circumstances require the certificate authority to arrange a site visit in order to verify an applicant's business address. Such checks ultimately ensure that EV certificates are only issued to legally established businesses or organisations.

Because simpler domain validation checks can be performed automatically, CAs can enjoy a very fast and low cost issuance process for domain validated certificates. Eddy Nigg's StartSSL is perhaps a prime example of this – they offer free domain validated certificates for one year, in addition to their range of other paid-for certificates.

EV certificates are much more prevalent amongst high-traffic or financial websites, where it is often beneficial to demonstrate higher levels of assurance to visitors. For example, losses to phishing fraud can be reduced by educating online banking customers to look for the green indicator in the browser's address bar. Because this can only be activated by an EV certificate, a fraudster would be unable to replicate this behaviour on an HTTP website or by using a more easily obtainable type of certificate.

Of course, EV certificates cannot entirely prevent phishing attacks. If an attacker were to compromise a website which already uses a valid EV certificate, they could piggyback on the trust instilled by that site's certificate to present fraudulent content. Such a problem was first demonstrated on SourceForge, and then on paypal.com a few years ago, when cross-site scripting (XSS) vulnerabilities allowed arbitrary content to be injected into webpages. PayPal was one of the first companies to use EV certificates, which it believes resulted in noticeably lower abandonment rates on signup flows.

Restricting our analysis to the busiest 1,000 websites in the world, 81 sites accepted HTTPS connections and presented a valid SSL certificate. Nearly a third of these certificates used Extended Validation – a far higher proportion than the 2.3% share of all certificates.

While domain validated certificates have the largest share of the entire market, this share starts to decline when the least visited sites are removed from the analysis. Organisation validated certificates take the largest share within the top million sites, and are still almost twice as popular as EV certificates in the top 1,000.

The future looks quite promising for both Extended Validation and domain validated certificates. Both types have shown continued growth in recent years, while the growth of organisation validated certificates has been relatively subdued. Organisation validated certificates do not offer the same level of assurance as an EV certificate, and typically cost more than a domain validated certificate, so it will be interesting to see whether these "middle of the road" certificates continue to grow – particularly in a market where many consumers may only be interested in either having the highest assurance or paying the lowest price.

April 2011 Web Server Survey

In the April 2011 survey we received responses from 312,693,296 sites, a growth of almost 14.7M hostnames. This is the tenth consecutive month of growth seen by the survey.

As in recent months, Apache contributed most to the increase, gaining 11.4M hostnames. Especially large increases were seen at AmeriNOC, SoftLayer and ServerInt, which saw gains of 3.7M, 2.5M, and 1.2M hostnames respectively. Large increases were also seen at several hosting companies, including Amazon, China Telecom and BurstNET.

Microsoft saw an overall increase of 1.2M hostnames, with the largest growth seen at Go Daddy. Microsoft's largest loss was due to the continuing movement of Windows Live Spaces to WordPress.com.

This month saw nginx gain 651k hostnames overall, despite losses at ServePath, China Telecom and Amazon. The largest increase was seen at Hetzner Online AG which saw an additional 349k sites.

The Tōhoku Earthquake did not cause a drop in the number of sites seen by the Web Server Survey this month, as the data collection completed before the earthquake struck.

Graph: Total Sites Across All Domains, August 1995 - April 2011

Graph: Market Share for Top Servers Across All Domains, August 1995 - April 2011


Developer    March 2011    Percent    April 2011    Percent    Change
Apache       179,720,332   60.31%     191,139,966   61.13%     0.82
Microsoft    57,644,692    19.34%     58,867,097    18.83%     -0.52
nginx        22,806,060    7.65%      23,463,669    7.50%      -0.15
Google       15,161,530    5.09%      14,690,422    4.70%      -0.39
lighttpd     1,796,471     0.60%      1,862,963     0.60%      -0.01