TripAdvisor email list stolen

TripAdvisor is the latest company to announce a security breach of its customer email addresses. The travel advice company has published limited details of the incident at http://www.tripadvisor.com/vpages/more_information.html, but is still investigating when the breach actually occurred.

TripAdvisor's statement does not make it clear how many addresses have been compromised, but they note that the vulnerability has been identified and fixed:

"While we're still investigating the details, we've identified the vulnerability, shut it down and are vigorously pursuing the matter with law enforcement. We are also implementing additional security precautions to help prevent another incident in the future."

TripAdvisor was previously a client of Silverpop, which was blamed for a similar breach at Play.com earlier this week. However, Silverpop confirmed to Netcraft that TripAdvisor has not been a client of theirs since 2008, adding "Clearly this is an industry-wide issue".

TripAdvisor was unable to provide any further information to Netcraft at this stage, as their investigations are ongoing, but they did reiterate that no financial details have been compromised.

Browsers vulnerable to fraudulent SSL certificates

Security researcher ioerror has discovered a suspected Certificate Authority compromise. This may allow an attacker to impersonate a high-value website by presenting a fraudulent SSL certificate which nonetheless satisfies a browser's validity checks:

"A Certification Authority appeared to be compromised in some capacity, and the attacker issued themselves valid HTTPS certificates for high-value web sites. With these certificates, the attacker could impersonate the identities of the victim web sites or other related systems, probably undetectably for the majority of users on the internet."

ioerror discovered the compromise last week, but responsibly offered to embargo his findings until the launch of Firefox 4. Mozilla yesterday announced that it had revoked these fraudulent certificates and updated Firefox 4.0, 3.6 and 3.5 to recognise the fraudulent certificates and block them automatically.

By examining recent source code revisions in Chromium and Firefox, ioerror discovered certificate revocation lists (CRLs) for certificates issued by The USERTRUST Network, which is part of Comodo.

ioerror found 11 revoked certificates, which he believes could indicate a compromise at USERTRUST:

"This is evidence of a rather serious event and one that cannot be ignored. If I had to make a bet, I'd wager that an attacker was able to issue high value certificates, probably by compromising USERTRUST in some manner."

Furthermore, ioerror suggests that many users are probably still updating and therefore remain vulnerable to "the failure that is the CRL and OCSP method for revocation."

Mozilla revealed that addons.mozilla.org was one of the certificates acquired by the attacker, and ioerror called upon Comodo to disclose which other sites had been targeted.

Two years ago, a Comodo reseller erroneously issued an SSL certificate to an unverified party. Eddy Nigg demonstrably exploited a lack of validation by Certstar in order to obtain a legitimate domain-validated certificate for mozilla.com – a domain he did not own.

Play.com believes security breach related to Silverpop hack

After confirming a security breach to its customers yesterday, Play.com today suggested that email marketing company Silverpop may have been responsible for the leak which resulted in spam being delivered to Play.com customers.

In a statement sent to Netcraft, John Perkins, CEO of Play.com, said:

"We believe this issue may be related to some irregular activity that was identified in December 2010 at our email service provider, Silverpop. Investigations at the time showed no evidence that any of our customer email addresses had been downloaded. We would like to assure all our customers that the only information communicated to our email service provider was email addresses. Play.com has taken all the necessary steps with Silverpop to ensure a security breach of this nature does not happen again."

Following the attacks in December 2010, Silverpop posted some details of its forensic investigation on its blog.

Several Play.com customers have speculated whether any other personal data may have been compromised, while the Sophos blog recommended that customers change their passwords. However, Play.com offered some reassurance by confirming that no other personal data has been compromised:

"We would also like to reassure our customers that all other personal information (i.e. credit cards, addresses, passwords, etc.) is kept in the very secure Play.com environment. Play.com has one of the most stringent internal standards of e-commerce security in the industry. This is audited and tested several times a year by leading internet security companies to ensure this high level of security is maintained. On behalf of Play.com, I would like to once again apologise to our customers for any inconvenience due to a potential increase in spam that may be caused by this issue."

In a separate statement, Silverpop confirmed to Netcraft that it had notified all customers impacted by the cyber attack in 2010 and worked with the FBI to help identify those responsible.

Play.com confirms security breach

Following our previous article about an apparent email address leak at Play.com, the company has confirmed that a security breach has occurred.

In an email to its customers, Play.com stated that the breach occurred at a marketing company, resulting in customer names and email addresses being compromised:

"We are emailing all our customers to let you know that a company that handles part of our marketing communications has had a security breach. Unfortunately this has meant that some customer names and email addresses may have been compromised.

We take privacy and security very seriously and ensure all sensitive customer data is protected. Please be assured this issue has occurred outside of Play.com and no other personal customer information has been involved."

Many customers already appear to have received spam as a result of this breach, apparently including some who had opted out of receiving marketing emails from Play.com.

An information security manager at Play.com refused to tell Netcraft which marketing company was responsible for the breach.

Play.com customer emails leaked?

Online retailer Play.com has been accused of leaking its customers' email addresses to spammers.

Many customers reported receiving a spam email yesterday, offering an Adobe Reader upgrade which requires registration and payment. Some of these emails were sent to unique email addresses that have only been used at play.com, suggesting that the spammer had access to private customer details.

Most complaints relate to an email with the subject line "Get more done, much faster, with Acrobat X PDF Reader. Upgrade Available Now":

One Play.com customer commented yesterday:

"I too received the email this morning. I use a unique email address for each website using the plus addressing feature of gmail; in this case the phishing attack was sent to myemailaddress+play@gmail.com. This is pretty compelling evidence that play.com are at fault."

Although it does seem that Play.com's customer details have been breached, it is not yet clear how this may have happened, or indeed whether Play.com are at fault. In particular, Play.com's privacy policy reveals several other places where leaks could have occurred. Play.com shares data with other business and technical partners to handle orders, process credit and debit card payments and for fraud protection.
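The per-site plus-addressing described by the customer above doubles as a leak-attribution technique: if each site is given its own tag, the tag on an unsolicited message names the likely source. The following is an added example, not code from Netcraft or Play.com; the tag registry and the sample headers are constructed, and the canonicalisation rules (case-insensitive local part, dots ignored, tag after the first '+') are the Gmail conventions the comment relies on.

```python
"""Attribute suspected address leaks using per-site plus-addressed tags.

Added example, not from the Netcraft article. Assumes Gmail-style rules:
the local part is case-insensitive, dots in it are ignored, and anything
after the first '+' is a tag the mailbox owner chose when registering.
"""
from email import message_from_string
from email.utils import getaddresses

# Constructed registry of tag -> site the tagged address was given to.
# Only the 'play' tag appears in the article; 'shop' is made up.
REGISTERED_TAGS = {"play": "play.com", "shop": "example-shop.test"}

# Constructed headers of messages that arrived unsolicited.
SAMPLE_MESSAGES = [
    "To: My.Email.Address+play@gmail.com\nSubject: Get more done, much faster, "
    "with Acrobat X PDF Reader. Upgrade Available Now\n\nbody",
    "To: myemailaddress+SHOP@gmail.com\nSubject: Offer\n\nbody",
    "To: myemailaddress@gmail.com\nSubject: Offer\n\nbody",
    "To: myemailaddress+unknown@gmail.com\nSubject: Offer\n\nbody",
]


def canonical(addr):
    """Return (mailbox, tag) after Gmail-style canonicalisation of addr."""
    local, _, domain = addr.strip().lower().rpartition("@")
    base, _, tag = local.partition("+")
    if domain in ("gmail.com", "googlemail.com"):
        base = base.replace(".", "")  # Gmail ignores dots in the local part
    return base + "@" + domain, tag


def attribute(raw_message, registry=REGISTERED_TAGS):
    """Name the site the recipient address was registered with, or say why not."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("Delivered-To", []) + msg.get_all("To", [])
    recipients = [addr for _, addr in getaddresses(headers) if addr]
    if not recipients:
        return "no-recipient"
    _, tag = canonical(recipients[0])  # first delivery address wins
    if not tag:
        return "untagged"  # tag stripped or never used: cannot attribute
    return registry.get(tag, "unknown-tag:" + tag)


def leak_report(messages, registry=REGISTERED_TAGS):
    """Count suspected leak sources across a batch of unsolicited messages."""
    counts = {}
    for raw in messages:
        source = attribute(raw, registry)
        counts[source] = counts.get(source, 0) + 1
    return counts
```

A count concentrated on one site, as in the Play.com reports, points at that site or one of its processors; untagged hits stay unattributed because a spammer can strip the tag.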

Another recipient of the spam was advised the following by Play.com:

"Please be advised that our database is maintained on a secure internal server that is not connected to the internet. No unauthorised access of any kind is available to the network."

Fortunately, most browser software has already blocked the spammer's website as a web forgery:

If the user chooses to ignore this warning, the site offers a download link for PDF Reader/Writer software:

The user is then taken to a third-party site, secureonline-form.com, which requires registration:

Finally, the user must pay for membership in order to obtain the software:

Play.com did not respond to Netcraft's request for comment before this article was published.

March 2011 Web Server Survey

In the March 2011 survey we received responses from 298,002,705 sites, a growth of just over 13M hostnames on last month's survey, continuing the steady growth seen since July last year.

Apache was the biggest contributor to this month's growth, with an increase of 8.5M hostnames. This increase comes despite large losses of 2.23M at skyrock.net due to their servers no longer reporting a server banner. Most of the increase is once again due to AmeriNOC and Softlayer, with gains of 5.5M and 1.2M hostnames respectively. Large increases were also seen at both Leaseweb and Hetzner Online AG.

nginx gained 1.2M hostnames this month due to increases at a number of hosting companies, the largest of which was 289k at Hetzner Online AG.

Small gains were seen by both Microsoft and Google, with increases of 560k and 205k hostnames respectively. Microsoft's increase came primarily from Go Daddy, and an increase of 296k hostnames hosted by Microsoft which made up for a drop seen there last month. Despite the gain in hostnames, Microsoft experienced a 0.7 percentage point loss in market share, while Google's share was relatively unchanged.

The only web server vendor to see a loss in the number of hostnames this month was lighttpd. It experienced a drop of 157k hostnames which was shared by multiple hosting companies.

[Graph: Total Sites Across All Domains, August 1995 - March 2011]


[Graph: Market Share for Top Servers Across All Domains, August 1995 - March 2011]


Developer    February 2011   Percent   March 2011    Percent   Change
Apache       171,195,554     60.10%    179,720,332   60.31%     0.21
Microsoft     57,084,126     20.04%     57,644,692   19.34%    -0.70
nginx         21,570,463      7.57%     22,806,060    7.65%     0.08
Google        14,454,484      5.07%     15,161,530    5.09%     0.01
lighttpd       1,953,966      0.69%      1,796,471    0.60%    -0.08