WordPress hosting: Do not try this at home!

Compromised WordPress blogs were used to host nearly 12,000 phishing sites in February. This represents more than 7% of all phishing attacks blocked during that month, and 11% of the unique IP addresses that were involved in phishing.

WordPress blogs were also responsible for distributing a significant amount of web-hosted malware — more than 8% of the malware URLs blocked by Netcraft in February were on WordPress blogs, or 19% of all unique IP addresses hosting malware.

WordPress is the most common blogging platform and content management system in the world: Netcraft's latest survey found nearly 27 million websites running WordPress, spread across 1.4 million different IP addresses and 12 million distinct domain names. Many of these blogs are vulnerable to brute-force password guessing attacks by virtue of the predictable location of the administrative interface and the still widespread use of the default "admin" username.

But remarkably, not a single phishing site was hosted on Automattic's own WordPress.com service in February. WordPress.com hosts millions of blogs powered by the open source WordPress software. Customers can purchase custom domain names to use for their blogs, or choose to register free blogs with hostnames like username.wordpress.com.

Automattic's founder, Matt Mullenweg, was one of the original authors of WordPress when it was released in 2003. Automattic later handed the WordPress trademark to the WordPress Foundation in 2010, but still contributes to the development of WordPress. Such familiarity with the product likely explains why blogs hosted at Automattic are significantly more secure than average.

Bloggers can also go it alone — anybody can download the WordPress software from wordpress.org and deploy it on their own website, and some hosting companies also offer "one-click" installations to simplify the process. Bloggers who install WordPress on their own websites will often also be responsible for keeping the software secure and up-to-date. Unfortunately, in many cases, they do not.

Even well-known security experts can fall victim to security flaws in WordPress if it is not their core activity. For example, in 2007, the Computer Security Group at the University of Cambridge found their own Light Blue Touchpaper blog had been compromised through several WordPress vulnerabilities.

Versions of WordPress after 3.7 are now able to automatically update themselves, provided the WordPress files are writable by the web server process. This has its own security trade-off, however, as an attacker exploiting a new and unreported vulnerability (a zero-day) that has the ability to write files will have free rein over the whole WordPress installation — an attacker could even modify the behaviour of WordPress itself to disable any future automatic security updates.

Insecure plugins

Over its lifetime, WordPress has been plagued by security issues both in its core code and in the numerous third-party plugins and themes that are available. One of the most widespread vulnerabilities this decade was discovered in the TimThumb plugin, which was bundled with many WordPress themes and consequently present on a large number of WordPress blogs. A subtle validation flaw made it possible for remote attackers to make the plugin download remote files and store them on the website. This allowed attackers to install PHP scripts on vulnerable blogs, ultimately facilitating the installation of malware and phishing kits. Similar vulnerabilities are still being exploited today.

Many of the phishing sites blocked in February were still operational this month, including this Apple iTunes phishing site hosted on a marketing company's website.

Dropzones for WordPress phishing content

Note that the above phishing content is stored in the blog's wp-includes directory, which is where the bulk of the WordPress application logic resides. More than a fifth of all phishing content hosted on WordPress blogs can be found within this directory, while another fifth resides in the wp-admin directory. However, the most common location is the wp-content directory, which is used by just over half of the phishing sites.

The wp-content directory is where WordPress stores user-supplied content, so it is almost always writable by the web server process. This makes it an obvious dropzone for malware and phishing content if a hacker is able to find and exploit a suitable vulnerability in WordPress, or indeed in any other web application running on the server. Shared hosting environments are particularly vulnerable if the file system permissions allow malicious users to write files to another user's wp-content directory. Some examples of directory structures used by phishing sites hosted in this directory on WordPress blogs include:

/wp-content/securelogin/webapps/paypal/
/wp-content/plugins/wordpress-importer/languages/image/Google/Google/
/wp-content/uploads/.1/Paypal/us/webscr.htm

The wp-includes and wp-admin directories can also be written to by other users or processes if the WordPress installation has not been suitably hardened. Failing to harden a WordPress installation and keep all of its plugins up to date could result in a site being compromised and used to carry out phishing attacks. Enabling automatic background updates is an easy way to ensure that a WordPress blog is kept up-to-date, but a significant trade off is that every WordPress file must be writable by the web server user.

Some other examples of directory structures seen in phishing sites hosted on WordPress blogs include:

/wp-includes/alibaba_online/
/wp-includes/www.paypal.com.fr.cgi.bin.webscr.cmd.login.submit.login/
/wp-includes/js/online.lloydsbank.co.uk/

/wp-admin/js/www.credit-mutuel.fr/
/wp-admin/maint/RBS-Card/index.html
/wp-admin/Googledoc/

Interestingly, the wp-admin directory appears to be the favourite location for Apple phishing sites – these make up more than 60% of all phishing sites found in this directory.

Vulnerable WordPress blogs can also be used for other nefarious purposes. A botnet of more than 162,000 WordPress blogs (less than 1% of all WordPress blogs) was recently involved in a distributed denial of service (DDoS) attack against a single website. Attackers exploited the Pingback feature in these WordPress blogs (which is enabled by default) to flood the target site with junk HTTP requests, causing it to be shut down by its hosting company.

A quarter of the phishing sites hosted on WordPress blogs in February targeted PayPal users, followed by 17% which targeted Apple customers.

Please contact us (sales@netcraft.com) for pricing or further details about any of our anti-phishing and web application security testing services.

EA Games website hacked to steal Apple IDs

An EA Games server has been compromised by hackers and is now hosting a phishing site which targets Apple ID account holders.

The compromised server is used by two websites in the ea.com domain, and is ordinarily used to host a calendar based on WebCalendar 1.2.0. This version was released in September 2008 and contains several security vulnerabilities which have been addressed in subsequent releases. For example, CVE-2012-5385 details a vulnerability which allows an unauthenticated attacker to modify settings and possibly execute arbitrary code. It is likely that one of these vulnerabilities was used to compromise the server, as the phishing content is located in the same directory as the WebCalendar application.

The phishing site attempts to trick a victim into submitting his Apple ID and password. It then presents a second form which asks the victim to verify his full name, card number, expiration date, verification code, date of birth, phone number, mother's maiden name, plus other details that would be useful to a fraudster. After submitting these details, the victim is redirected to the legitimate Apple ID website at https://appleid.apple.com/cgi-bin/WebObjects/MyAppleId.woa/

The compromised server is hosted within EA's own network. Compromised internet-visible servers are often used as "stepping stones" to attack internal servers and access data which would otherwise be invisible to the internet, although there is no obvious outward facing evidence to suggest that this has happened.

In this case, the hacker has managed to install and execute arbitrary PHP scripts on the EA server, so it is likely that he can at least also view the contents of the calendar and some of the source code and other data present on the server. The mere presence of old software can often provide sufficient incentive for a hacker to target one system over another, and to spend more time looking for additional vulnerabilities or trying to probe deeper into the internal network.

As well as hosting phishing sites, EA Games is also the target of phishing attacks which try to steal credentials from users of its Origin digital distribution platform. For example, the following site — which has been online for more than a week — is attempting to steal email addresses, passwords and security question answers.

EA's Origin servers also came under attack earlier this year, causing connectivity and login problems in various EA games. A tweet by @DerpTrolling appeared to claim responsibility for the outages, while also suggesting that it was a distributed denial of service attack which caused the problems.

("Gaben" is a reference to Gabe Newell, managing director of Valve Corporation, which owns the competing Steam digital distribution platform)

Netcraft has blocked access to all phishing sites mentioned in this article, and informed EA yesterday that their server has been compromised. However, the vulnerable server — and the phishing content — is still online at the time of publication.

The Audited by Netcraft service provides a means of regularly testing internet infrastructure for old and vulnerable software, faulty configurations, weak encryption and other issues which would fail to meet the PCI DSS standard. These automated scans can be run as frequently as every day, and can be augmented by Netcraft's Web Application Security Testing service, which provides a much deeper manual analysis of a web application by an experienced security professional.

Most Reliable Hosting Company Sites in February 2014

Rank Performance Graph OS Outage
hh:mm:ss
Failed
Req%
DNS Connect First
byte
Total
1 Qube Managed Services Linux 0:00:00 0.000 0.100 0.039 0.081 0.081
2 ServerStack Linux 0:00:00 0.008 0.087 0.076 0.150 0.150
3 Hosting 4 Less Linux 0:00:00 0.017 0.174 0.125 0.248 0.634
4 Datapipe FreeBSD 0:00:00 0.021 0.077 0.018 0.037 0.055
5 XILO Communications Ltd. Linux 0:00:00 0.021 0.199 0.069 0.166 0.261
6 www.dinahosting.com Linux 0:00:00 0.021 0.233 0.087 0.175 0.175
7 Server Intellect Windows Server 2012 0:00:00 0.021 0.075 0.101 0.638 0.998
8 Pair Networks FreeBSD 0:00:00 0.025 0.226 0.085 0.170 0.562
9 iWeb Linux 0:00:00 0.033 0.155 0.090 0.177 0.177
10 Anexia Linux 0:00:00 0.050 0.131 0.103 0.453 0.746

See full table

London-based Qube Managed Services had February's most reliable hosting company site, www.qubenet.co.uk, which successfully responded to all requests sent. This is the second time in six months Qube has had no failed requests, having also achieved it back in September. Qube's reliability is perhaps due to the routing infrastructure it has in place at its data centres in London, New York and Zurich. Qube's carriers include Level 3 Communications and Zayo (formerly AboveNet), both of which are known for their extensive network coverage across Europe and America.

In second place is ServerStack with two failed requests. ServerStack has maintained a 100% uptime record over the past year and offers a 100% uptime service-level agreement from its data centres in Amsterdam, New Jersey and San Jose. ServerStack uses the nginx web server to serve its website and also some of world's busiest websites, including a site which serves 150 million pageviews per day.

In third place with four failed requests is Hosting 4 Less. Hosting 4 Less has a 99.9% uptime guarantee and has been providing web hosting services for over 15 years. It owns and operates a Californian data centre facility which is privately peered via multiple gigabit connections to the Internet backbone.

FreeBSD powered the sites for both Datapipe (lowest connection time within the top 10) and Pair Networks. Windows Server 2012 powered Server Intellect and the remaining seven sites ran Linux, including first place Qube.

Netcraft measures and makes available the response times of around forty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.

From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as this gives a pointer to reliability of routing, and this is why we choose to rank our table by fewest failed requests, rather than shortest periods of outage. In the event the number of failed requests are equal then sites are ranked by average connection times.

Information on the measurement process and current measurements is available.

March 2014 Web Server Survey

In the March 2014 survey we received responses from 919,533,715 sites — around half a million fewer than last month.

Apache has gained some breathing space this month. Nearly a year of strong market share growth by Microsoft eventually culminated in the gap between Apache and Microsoft being reduced to only 5.4 percentage points. After the gap dropped to its lowest point last month, Microsoft had looked set to usurp Apache as the most common web server within a matter of months. This month's survey saw Microsoft lose 15.8 million sites and Apache gain 3.2 million, however. Apache's market share increased to 38.6%, 7.5 percentage points ahead of Microsoft and bucking the recent trend.

Most of Microsoft's losses this month were seen at Nobis Technology Group, where more than 30 million link-farming sites stopped operating. Nobis is a private holding company, which owns the DarkStar voice communications network and Ubiquity Hosting Solutions, which has seven data centres across the United States.

nginx gained 5 million sites this month, increasing its market share to 15.6%. The latest mainline version of nginx (1.5.10) now supports SPDY 3.1, which extends the flow control features of SPDY 3.0 by allowing different sessions within a single connection to send data at different rates. It is no surprise that SPDY 3.1 is already supported in the Google Chrome web browser; SPDY was primarily developed by Google, and is one of their trademarks. SPDY 3.1 has also been supported in Mozilla Firefox since 4th February 2014.

Content delivery network CloudFlare — which uses its own web server software based on nginx — rolled out SPDY 3.1 support for all of its customers in February. Since last month, Netcraft's SSL Survey has identified a four-fold increase in the number of HTTPS websites supporting SPDY 3.1, most of which are hosted by CloudFlare. A smaller number of these SPDY 3.1 sites are hosted by the owner of the WordPress.com blogging platform, Automattic, which was one of the sponsors of the ngx_http_spdy_module.

Mozilla has been planning to remove SPDY 2 support from Firefox since September 2013, and this looks set to happen with the release of Firefox 28. Some developers asked for SPDY 2 support to be retained, arguing that dropping support for SPDY 2 would effectively drop SPDY support in many SPDY-enabled websites. However, nginx and CloudFlare now supporting SPDY 3.1 allays some of that concern.

LibreOffice — the free open source office suite bundled with Ubuntu Linux — moved its website from an Apache web server to nginx at the end of January, apparently for performance reasons. Incidentally, this further distances LibreOffice from the Apache Software Foundation - LibreOffice was forked from OpenOffice.org in 2010, before the latter was given to the ASF where development continued under the name of Apache OpenOffice.

More than 30 new generic top-level domains (gTLDs) were delegated to the Root Zone during February, making them officially part of the internet. There are now 471 top level domains in total. The new ones added in February included .flights, .wiki, .xyz, .fish and .移动 (xn--6frz82g – Chinese for "mobile").

Many of these new gTLDs were applied for by Donuts Inc, a US domain registry which was founded in 2011. The company's CEO and co-founder, Paul Stahura, previously founded domain name registrar eNom in 1997. Donuts raised more than $100,000,000 in its Series A financing round and applied to ICANN for more than 300 TLDs in 2012. As a registry, Donuts does not sell domain names directly to the public; instead, customers must purchase them from one of its accredited registrars.





DeveloperFebruary 2014PercentMarch 2014PercentChange
Apache351,700,57238.22%354,956,66038.60%0.38
Microsoft301,781,99732.80%286,014,56631.10%-1.69
nginx138,056,44415.00%143,095,18115.56%0.56
Google21,129,5092.30%20,960,4222.28%-0.02
Continue reading

Microsoft neck and neck with Amazon in Windows hosting

Microsoft has edged ahead of Amazon to become the largest hosting company as measured by the number of web-facing Windows computers. The pair have been neck and neck for almost nine months: Microsoft now has 23,400 web-facing Windows computers against Amazon's 22,600. Barring companies with large connectivity aspects to their businesses — including China Telecom, Comcast, Time Warner, and Verizon — Amazon and Microsoft are the largest Windows hosting companies in the world, though the market is still fragmented with each having just over 1% of the market.

Microsoft's growth is predominantly a result of the growth of Windows Azure: Azure now accounts for close to 90% of all web-facing computers at Microsoft. Windows Azure has grown by almost 50% since May 2013, during the February 2014 Web Server survey Netcraft found 27,000 web-facing computers (both Windows and Linux) using the cloud computing platform. Many of Microsoft's own services are powered by Windows Azure including Office 365, Xbox Live, Skype, and OneDrive.

Windows Azure Web Sites service — available to the general public since June 2013 — may be the driving force behind Azure's growth. This Platform as a Service allows existing applications written in ASP, ASP.NET, PHP, Node.js, or Python to be deployed on an automatically scaling platform without managing individual computers. Microsoft also provides pre-configured software packages, such as WordPress, which can be used immediately with the Web Site service.

With over 1% of all Windows web-facing computers in the world hosted at Azure, Microsoft is now defeating the Windows hosting providers which it still partners with, and which four years ago would have been its sole revenue source in the hosting market.

Azure Regions

Azure's data centres are split into regions and geos: there are several regions within each larger geo (formerly major regions).

GEO REGIONS
United States US West (California), US East (Virginia), US North Central (Illinois), US South Central (Texas)
Europe Europe West (Netherlands), Europe North (Ireland)
Asia Pacific Asia Pacific East (Hong Kong), Asia Pacific South-East (Singapore)
Japan Japan East (Saitama Prefecture), Japan West (Osaka Prefecture)

The two new Japanese Azure regions were made available to the general public on 25th February 2014, less than a year after they were first announced. Whilst all other Azure regions all share the same price for virtual machines (from 2¢ per hour), the two new Japanese regions are more expensive: virtual machines start at 2.7¢ (Japan East) and 2.4¢ (Japan West) per hour. Neither Japanese region was detected in the February 2014 web server survey which ran in mid-January.

More than half of all web-facing Azure computers are hosted within the United States. US East is the most populated US region, closely followed by US West. However, Europe West is the most populated Azure region in the world, accounting for 20% of all web-facing Azure computers. In total, 52% of Azure's web-facing computers are in the United States, 36% are in Europe, and only 12% are in Asia Pacific.

Being able to use Windows Azure in China could offer new opportunities to non-Chinese companies who wish to increase their internet presence in China, although Netcraft has previously noted a number of issues which could hold back the growth of cloud computing in China.

For additional performance when serving content to users around the globe, the Windows Azure Content Delivery Network (CDN) can be used. This allows end users to download content from one of more than 20 different CDN node locations, which is likely to be quicker than downloading the non-cached content directly.

Whilst Azure operates across the globe certain features, such as redundancy, can only operate within the same geo. Furthermore, some Azure services are not available in all regions – for example, Azure Web Sites cannot be deployed in US South Central or Asia Pacific South-East, and the Windows Azure Scheduler is only available in one region per geo.

Operating systems

Windows Azure virtual machines exhibit the TCP/IP characteristics of the operating systems installed on them, and thus it is possible to remotely determine which operating systems are being used by Azure customers.

Windows Server 2008 is the most popular operating system installed on Azure instances, although this is not necessarily a choice that is down to the customer — for example, when using the Blob storage service to expose files over HTTP/HTTPS, the user cannot choose which operating system to use.

Windows Server is used by 90% of all web-facing computers at Azure, including three computers which still appear to be running Windows Server 2003. The remaining 10% use Linux, with Ubuntu being the most commonly identified distribution.

Unsurprisingly, Microsoft IIS and Microsoft HTTPAPI are the most common web servers on the Windows Server computers at Azure; however, a few hundred websites use Apache on Windows. As expected, Apache is the most common web server for websites served from Linux machines at Azure (62%) followed by nginx (33%).

Preview services

Several Azure services are currently offered only as preview services, which means they are made available only for evaluation purposes. Some of these preview services have had well-established Amazon equivalents for several years. For example, the Windows Azure Scheduler preview service offers similar functionality to Amazon's Simple Workflow Service (SWF), which has been available for 2 years.

Microsoft's preview services also include the Azure Import/Export Service, which allows users to transfer large amounts of data into Windows Azure Blob storage. Customers can send an encrypted hard disk to Microsoft and the data on the hard disk will be uploaded directly into the Blob storage account. Microsoft currently only accepts hard disk deliveries from the United States (although the service can be used to send data to and from European and Asian cloud regions). Amazon's own Import/Export service has been available since 2010.

Blob Storage

Windows Azure Blob (Binary Large Object) Storage is Microsoft's answer to Amazon's Simple Storage Service (S3). Both allow large files such as video, audio and images to be stored, although while Amazon has no storage limits, individual blobs on Azure have a storage limit of 200TB. Blobs can be mounted as drives and accessed from a web application as if they were ordinary NTFS volumes. If this is the only way a Blob is used, then the frontend computer responsible for that Blob will not be directly measurable over the internet: Netcraft measures only publicly visible computers with corresponding DNS entries and which respond to HTTP requests.

Microsoft offers both locally redundant storage (replicas are held within a single region) and geo-redundant storage (replicas are held in multiple regions within a single geo). Read-Access Geo Redundant Storage is currently available as a preview service. This allows customers to have read access to a secondary storage replica so that it may still be accessed in the event of a failure in the primary storage location.

Users of Windows Azure

Some well known users of Windows Azure include the Sochi 2014 Olympic Games, luxury sports car manufacturer Aston Martin, Taiwanese electronics brand BenQ, McDonald's Happy Studio, and the Have I been pwned? website, which allows users to see whether their email addresses or usernames have been affected by any publicly released website security breaches.

Troy Hunt, the developer of haveibeenpwned.com, uses Windows Azure Table Storage to store more than 160 million records much more cheaply than a comparable relational database. In fact, one of his complaints about Windows Azure is that it is too damn fast: "The response from each search was coming back so quickly that the user wasn’t sure if it was legitimately checking subsequent addresses they entered or if there was a glitch". Hunt also described how he used SQL Server on Windows Azure to analyse last year's Adobe data breach, which with 153 million records. After downloading the breach data to a low-spec Azure virtual machine, he then upgraded the virtual machine to an 8-processor system with 56 gigabytes of RAM and completed his on-demand analysis at an estimated cost of $12.

Fake SSL certificates deployed across the internet

Netcraft has found dozens of fake SSL certificates impersonating banks, ecommerce sites, ISPs and social networks. Some of these certificates may be used to carry out man-in-the-middle attacks against the affected companies and their customers. Successful attacks would allow criminals to decrypt legitimate online banking traffic before re-encrypting it and forwarding it to the bank. This would leave both parties unaware that the attacker may have captured the customer's authentication credentials, or manipulated the amount or recipient of a money transfer.

The fake certificates bear common names (CNs) which match the hostnames of their targets (e.g. www.facebook.com). As the certificates are not signed by trusted certificate authorities, none will be regarded as valid by mainstream web browser software; however, an increasing amount of online banking traffic now originates from apps and other non-browser software which may fail to adequately check the validity of SSL certificates.

Fake certificates alone are not enough to allow an attacker to carry out a man-in-the-middle attack. He would also need to be in a position to eavesdrop the network traffic flowing between the victim's mobile device and the servers it communicates with. In practice, this means that an attacker would need to share a network and internet connection with the victim, or would need to have access to some system on the internet between the victim and the server. Setting up a rogue wireless access point is one of the easiest ways for an individual to carry out such attacks, as the attacker can easily monitor all network traffic as well as influence the results of DNS lookups (for example, making www.examplebank.com resolve to an IP address under his control).

Researchers from Stanford University and The University of Texas at Austin found broken SSL certificate validation in Amazon's EC2 Java library, Amazon's and PayPal's merchant SDKs, integrated shopping carts such as osCommerce and ZenCart, and AdMob code used by mobile websites. A lack of certificate checks within the popular Steam gaming platform also allowed consumer PayPal payments to be undetectably intercepted for at least 3 months before eventually being fixed.

Online banking apps for mobile devices are tempting targets for man-in-the-middle attacks, as SSL certificate validation is far from trivial, and mobile applications often fall short of the standard of validation performed by web browsers. 40% of iOS-based banking apps tested by IO Active are vulnerable to such attacks because they fail to validate the authenticity of SSL certificates presented by the server. 41% of selected Android apps were found to be vulnerable in manual tests by Leibniz University of Hannover and Philipps University of Marburg in Germany. Both apps and browsers may also be vulnerable if a user can be tricked into installing rogue root certificates through social engineering or malware attacks, although this kind of attack is far from trivial on an iPhone.

The following fake certificate for facebook.com is served from a web server in Ukraine. There are clearly fraudulent intentions behind this certificate, as browsing to the site presents a Facebook phishing site; however, the official Facebook app is safe from such attacks, as it properly validates SSL certificates and also uses certificate pinning to ensure that it is protected against fraudulently issued certificates.

Similarly, this wildcard certificate for *.google.com could suggest an attempted attack against a multitude of Google services. The fake certificate is served from a machine in Romania, which also hosts dozens of websites with .ro and .com top level domains. It claims to have been issued by America Online Root Certification Authority 42, closely mimicking the legitimate AOL trusted root certificates which are installed in all browsers, but the fake certificate lacks a verifiable certificate chain. Some browsers' default settings will not allow a user to bypass the resultant error message.

Not all fake certificates have fraudulent intentions, though. The KyoCast mod uses a similar wildcard certificate for *.google.com, allowing rooted Chromecast devices to intentionally send certain traffic to KyoCast servers instead of Google's. The fake certificate is issued by "Kyocast Root CA". Using the Subject Alternative Name extension, the certificate specifies a list of other hostnames for which the certificate should be considered valid:

Russia's second largest bank was seemingly targeted by the following certificate – note that the issuer details have also been forged, possibly in an attempt to exploit superficial validation of the certificate chain.

A similar technique is used in this certificate which impersonates a large Russian payment services provider. SecureTrust is part of Trustwave, a small but bona fide certificate authority.

GoDaddy's POP mail server is impersonated in the following certificate. In this case, the opportunities could be criminal (capturing mail credentials, issuing password resets, stealing sensitive data) or even state spying, although it is unexpected to see such a certificate being offered via a website. Although the actual intentions are unknown, it is worth noting that many mail clients allow certificate errors to be ignored either temporarily or permanently, and some users may be accustomed to dismissing such warnings.

Apple iTunes is currently the most popular phishing target after PayPal. In this example, the fake certificate has an issuer common name of "VeriSign Class 3 Secure Server CA - G2", which mimics legitimate common names in valid certificates; however, there is no certificate chain linking it back to VeriSign's root (so it is a forgery rather than a mis-issued certificate).

It is not always criminals who use fake certificates to intercept communications. As a final example, the following fake certificate for youtube.com was served from a machine in Pakistan, where there is a history of blocking access to YouTube. This certificate is probably part of an attempt to prevent citizens from watching videos on YouTube, as the website serves "This content is banned in Pakistan" when visited.

Netcraft's Mobile App Security Testing service provides a detailed security analysis of phone or tablet based apps. A key feature of this service is manual testing by experienced security professionals, which typically uncovers many more issues than automated tests alone. The service is designed to rigorously push the defences of not only the app itself, but also the servers it interacts with. It is suitable for commissioning, third party assurance, post-attack analysis, audit and regulatory purposes where independence and quality of service are important requirements.