Top Developers
| Developer | October 2001 | Percent | November 2001 | Percent | Change |
|---|---:|---:|---:|---:|---:|
| Apache | 18851352 | 56.89 | 20713781 | 56.81 | -0.08 |
| Microsoft | 9607363 | 28.99 | 10844419 | 29.74 | 0.75 |
| iPlanet | 1278720 | 3.86 | 1310502 | 3.59 | -0.27 |
| Zeus | 775438 | 2.34 | 800661 | 2.20 | -0.14 |
Active Sites
| Developer | October 2001 | Percent | November 2001 | Percent | Change |
|---|---:|---:|---:|---:|---:|
| Apache | 7781145 | 61.36 | 7750275 | 61.88 | 0.52 |
| Microsoft | 3612310 | 28.49 | 3307207 | 26.40 | -2.09 |
| iPlanet | 249418 | 1.97 | 431935 | 3.45 | 1.48 |
| Zeus | 171023 | 1.35 | 174052 | 1.39 | 0.04 |
Around the Net
Unusually, the number of active sites running on Solaris and Netscape-Enterprise rose this month, primarily because a Network Solutions domain parking system extended its facilities to include simple, small HTML sites as part of the parking service. Network Solutions is by far iPlanet's largest installation in terms of numbers of hostnames, and the iPlanet active site numbers would fall considerably if they were persuaded to switch. Earlier in the year Network Solutions switched part of their hosting operations to Windows 2000.
By contrast, the principal reason for the fall in active Microsoft-IIS sites this month was the change in business model at Homestead, a large hoster of free shared sites, which last month revoked access to many of its users' free sites in the hope that they might pay to regain access to their site content.
Security of some high profile JSP sites in question
Over the last couple of months we reviewed Microsoft-IIS based ecommerce sites and the significant improvement in their security prompted by the combination of Code Red and Microsoft's first cumulative patch. A reasonable interpretation of the significant fall in the number of vulnerable Microsoft-IIS sites tested by Netcraft is that Code Red was so disruptive that sites could ignore security no longer, and the cumulative patch gave them a convenient solution whereby addressing the Code Red problem solved several other standard vulnerabilities as well.
One technology that is yet to have this kind of stimulus towards security is JavaServer Pages (JSP). Although not widely deployed by rank and file sites, JSP is quite a common technology on ecommerce sites that prefer a Sun based solution to the Microsoft platform. Often, users of JSP technology have invested very significant sums in their sites, and their sites often provide core stockbroking, banking, retail, ticketing and ecommerce services to the internet community, where large sums of money can change hands.
On these sites identity theft is a very serious issue, enabling an attacker to, for example, buy goods or transfer money, using the identity and account information of another customer of the site.
In November 2000, Netcraft reported a vulnerability in session IDs generated by a variety of Java Application Servers based on Sun’s reference implementation of the Java Servlet Developers Kit (JSDK 2.0), including Java Web Server (JWS) from V1.1, IBM WebSphere and ATG Dynamo e-Business Platform. Typically with these systems, each user connecting to the site is issued with a unique session ID, which is then used to identify all subsequent requests made by that user, either encoded in the URLs, or as a cookie. The server can then store data for each user session, for instance the state of a web shopping cart. Session IDs are also often used to control access to sites requiring a login; instead of sending the username/password with every request, the site issues a session ID after the user logs on, which identifies the user for the rest of the session.
The attack demonstrates a way for a person to hijack another customer's session and complete transactions as if they were that person. Session handling is fundamental to ecommerce systems, and one might have expected that the advisory would be quickly acted on. Remarkably, a year on from the advisory, there are well over a thousand transactional sites on the internet still using predictable session IDs, including several very high profile ones.
If you are using a JSP based system and are not confident that your session IDs are unpredictable, study the advisory, and if you are still not confident, we would be pleased to answer questions.
Netcraft also released an advisory in conjunction with Macromedia earlier this week concerning the JRun product, which can be induced to reveal the source code of JavaServer Pages in some circumstances.
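As an added self-check (not part of the original Netcraft article or its advisory), the script below runs a sample of session IDs issued to your own test sessions through two defender-side tests: does the sequence step forward like a counter, and does the character-level entropy fall short of a minimum bit budget? The weak sample is constructed to mimic a counter-style generator; the hypothetical `strong_sample` helper draws from a CSPRNG as a session layer should.

```python
import math
import secrets
from collections import Counter


def entropy_per_char(ids):
    """Shannon entropy (bits) per character, measured over the whole sample."""
    counts = Counter("".join(ids))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def looks_sequential(ids, base=16, max_step=1_000_000):
    """True if the IDs parse as integers that only ever step forward by a small amount,
    the signature of a counter- or clock-derived generator."""
    try:
        values = [int(s, base) for s in ids]
    except ValueError:
        return False  # not numeric in this base; cannot judge by stepping
    steps = [b - a for a, b in zip(values, values[1:])]
    return bool(steps) and all(0 < s <= max_step for s in steps)


def assess_session_ids(ids, min_bits=64):
    """Flag a sample as predictable when it is sequential or carries too little entropy.
    estimated_bits = per-character entropy times the shortest ID length."""
    bits = entropy_per_char(ids) * min(len(s) for s in ids)
    seq = looks_sequential(ids)
    return {"sequential": seq,
            "estimated_bits": round(bits, 1),
            "predictable": seq or bits < min_bits}


# Constructed weak sample: twelve hex digits built from a base value plus a small counter.
WEAK_IDS = [f"{0x3B9ACA00 + 3 * i:012x}" for i in range(10)]


def strong_sample(n=20):
    """Hypothetical good generator: 128 random bits per ID from the OS CSPRNG."""
    return [secrets.token_hex(16) for _ in range(n)]


if __name__ == "__main__":
    print("weak:  ", assess_session_ids(WEAK_IDS))
    print("strong:", assess_session_ids(strong_sample()))
```

A low score proves weakness, but a high score does not prove strength: a seeded pseudo-random generator can produce IDs with full character entropy that are still reproducible by anyone who recovers the seed, so treat this as a smoke test, not a substitute for a CSPRNG-backed session layer.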
Her Majesty replaces Linux
Two years ago the Queen of England became an unlikely icon for the Linux revolution when her webmaster replaced Solaris as the platform for the Royal Family’s site, citing the better price/performance of the Dell/Linux platform over the previous incumbent, Sun/Solaris. The open source community celebrated and speculated on when the Apache web server might receive the “By Royal Appointment” moniker. This week the site has changed platforms again, this time to Microsoft-IIS.
The Queen launched the updated site yesterday, remarking that the new site took advantage of changes in internet technology, including Flash and DHTML, but so far as we can tell, made no comments about the relative merits of the underlying platforms.
Buckingham Palace told Netcraft that the site's new designers were responsible for the decision to change platforms. The Palace have thoughtfully provided a contact information page for people with questions about the site, as there is sure to be a lot of interest in the change at what has been an icon of Linux's progress into the establishment and a Red Hat reference site.
Exodus sold to Cable & Wireless
Today, Exodus was sold to Cable & Wireless for a total of around $850M. The sale cannot have come a moment too soon for creditors, as around 20% of Exodus' customers have departed since the company entered Chapter 11 during the summer.