Solaris sites curiously slow to upgrade

A couple of months ago we highlighted the low numbers of sites migrating to Apache/2.0, and contrasted it with the speed at which site administrators adopted Apache/1.3.26 which contained a fix for a potential buffer overflow problem. 

If anything, more surprising is the slow adoption of new versions of Sun's Solaris operating system. Solaris 9, released in May this year, is running on fewer than 1000 web site IP addresses found by the September survey, and there are roughly twice as many sites running Solaris 2 and Solaris 7 as are running Solaris 8, released in March 2000.

OS             IP Addresses
Solaris 2/7         165,527
Solaris 8            81,730
Solaris 9               987

Historically, slowness to gather upgrade revenue has usually been a portent of trouble to come for web technology vendors, and the figures coincide with Sun's difficulties generating revenue and profits over the last eighteen months. By contrast, Windows .Net Server, which is not yet scheduled for release, has almost as many IP addresses as Solaris 9, including some impressive, high volume sites, such as Nasdaq.

Sun would reasonably point out that their boxes typically cost a lot more, and the upgrade cycle for more expensive kit could be expected to be slower.

Crypto Regulations Cast Long Shadow

Recently, the strength of SSL key lengths has been the subject of heated debate in security circles, after Nicko van Someren disclosed that he is able to break 512-bit keys in around six weeks, using conventional office computers.

The analysis focuses on the key length used for the server's public key (the key which is used to prove the authenticity of the server to web browsers). The longer the key, the harder it is for an attacker to break the key - if this key is broken, it can compromise both past and future secure browsing sessions, and allow the attacker to impersonate the server. Most experts currently recommend a key length of at least 1024 bits as secure and some of the strongest debate has concerned the perceived safety of these 1024 bit keys.

However, a more timely aspect to the work is to highlight the number of SSL servers currently in use on the internet, and their geographical location.

Although US export restrictions on strong cryptography have been relaxed in recent years, data collected as part of our SSL Server Survey shows that US export legislation, together with local legislation restricting the use of cryptography in countries with repressive or eccentric administrations, still casts a shadow over the security of ecommerce years after the acts were repealed.

Country   Percentage of sites with short keys
USA       15.1%

Internet-wide, around 18% of SSL servers use potentially vulnerable key lengths. However, these tend to be concentrated in geographical areas outside the United States and its close trading partners. In the US, where over 60% of SSL sites are situated, and in Canada, only around 15% of sites are using short keys. In most European countries over 25% are still using short keys, and in France, which had laws restricting the use of cryptography until relatively recently, over 40% of sites are using short keys.
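A key-length check of the kind the survey figures above rest on, as an added example that is not part of the original article or the survey's own tooling: it reads an X.509 SubjectPublicKeyInfo in DER form with a minimal ASN.1 reader, extracts the RSA modulus, and labels anything below the 1024-bit figure recommended above as short. The small DER encoder, the sample moduli and all function names are my own constructions, included only so the script runs offline.

```python
# Added example, not from the original article: classify RSA key lengths
# from DER-encoded SubjectPublicKeyInfo blobs, as an SSL survey would.

RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV that starts at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _der(tag, payload):
    """Minimal DER encoder (tag + length + payload), used to build sample input."""
    n = len(payload)
    if n < 0x80:
        hdr = bytes([tag, n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        hdr = bytes([tag, 0x80 | len(lb)]) + lb
    return hdr + payload


def _der_int(value):
    """DER INTEGER; a leading zero keeps a high-bit-set modulus positive."""
    b = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return _der(0x02, b)


def build_rsa_spki(modulus, exponent=65537):
    """Constructed SubjectPublicKeyInfo for an RSA key (sample input only)."""
    rsa_pub = _der(0x30, _der_int(modulus) + _der_int(exponent))
    alg = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))  # OID + NULL params
    bitstr = _der(0x03, b"\x00" + rsa_pub)  # leading octet = unused bits
    return _der(0x30, alg + bitstr)


def rsa_modulus_bits(spki_der):
    """Return the RSA modulus size in bits, or None if the key is not RSA."""
    _, spki, _ = _read_tlv(spki_der, 0)
    _, alg, pos = _read_tlv(spki, 0)
    _, oid, _ = _read_tlv(alg, 0)
    if oid != RSA_OID:
        return None
    _, bitstr, _ = _read_tlv(spki, pos)
    _, rsa_pub, _ = _read_tlv(bitstr[1:], 0)  # skip the unused-bits octet
    _, modulus, _ = _read_tlv(rsa_pub, 0)
    return int.from_bytes(modulus, "big").bit_length()


def classify_key(bits):
    """Label a key length against the 1024-bit minimum the article cites."""
    if bits is None:
        return "non-rsa"
    return "short" if bits < 1024 else "adequate"


def short_key_percentage(spki_list):
    """Share of RSA keys in a sample that fall below 1024 bits."""
    sizes = [b for b in (rsa_modulus_bits(s) for s in spki_list) if b is not None]
    if not sizes:
        return 0.0
    short = sum(1 for b in sizes if classify_key(b) == "short")
    return 100.0 * short / len(sizes)


if __name__ == "__main__":
    # Constructed sample: one export-grade 512-bit key and one 1024-bit key.
    sample = [build_rsa_spki((1 << 511) | 1), build_rsa_spki((1 << 1023) | 1)]
    for spki in sample:
        bits = rsa_modulus_bits(spki)
        print(bits, classify_key(bits))
    print("short keys: %.1f%%" % short_key_percentage(sample))
```

In a real certificate the SubjectPublicKeyInfo sits inside the TBSCertificate sequence, so a survey tool would first walk down to it (or let a library do so) and then apply the same modulus check; the classification threshold is the only policy decision, and it should move upward as the debate around 1024-bit keys settles.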

US export regulations (described in detail by the crypto law survey) have had a discernible impact in slowing the use of strong cryptography outside the States. One reason export grade cryptography remains quite common is that the relative weakness of the server's choice of cryptography is not obvious to the end user, so there is little pressure to make the change. Browser developers are in a position to help change this, perhaps by displaying a graded indication of key length rather than the present lock symbol displayed on all SSL sessions regardless of strength.