www.microsoft.com Completes Move to Microsoft-IIS/7.5

Microsoft is now running Microsoft-IIS/7.5 on its main website www.microsoft.com. IIS 7.5 is part of Windows Server 2008 R2, which is currently in beta testing.

The changeover appears to have started around the 8th January, when www.microsoft.com began responding sometimes with Microsoft-IIS/7.5, but with many requests still being served by 7.0. Now the transition appears to be complete, with all requests now being handled by version 7.5.

Microsoft has consistently upgraded www.microsoft.com to new versions of its web server platform ahead of their actual release, as a demonstration of confidence in the new version. It upgraded to the original Windows Server 2008 in June 2007, eight months before that operating system's final release in February 2008. www.microsoft.com is one of the very first sites to use Microsoft-IIS/7.5; Netcraft sees only 28 websites running Microsoft-IIS/7.5 in the February web server survey, of which the only significant sites were at Microsoft.

Continue reading

January 2009 Web Server Survey

In the January 2009 survey we received responses from 185,497,213 sites, reflecting an uncharacteristic monthly loss of 1.23 million sites.

Apache's market share grew by more than 1 percentage point this month, extending its lead over Microsoft IIS, which has fallen to less than a third of the market. In total, Apache gained 1.27 million sites this month.

Microsoft showed the largest loss this month, after more than 2 million blogging sites running on Microsoft-IIS expired from the survey.

GFE, which is primarily used by Google's Blogger service to publish blogs under the blogspot.com domain, lost nearly 600 thousand sites, while nginx continues to grow and increases its market share to 1.87%.

Further down the field, the number of sites hosted on httpd and WebserverX both increased by more than 20%. Both web servers take a relatively small share of the market, however, with httpd growing to 236 thousand sites and WebserverX growing to 154 thousand.

[Graph: Total Sites Across All Domains, August 1995 - January 2009]

[Graph: Market share for top servers across all domains, August 1995 - January 2009]

Top Developers
Developer | Dec-08 | Share | Jan-09 | Share | Change
Apache | 95,678,052 | 51.24% | 96,947,298 | 52.26% | 1.02%
Microsoft | 63,126,940 | 33.81% | 61,038,371 | 32.91% | -0.90%
Google | 10,455,103 | 5.60% | 9,868,819 | 5.32% | -0.28%
nginx | 3,354,329 | 1.80% | 3,462,551 | 1.87% | 0.07%
lighttpd | 3,046,333 | 1.63% | 2,989,416 | 1.61% | -0.02%

Continue reading

Widespread vulnerabilities found in programs which use OpenSSL

New vulnerabilities were discovered yesterday in multiple programs using OpenSSL, one of the standard cryptography libraries on Linux and Unix systems. Because of a common mistake in checking the return value of the functions that verify digital signatures, several programs may accept spoofed digital signatures.

The most important affected program is ISC BIND, the most widely used DNS server on the internet. A flaw in its validation of signatures on DNSSEC replies means that the server may be vulnerable to DNS spoofing attacks even where DNSSEC is in use. ISC released BIND 9.6.0-P1 this morning to fix this bug.
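The mistake behind this advisory is a three-valued return code (1 verified, 0 not verified, -1 error) being tested as if it were a boolean, so that the error path counts as success. The C program below is an added illustration, not code from the page, from OpenSSL or from BIND: it models that return convention with a constructed keyed checksum standing in for a real signature scheme (toy_sign, toy_verify, the shared key and the sample record are all made up for the example) and runs a valid, a tampered and a malformed input through both the mistaken check and the correct one.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return convention modelled here (the one OpenSSL's EVP_VerifyFinal() and
 * related verify calls use): 1 = signature verifies, 0 = well-formed but
 * does not match, -1 = an error occurred before any comparison was made. */
#define SIG_OK     1
#define SIG_BAD    0
#define SIG_ERROR -1
#define SIG_LEN    4

/* Constructed keyed tag (FNV-1a over key || message). This is NOT a real
 * signature scheme; it exists only so all three return paths can be hit. */
static uint32_t fnv1a(const uint8_t *data, size_t len, uint32_t h) {
    for (size_t i = 0; i < len; i++) { h ^= data[i]; h *= 16777619u; }
    return h;
}

void toy_sign(const uint8_t *msg, size_t msg_len,
              const uint8_t *key, size_t key_len, uint8_t out[SIG_LEN]) {
    uint32_t h = fnv1a(msg, msg_len, fnv1a(key, key_len, 2166136261u));
    out[0] = (uint8_t)(h >> 24); out[1] = (uint8_t)(h >> 16);
    out[2] = (uint8_t)(h >> 8);  out[3] = (uint8_t)h;
}

int toy_verify(const uint8_t *msg, size_t msg_len, const uint8_t *sig, size_t sig_len,
               const uint8_t *key, size_t key_len) {
    uint8_t expect[SIG_LEN];
    /* Malformed input: report an error, not a mismatch. */
    if (msg == NULL || sig == NULL || key == NULL || sig_len != SIG_LEN) return SIG_ERROR;
    toy_sign(msg, msg_len, key, key_len, expect);
    return memcmp(expect, sig, SIG_LEN) == 0 ? SIG_OK : SIG_BAD;
}

/* The mistake the advisory describes: "anything but 0 is success", which
 * silently turns the -1 error path into an accepted signature. */
int accept_vulnerable(int ret) { return ret != 0; }

/* Correct handling: only the documented success value is success. */
int accept_correct(int ret) { return ret == SIG_OK; }

enum { SCEN_VALID = 0, SCEN_TAMPERED = 1, SCEN_MALFORMED = 2 };

/* Runs one scenario through either acceptance check; returns 1 if the
 * message would be accepted as authentic, 0 if it would be rejected. */
int run_scenario(int scenario, int use_correct_check) {
    static const uint8_t key[] = "constructed-shared-secret";  /* made up */
    uint8_t msg[] = "example.org. IN A 192.0.2.1";              /* constructed record */
    uint8_t sig[SIG_LEN];
    size_t sig_len = SIG_LEN;
    toy_sign(msg, sizeof msg - 1, key, sizeof key - 1, sig);
    if (scenario == SCEN_TAMPERED)  msg[sizeof msg - 2] = '2';  /* record altered after signing */
    if (scenario == SCEN_MALFORMED) sig_len = SIG_LEN - 1;      /* truncated signature: error path */
    int ret = toy_verify(msg, sizeof msg - 1, sig, sig_len, key, sizeof key - 1);
    return use_correct_check ? accept_correct(ret) : accept_vulnerable(ret);
}

int main(void) {
    const char *names[] = { "valid", "tampered", "malformed" };
    for (int s = SCEN_VALID; s <= SCEN_MALFORMED; s++)
        printf("%-9s vulnerable check accepts=%d  correct check accepts=%d\n",
               names[s], run_scenario(s, 0), run_scenario(s, 1));
    return 0;
}
```

The malformed case is the one that matters: the verify call never compares anything and reports -1, which accept_vulnerable reads as "not zero, therefore fine". The fix is to compare against the documented success value rather than against zero, and to treat -1 as a hard failure worth logging, since it means the input never reached the signature check at all.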

Continue reading

New Incentives for Phishing Site Reporters

As of 1st January 2009, the Netcraft Toolbar community has blocked 1.9 million phishing attacks. To provide an incentive for the community to send us reports of phishing sites, reporters now receive the following goodies from Netcraft:

  • Netcraft Mug (after 100 validated phishing reports)
  • Netcraft Polo Shirt (after 400)
  • Targus Laptop Backpack (after 1,000)
  • Top of the range iPod (after 4,000)

To report phishing sites to us, use the form at http://toolbar.netcraft.com/report_url

Upon reaching 4,000 you become eligible for a monthly competition to incentivise large reporters.

To track the progress, we have a leaderboard displaying the people with the largest number of accepted reports so far this month, identified by their first names to preserve their anonymity.

The Netcraft Toolbar, which is available for both Internet Explorer and Firefox, serves as a giant neighbourhood watch scheme for the Internet: members who encounter a phishing fraud can act to defend the larger community of users against the attack. Once the first recipients of a phishing mail have reported the target URL, it is blocked for toolbar users who subsequently access it; the more widely an attack is disseminated, the sooner it is reported and blocked.

Looking back at 2008, Netcraft has seen phishing attacks evolve, with fraudsters using progressively sneakier tactics:

  • October 2008 saw an attack against Yahoo! which was used to steal authentication cookies from its users. The cross-site scripting vulnerability on Yahoo!'s own website allowed the fraudster to steal the details simply as a result of a victim visiting the page.
  • The two-edged nature of how browsers present Extended Validation (EV) SSL certificates was highlighted after a cross-site scripting vulnerability was demonstrated on paypal.com. This flaw would have allowed hackers to carry out highly plausible attacks, adding their own content to the site and stealing credentials from users.
  • Phishers branched out into telephone phishing. Victims were asked to phone a toll free number to reactivate their card.
  • Fraudsters found a cross-site scripting vulnerability on an Italian bank's website. This was used to orchestrate an attack against the bank, using its own HTTPS website URL.
  • Backdoored phishing kits have been deployed by criminal programmers wishing to reduce their workload by getting novice fraudsters to deploy the kits onto websites and send the phishing emails. Netcraft later reported a large range of different phishing kits being offered by the same group.

New York Internet and WestHost are the Most Reliable Hosting Companies in December 2008

Rank | Company site | OS | Outage (hh:mm:ss) | Failed Req% | DNS | Connect | First byte | Total
1 | New York Internet | FreeBSD | 0:00:00 | 0.014 | 0.011 | 0.039 | 0.080 | 0.212
2 | www.westhost.com | Linux | 0:00:00 | 0.014 | 0.001 | 0.058 | 0.119 | 0.238
3 | Hosting 4 Less | Linux | 0:00:00 | 0.019 | 0.056 | 0.060 | 0.124 | 0.249
4 | www.green.ch | F5 Big-IP | 0:00:00 | 0.019 | 0.202 | 0.128 | 0.331 | 0.713
5 | www.easynet.net | Windows Server 2003 | 0:00:00 | 0.024 | 0.002 | 0.108 | 0.215 | 0.215
6 | Swishmail | FreeBSD | 0:00:00 | 0.029 | 0.001 | 0.040 | 0.080 | 0.206
7 | www.he.net | Linux | 0:00:00 | 0.029 | 0.002 | 0.041 | 0.087 | 0.128
8 | webhosting.tiscali.it | Linux | 0:00:00 | 0.029 | 0.009 | 0.103 | 0.207 | 0.415
9 | www.webair.com | FreeBSD | 0:00:00 | 0.034 | 0.078 | 0.046 | 0.106 | 0.303
10 | www.memset.com | Linux | 0:00:00 | 0.034 | 0.085 | 0.087 | 0.174 | 0.174

DNS, Connect, First byte and Total are response times in seconds.

See full table

New York Internet and WestHost are the most reliable hosting company sites for December 2008. New York Internet sees its third consecutive appearance in the top ten, while WestHost becomes the most reliable hosting company for the second month in a row.

Established in 1996, New York Internet is located in the heart of the Wall Street area and owns and maintains its own data centers. The company's core services include dedicated servers, colocation and virtual web hosting. New York Internet uses Apache on FreeBSD to host its own site.

WestHost uses Linux for its main site and hosts more than 70,000 other websites. Its services include shared web hosting, dedicated servers, reseller hosting and domain name registration. WestHost's data center is SAS 70 Type II certified and constructed from nine base isolation units bolted on top of a 3.5ft reinforced mat footing, which helps to absorb shock during earthquakes.

In total, half of December's top ten hosting companies use Linux for their main company site, while three use FreeBSD. green.ch uses the F5 BIG-IP device and Easynet uses Windows Server 2003.

Continue reading

14% of SSL Certificates signed using Vulnerable MD5 Algorithm

Netcraft's SSL Survey shows that 14% of valid third party SSL certificates have been issued using MD5 signatures, an algorithm whose weakness was recently demonstrated in practice: researchers produced a fake certificate authority certificate signed by a widely-trusted third party certificate authority.

The researchers achieved this by producing a hash collision: they submitted valid certificate requests to a certificate authority (CA) while constructing a second certificate that had the same MD5 hash, and therefore the same signature, but entirely different details. When the CA signed the valid certificate, the signature was equally valid for the forged certificate, allowing the researchers to spoof any secure website they liked. This is the first practical use against SSL of the already-known collision attacks on the MD5 hash algorithm.

Netcraft's December 2008 SSL Survey found 135,000 valid third party certificates using MD5 signatures on public web sites, around 14% of the total number of valid SSL certificates in use. The great majority are certificates from RapidSSL (shown as Equifax on the certificate). As of Netcraft's December survey, all of the 128,000 RapidSSL certificates in use on public sites were signed with MD5; some much smaller CAs still use MD5, and there are a small number of MD5-signed certificates from Thawte and VeriSign, although most of their certificates are signed with the more secure SHA1. Other CAs use only SHA1.

Verisign (owners of RapidSSL since 2006) have stated that they have stopped using MD5-signing for RapidSSL certificates, and will have phased out MD5-signing across all their certificate products by the end of January 2009. Other affected CAs are likely to follow suit, as SHA1 is well established and is already in use for the majority of SSL certificate signing, so it should be simple to switch to using this more secure alternative. Once it is impossible to obtain new certificates signed with MD5, this attack will be neutralised.
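A practical follow-up to the survey finding is to check which signature algorithm the certificates you operate, or the chains your clients trust, were actually signed with. The C program below is an added example, not Netcraft's survey code and not from any CA: it reads the outer signatureAlgorithm OID of a DER-encoded X.509 certificate with a minimal TLV parser and flags md5WithRSAEncryption. No real certificate is embedded, so make_fake_cert assembles a constructed stand-in with the same outer structure; the OID byte strings are the standard DER encodings of 1.2.840.113549.1.1.4 (MD5 with RSA) and 1.2.840.113549.1.1.5 (SHA1 with RSA).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* DER encodings of the two signature-algorithm OIDs the survey contrasts. */
const uint8_t OID_MD5_RSA[]  = { 0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x04 }; /* md5WithRSAEncryption  */
const uint8_t OID_SHA1_RSA[] = { 0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05 }; /* sha1WithRSAEncryption */

/* Minimal DER TLV reader: sets tag, content pointer and content length and
 * returns the offset just past the element, or 0 if the input is malformed. */
static size_t der_read(const uint8_t *buf, size_t buf_len, size_t pos,
                       uint8_t *tag, const uint8_t **val, size_t *len) {
    if (pos + 2 > buf_len) return 0;
    size_t l = buf[pos + 1], hdr = 2;
    if (l & 0x80) {                                   /* long form: n length bytes follow */
        size_t n = l & 0x7f;
        if (n == 0 || n > sizeof(size_t) || pos + 2 + n > buf_len) return 0;
        l = 0;
        for (size_t i = 0; i < n; i++) l = (l << 8) | buf[pos + 2 + i];
        hdr += n;
    }
    if (l > buf_len - pos - hdr) return 0;           /* content would run past the buffer */
    *tag = buf[pos]; *val = buf + pos + hdr; *len = l;
    return pos + hdr + l;
}

/* Decode an OBJECT IDENTIFIER body to dotted notation; 0 on success, -1 on error. */
static int der_oid_to_string(const uint8_t *oid, size_t len, char *out, size_t out_len) {
    if (len == 0) return -1;
    int n = snprintf(out, out_len, "%u.%u", (unsigned)(oid[0] / 40), (unsigned)(oid[0] % 40));
    if (n < 0 || (size_t)n >= out_len) return -1;
    uint64_t arc = 0; int pending = 0;
    for (size_t i = 1; i < len; i++) {                /* base-128, high bit = more bytes follow */
        arc = (arc << 7) | (oid[i] & 0x7f);
        pending = oid[i] & 0x80;
        if (!pending) {
            int m = snprintf(out + n, out_len - (size_t)n, ".%llu", (unsigned long long)arc);
            if (m < 0 || (size_t)m >= out_len - (size_t)n) return -1;
            n += m; arc = 0;
        }
    }
    return pending ? -1 : 0;                          /* dangling continuation byte */
}

/* Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
 * signatureAlgorithm ::= SEQUENCE { algorithm OID, parameters OPTIONAL }
 * Writes the outer signature OID in dotted form; 0 on success, -1 if malformed. */
int cert_signature_oid(const uint8_t *der, size_t der_len, char *oid_out, size_t out_len) {
    uint8_t tag; const uint8_t *cert, *tbs, *algid, *oid;
    size_t cert_len, tbs_len, algid_len, oid_len, pos;
    if (!der_read(der, der_len, 0, &tag, &cert, &cert_len) || tag != 0x30) return -1;
    pos = der_read(cert, cert_len, 0, &tag, &tbs, &tbs_len);            /* tbsCertificate: skipped */
    if (!pos || tag != 0x30) return -1;
    if (!der_read(cert, cert_len, pos, &tag, &algid, &algid_len) || tag != 0x30) return -1;
    if (!der_read(algid, algid_len, 0, &tag, &oid, &oid_len) || tag != 0x06) return -1;
    return der_oid_to_string(oid, oid_len, oid_out, out_len);
}

/* 1 if the certificate is MD5-signed, 0 if not, -1 if it cannot be parsed. */
int cert_uses_md5(const uint8_t *der, size_t der_len) {
    char oid[80];
    if (cert_signature_oid(der, der_len, oid, sizeof oid) != 0) return -1;
    return strcmp(oid, "1.2.840.113549.1.1.4") == 0;
}

/* Short-form DER writer; lengths under 128 suffice for the constructed input. */
static size_t der_put(uint8_t *out, uint8_t tag, const uint8_t *content, size_t len) {
    out[0] = tag; out[1] = (uint8_t)len;
    memcpy(out + 2, content, len);
    return 2 + len;
}

/* Constructed stand-in, NOT a real certificate: a placeholder tbsCertificate,
 * the given signature OID with NULL parameters, and an empty signature, in
 * the same outer layout as a real X.509 certificate. Returns bytes written. */
size_t make_fake_cert(uint8_t *out, const uint8_t *sig_oid, size_t oid_len) {
    static const uint8_t version[] = { 0x02, 0x01, 0x01 };   /* INTEGER 1 placeholder */
    static const uint8_t null_param[] = { 0x05, 0x00 };
    static const uint8_t no_sig[] = { 0x00 };
    uint8_t tmp[32], body[96]; size_t k, n = 0;
    n += der_put(body + n, 0x30, version, sizeof version);
    k  = der_put(tmp, 0x06, sig_oid, oid_len);
    memcpy(tmp + k, null_param, sizeof null_param); k += sizeof null_param;
    n += der_put(body + n, 0x30, tmp, k);
    n += der_put(body + n, 0x03, no_sig, sizeof no_sig);
    return der_put(out, 0x30, body, n);
}

/* Build a constructed certificate carrying this OID and classify it. */
int fake_cert_uses_md5(const uint8_t *sig_oid, size_t oid_len) {
    uint8_t cert[128];
    size_t n = make_fake_cert(cert, sig_oid, oid_len);
    return cert_uses_md5(cert, n);
}

int main(void) {
    printf("md5WithRSA  -> uses_md5=%d\n", fake_cert_uses_md5(OID_MD5_RSA, sizeof OID_MD5_RSA));
    printf("sha1WithRSA -> uses_md5=%d\n", fake_cert_uses_md5(OID_SHA1_RSA, sizeof OID_SHA1_RSA));
    return 0;
}
```

On a real certificate (`openssl x509 -outform DER` produces one), pass the whole DER blob to cert_uses_md5: the parser skips tbsCertificate and reads the AlgorithmIdentifier that follows it, which is the signature the issuer actually applied. Each certificate's outer signature is its issuer's, so walking a chain and checking every certificate below the self-signed root tells you whether any MD5 issuance is involved; an unparseable input returns -1 rather than a silent 0, for the same reason the OpenSSL advisory above matters.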

Continue reading