24 of the 100 top HTTPS sites now safe from TLS renegotiation attacks

24 of the 100 most popular HTTPS websites appear to be safe from the recently documented TLS renegotiation flaws. Meanwhile, the other 76 sites are still vulnerable to renegotiation attacks, which allow a man-in-the-middle attacker to inject data into secure communication streams. To demonstrate the seriousness of the issue, Anil Kurmus published details of an attack scenario that showed how the flaw could be used to steal passwords from vulnerable sites such as Twitter.

Among the top 100 HTTPS websites, there are several banks and commerce companies that remain vulnerable. A few of these sites give the appearance of being intermittently vulnerable, as client requests are load balanced among a mixture of vulnerable and non-vulnerable machines.

Ben Laurie of Google was working on the renegotiation flaw around six weeks before it was made public, so it is perhaps unsurprising that 7 of the 24 safe sites are owned by Google. A further 7 sites are running Microsoft IIS 6.0, which is currently believed not to be vulnerable.

Since discovering the renegotiation problem, PhoneFactor has created a Status of Patches list, showing which vendors have already responded to the problem. A few were quick to act by disabling renegotiation support in their products, and some vendors have already implemented Eric Rescorla's proposed fix.
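For a defender checking which of their own servers have actually implemented the proposed fix, rather than merely disabling renegotiation, the tell-tale sign is whether the server's ServerHello carries the renegotiation_info signalling extension from Rescorla's draft. The following parser is an added example, not Netcraft's or PhoneFactor's code; it assumes the extension type 0xFF01 that the draft uses (later standardised as RFC 5746) and constructs its own sample ServerHello records so it runs offline.

```python
import struct

# Extension type of renegotiation_info, the signalling extension from Eric
# Rescorla's draft fix (assumed here; later standardised as RFC 5746).
RENEGOTIATION_INFO = 0xFF01


def build_server_hello(extensions=None):
    """Construct a minimal TLS 1.0 ServerHello record (sample data for this example).

    Zeroed random, empty session ID, cipher suite 0x002F, no compression.
    extensions is a list of (type, data) pairs, or None for a legacy server
    that sends no extension block at all.
    """
    body = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if extensions is not None:
        ext_bytes = b"".join(struct.pack("!HH", etype, len(data)) + data
                             for etype, data in extensions)
        body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello(record):
    """Parse one TLS record carrying a ServerHello.

    Returns (protocol_version, cipher_suite, extensions), where extensions maps
    extension type -> raw extension data. Malformed input raises ValueError
    instead of being guessed at, which is what a probe tool should do.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("truncated record or not a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated handshake message")

    def take(n):
        # Bounds-checked cursor over the ServerHello body.
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("ServerHello body too short")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    pos = 0
    version = take(2)
    take(32)                      # server random
    take(take(1)[0])              # session ID (length-prefixed)
    cipher_suite = take(2)
    take(1)                       # compression method
    extensions = {}
    if pos < len(body):           # the extension block is optional
        (ext_len,) = struct.unpack("!H", take(2))
        if pos + ext_len != len(body):
            raise ValueError("extension block length mismatch")
        while pos < len(body):
            etype, elen = struct.unpack("!HH", take(4))
            extensions[etype] = take(elen)
    return version, cipher_suite, extensions


def supports_secure_renegotiation(record):
    """True if the server signalled renegotiation_info, i.e. it implements the fix."""
    _, _, extensions = parse_server_hello(record)
    return RENEGOTIATION_INFO in extensions


if __name__ == "__main__":
    patched = build_server_hello([(RENEGOTIATION_INFO, b"\x00")])
    legacy = build_server_hello(None)
    print("patched server signals fix:", supports_secure_renegotiation(patched))
    print("legacy server signals fix:", supports_secure_renegotiation(legacy))
```

Absence of the extension does not by itself mean a host is exploitable: a vendor that simply disabled renegotiation, as several on PhoneFactor's list did, sends no extension either, so the parser distinguishes "fix implemented" from "fix not signalled", and the latter still needs a renegotiation attempt to classify. In an initial handshake the extension's data is a single zero length byte, which is why the sample patched record carries b"\x00".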

Netcraft's November SSL Survey found 1,217,395 distinct valid third-party SSL certificates in use on the web.

November 2009 Web Server Survey

In the November 2009 survey we received responses from 233,636,281 sites.

The largest share growth comes from nginx, with a 1.1 million increase again this month bringing its total up to 15 million. Over the past three months the number of sites running nginx has increased by 3.5 million, matching Apache for growth and far surpassing Microsoft's 200k increase.

This month, Subversion, the open source version control system, formally submitted itself to The Apache Software Foundation's Incubator. Each project makes substantial use of the other: Subversion uses Apache to make repositories available over the WebDAV/DeltaV protocol, while Apache uses Subversion to version its source code.

[Graph: Total Sites Across All Domains, August 1995 - November 2009]

[Graph: Market share for top servers across all domains, August 1995 - November 2009]

[Table: Top Developers (developer, October 2009 share, November 2009 share, change); figures not reproduced in this extract]


Most Reliable Hosting Company Sites in October 2009

Rank  Company site        OS                   Outage (hh:mm:ss)  Failed Req (%)  DNS    Connect  First byte  Total
1     www.singlehop.com   Linux                                   0.000           0.817  0.043    0.090       0.344
2     www.acens.com       Linux                                   0.000           0.257  0.074    0.330       0.566
3     INetU               unknown              0:00:00            0.005           0.368  0.028    0.064       0.123
4     Server Intellect    Windows Server 2008  0:00:00            0.005           0.602  0.045    0.095       0.190
5     One.com             Linux                0:00:00            0.005           0.133  0.098    0.196       0.196
6     ServInt             Linux                0:00:00            0.010           0.614  0.020    0.050       0.096
7     iWeb Technologies   Linux                0:00:00            0.010           0.138  0.045    0.090       0.090
8     New York Internet   FreeBSD              0:00:00            0.014           0.308  0.029    0.064       0.149
9     Verio               Linux                0:00:00            0.014           0.655  0.075    0.150       0.150
10    Virtual Internet    Linux                0:00:00            0.014           0.662  0.084    0.237       0.493


For October, SingleHop and Acens had the most reliable hosting company sites.

SingleHop, who in October went skydiving to celebrate a 19.5% revenue increase over the second quarter of 2009, came joint first by responding to all of Netcraft's requests. SingleHop's main site runs PHP and uses Apache on Linux.

Acens joined SingleHop at the top of the table in October. This is the second time Acens has been in the top spot this year, the other being in March. Acens is a Spanish hosting company that was set up in 1997. Like SingleHop's, Acens' website is powered by PHP on an Apache server running Linux.

INetU narrowly missed out on first place this time, but has been in the top ten for nine out of ten months this year. INetU's homepage is powered by PHP and runs on Apache. Of October's top ten most reliable hosting companies, seven run their websites on Linux, one on Windows Server 2008 and one on FreeBSD.

Netcraft measures and makes available the response times of fifty leading hosting providers' sites. The performance measurements are made at fifteen-minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24-hour period.

From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as it gives a pointer to the reliability of routing; this is why we choose to rank our table by fewest failed requests rather than by shortest periods of outage.

Further information on the measurement process and current measurements are available.