Extended Validation SSL Certificates 2 Years Old

Two years after their first appearance in the Netcraft SSL Survey, there are now more than 11 thousand Extended Validation (EV) SSL certificates in use on the Web. Despite enjoying two years of continued growth, EV SSL certificates still only make up around 1% of all SSL certificates in use on the Internet.

Nearly all modern browsers now support EV SSL certificates by colouring all or part of the address bar in green.

EV SSL Growth - 2 Years

The proportion of EV SSL certificates rises considerably amongst the world's busiest websites, as shown by Netcraft's top 1 million sites dataset. In general, it seems, the more traffic an SSL site has, the more likely it is to use an EV certificate, and in particular, more than a quarter of the SSL certificates within the top 1,000 sites have extended validation.

Population SSL Certificates EV SSL Certificates EV SSL Share
All Sites 1,028,868 11,300 1.1%
Top 1,000,000 45,851 2,662 5.8%
Top 100,000 7,012 710 10.1%
Top 10,000 712 115 16.2%
Top 1,000 60 17 28.3%

February 2009 Web Server Survey

In the February 2009 survey we received responses from 215,675,903 sites. This reflects a phenomenal monthly gain of more than 30 million sites, bringing the total up by more than 16%.

This majority of this month's growth is down to the appearance of 20 million Chinese sites served by QZHTTP. This web server is used by QQ to serve millions of Qzone sites beneath the qq.com domain.

QQ is already well known for providing the most widely used instant messenger client in China, but this month's inclusion of the Qzone blogging service instantly makes the company the largest blog site provider in the survey, surpassing the likes of Windows Live Spaces, Blogger and MySpace.

QQ's growth should not overshadow this month's other significant event: Apache has gained 7.8 million sites, making it the first vendor to be used by more than 100 million websites.

Microsoft-IIS gained 1.9 million sites, much of which came from Microsoft's own Windows Live Spaces service.

Total Sites Across All Domains August 1995 - February 2009

Total Sites Across All Domains, August 1995 - February 2009

Graph of market share for top servers across all domains, August 1995 - February 2009

Top Developers
DeveloperJanuary 2009PercentFebruary 2009PercentChange

Continue reading

New Phishing Attacks Combine Wildcard DNS and XSS

A new wave of phishing attacks against eBay is exploiting a clever combination of wildcard DNS records and cross-site scripting (XSS) vulnerabilities to use other people's websites to help steal credentials from victims.

The first attacks using this combined method of wildcard DNS records and XSS were detected by Netcraft on February 10th, although the source code behind the attacks suggest that the planning had begun a day earlier. The attacks have continued to the present day, and the fraudulent eBay login form remains accessible through the wildcard domains.

Fraudsters launched the attack using a number of sites that host vulnerable versions of iRedirector Subdomain Edition. This PHP and MySQL based system allows website owners to use wildcard DNS records on their domains to forward subdomains like http://user.example.com to URLs like http://www.example.com/members/~username.

A cross-site scripting vulnerability on the affected iRedirector sites is allowing the fraudsters to inject framesets into specific pages. These framesets load content from one of the fraudsters' websites hosted in France at http://df0x.54.pl, which in turn loads an iframe located at http://0xdc4bdd88:88/ws/eBayISAPI.dll/. This injected iframe presents a fraudulent eBay login page, which prompts the victim to submit their eBay User ID and Password to a site hosted by Sudokwonkangnambonbujang in South Korea.

Because the vulnerable sites can be accessed via wildcard DNS records, the fraudsters have made the attacks look all the more convincing by making the hostnames look similar to those used by the genuine eBay login page. For example, the attack has used many hostnames that are similar to this:


The hostnames used in these attacks also contain a seemingly random string of hexadecimal digits. These are simply MD5 hashes of small integers. It is likely that this semi-random measure is being used to try and bypass simplistic firewalls or email filters, which may not recognise fraudulent URLs if part of the hostname changes.

The unobtrusive methods used in the current wave of attacks have obvious appeal to fraudsters — the wildcard DNS records mean that it's easy to use arbitrary hostnames for each attack, allowing each vulnerable site to be convincingly used for many different targets. Furthermore, there is no need for the fraudsters to fully compromise a website, as the cross-site scripting vulnerability allows the fraudulent content to be placed on the sites without gaining internal access to the server. Finally, all it takes is a simple Google search to find additional sites with the same vulnerabilities. The combination of these factors makes it entirely feasible to automate the whole process.

Most Reliable Hosting Company Sites in January 2009


Aplus.net, New York Internet, and ZeroLag Communications were the most reliable hosting company sites during January 2009. These sites responded to all of the requests made by Netcraft's performance collectors throughout the month, with no failed requests.

Aplus.net was founded in 1992 as Abacus America, Inc., and began offering Internet services in 1995 and hosting services in 1998. Aplus' web site states that they have 250 employees, over 100,000 customers and 6,000 dedicated server customers. They run Apache on FreeBSD, and last made the top spot in June 2008.

New York Internet also runs Apache on FreeBSD site, and was also tied for first last month.

ZeroLag Communications is a Los Angeles-based company that offers high performance virtual hosting, fully managed dedicated servers and colocation, as well as T1 and T3 internet connections, web development services and security consulting. Their corporate site runs lighttpd, and they were joint first in September 2008.

Freely available operating systems dominate the top ten this month with four sites each running FreeBSD and Linux.

Continue reading

One Million SSL Sites on the Web

The number of SSL certificates found by Netcraft's SSL Survey that are within their validity period, have a common name that matches the hostname and are issued by a widely trusted third party, has now exceeded one million.


Netcraft's first SSL Survey in November 1996 found a total of only 3,283 certificates around the globe. It took nearly a year for this total to grow to ten thousand, and it wasn't until August 2000 that the total exceeded a hundred thousand. In comparison, the past year has seen an average growth of more than 18,000 certificates per month.

www.microsoft.com Completes Move to Microsoft-IIS/7.5

Microsoft is now running Microsoft-IIS/7.5 on its main website www.microsoft.com. IIS 7.5 is part of Windows Server 2008 R2, which is currently in beta testing.

The changeover appears to have started around the 8th January, when www.microsoft.com began responding sometimes with Microsoft-IIS/7.5, but with many requests still being served by 7.0. Now the transition appears to be complete, with all requests now being handled by version 7.5.

Microsoft has consistently upgraded www.microsoft.com to new versions of its web server platform ahead of their actual release, as a demonstration of confidence in new versions. It upgraded to the original Windows Server 2008 in June 2007, 8 months before that operating system's finished release in February 2008. www.microsoft.com is one of the very first sites to use Microsoft-IIS/7.5; Netcraft sees only 28 websites running Microsoft-IIS/7.5 in the February web server survey, of which the only significant sites were at Microsoft.

Continue reading