Phishing sites using Extended Validation SSL

Netcraft's anti-phishing toolbar community identified a noteworthy phishing attack against PayPal in December. FasterPay – which describes itself as the UK's only safe, all-in-one Internet Banking payment service – was apparently hacked, and a subdirectory on the company's own website at was used to host a PayPal phishing site.

The credibility of the phishing attack was enhanced by the Extended Validation (EV) SSL certificate used by the FasterPay website. This meant that any victims of the phishing attack would have been presented with the reassuring green EV indicator in (or near) the browser's address bar. This attack acts as a reminder that users must do more than merely look for the presence of an EV certificate when deciding whether or not it is safe to submit personal or financial data to a website.

The CA/Browser Forum defines a strict set of guidelines [pdf] that a certificate authority must adhere to when issuing an Extended Validation certificate. These guidelines clearly detail the steps required to verify the identity and legitimacy of an organisation when it applies for a certificate, as well as the security processes that must be implemented by the certificate authority.

Each certificate authority must maintain a comprehensive security program to protect all EV processes, including carrying out regular risk assessments. However, no such requirements are placed upon the owners of websites which use EV certificates, which perhaps highlights a weakness in the current guidelines.

According to these guidelines, one of the secondary purposes of EV certificates is to address the problem of phishing, but the attack hosted by FasterPay demonstrates how this type of protection can be undermined and even turned to the attacker's advantage – if a user is conditioned to be reassured by the presence of an EV certificate, he will be more susceptible to any phishing attack that is hosted on a site with an EV certificate. FasterPay is by no means the first EV-toting website to have exhibited a security vulnerability, which raises the question of whether the issuance guidelines for EV certificates should also require the applicant to provide similar assurances regarding the security of the website on which an EV certificate is to be deployed – for example, by carrying out regular automated vulnerability scans or manual web application security testing.

December 2011 Web Server Survey

In the December 2011 survey we received responses from 555,482,744 sites, giving a rise of 29.5 million (+5.6%) since last month.

Since June all major web server vendors have continuously gained hostnames. This month Apache once again saw the largest increase, of just over 20M hostnames, which is the largest gain for Apache in five months. The second largest growth was seen by Microsoft, with a gain of 1.2M; however, this still resulted in Microsoft losing market share. nginx, on the other hand, recovered from its recent loss, reaching another all-time high of 8.85% market share.

All server vendors also saw an increase in Active Sites this month. Apache experienced the largest increase with a gain of nearly 1.5M sites. Microsoft also gained 0.5M Active Sites increasing its market share advantage over its close rival nginx by 0.7 percentage points. The total number of Active Sites in our survey now stands at 175 million.

[Chart: Total Sites Across All Domains, August 1995 - December 2011]

[Chart: Market Share for Top Servers Across All Domains, August 1995 - December 2011]


Sustained LiveJournal DDoS attack continues

Blogging site LiveJournal is still being hammered by a distributed denial of service attack which started 10 days ago.

On November 28, the LiveJournal Status website announced in both English and Russian that the site was under a DDoS attack.

The attack appears to have continued over the past 10 days, causing some significant outages and slowdowns. Nonetheless, LiveJournal did manage to stay online throughout most of this period, although the company had to disable support for third party services such as Facebook, Twitter and Google yesterday.

LiveJournal has been owned by Russian media company SUP since 2007, and there has been much speculation that this latest attack could be related to recent elections in Russia. LiveJournal was subjected to a series of similar attacks in March and April this year, which LiveJournal attempted to counter by upgrading their servers.

At 13:15 UTC today, LiveJournal again confirmed that the site was up, but still under a DDoS attack.

Most Reliable Hosting Company Sites in November 2011

Rank  Company site           OS                   Outage hh:mm:ss  Failed Req%  DNS    Connect  First byte  Total
1     Datapipe               FreeBSD              0:00:00          0.004        0.273  0.005    0.012       0.078
2     Qube Managed Services  Linux                0:00:00          0.011        0.300  0.053    0.107       0.107
3     Hosting 4 Less         Linux                0:00:00          0.011        0.201  0.079    0.295       0.551
4                            Linux                0:00:00          0.014        0.267  0.063    0.340       0.511
5     Server Intellect       Windows Server 2008  0:00:00          0.014        0.175  0.092    0.188       0.453
6                            Linux                0:00:00          0.018        0.461  0.071    0.145       0.156
7     New York Internet      FreeBSD              0:00:00          0.021        0.096  0.034    0.074       0.223
8     Swishmail              FreeBSD              0:00:00          0.021        0.762  0.068    0.137       0.342
9                            Linux                0:00:00          0.025        0.098  0.037    0.107       0.245
10    ServInt                Linux                0:00:00          0.025        0.471  0.076    0.156       0.332

DNS, Connect, First byte and Total are average response times in seconds.

Datapipe was the most reliable hosting company in November and has now claimed the top spot seven times this year. The company offers a range of services including managed hosting, compliance, security and cloud computing. Datapipe recently extended its presence in Asia by partnering with Shanghai Data Solutions (SDS), which owns and operates fully redundant carrier-neutral datacentres in China.

The second most reliable this month was Qube Managed Services, a London-based hosting company with additional datacentres in New York and Zurich. The company offers managed hosting, cloud hosting and managed colocation for a range of customers with a particular interest for those in the Finance and New Media sectors. This is the second time that Qube has ranked in the top three. The company was also listed as best performing cloud platform in Europe and the US this month.

Hosting 4 Less came in third this month. The company guarantees a 99.9% uptime and offers Windows and Linux hosting as well as e-commerce and FTP hosting. Hosting 4 Less also sells SSL Certificates through Certs 4 Less, a sibling company which is a Platinum Partner of VeriSign, GeoTrust, Thawte and RapidSSL.

Six of November’s top ten most reliable hosting company sites used Linux, while three used FreeBSD and one used Windows Server 2008.

Netcraft measures and makes available the response times of around forty leading hosting providers’ sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.

From a customer’s point of view, the percentage of failed requests is more pertinent than outages on hosting companies’ own sites, as it gives a pointer to the reliability of routing; this is why we choose to rank our table by fewest failed requests rather than by shortest period of outage. Where two sites have the same number of failed requests, they are ranked by average connection time.

Information on the measurement process and current measurements is available.

Sustained DDoS attack against 4chan

A sustained distributed denial of service attack against 4chan has kept the site's message boards mostly offline since the weekend:

4chan's status page, which is hosted on Google's Blogger platform, announced on Sunday 13 November that the site was down due to a large DDoS attack. 4chan today revealed that the ongoing DDoS attack consists of a UDP packet flood on port 80. Such attacks typically aim to disrupt normal operation of a website, either by saturating all available bandwidth, or by exhausting the processing capacity of a web server, thus denying service to legitimate users.
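A UDP flood aimed at port 80 is easy to spot from the server side, because a web server expects TCP on that port and sustained UDP there is almost never legitimate. The following detector is an added example, not Netcraft's or 4chan's code; it assumes a constructed flow-record format of `epoch proto src dst dport packets` and flags every one-second bucket in which UDP packets to the watched port exceed a threshold.

```python
"""Per-second UDP/80 flood detector over constructed flow records."""
from collections import defaultdict

# Constructed sample records (not real traffic): a burst of UDP aimed at
# port 80 mixed with normal TCP web requests and a little UDP/53 DNS.
# Format assumed here: <epoch_seconds> <proto> <src_ip> <dst_ip> <dst_port> <packets>
SAMPLE_FLOWS = """\
1321200000 TCP 203.0.113.5 198.51.100.10 80 12
1321200000 UDP 198.18.0.1 198.51.100.10 80 900
1321200000 UDP 198.18.0.2 198.51.100.10 80 850
1321200000 UDP 203.0.113.9 198.51.100.10 53 3
1321200001 UDP 198.18.0.3 198.51.100.10 80 2100
1321200001 TCP 203.0.113.6 198.51.100.10 80 20
1321200002 TCP 203.0.113.7 198.51.100.10 80 15
1321200002 UDP 198.18.0.1 198.51.100.10 80 40
"""


def parse_flows(text):
    """Parse the assumed flow format into (ts, proto, src, dst, dport, packets)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, src, dst, dport, pkts = line.split()
        flows.append((int(ts), proto, src, dst, int(dport), int(pkts)))
    return flows


def udp_port_flood_seconds(flows, dst_port=80, threshold_pps=1000):
    """Return {second: (udp_packets, distinct_sources)} for each one-second
    bucket where UDP packets to dst_port exceed threshold_pps.

    Counting distinct sources separately helps tell a spoofed or
    distributed flood from a single misbehaving host."""
    packets = defaultdict(int)
    sources = defaultdict(set)
    for ts, proto, src, _dst, dport, n in flows:
        if proto == "UDP" and dport == dst_port:
            packets[ts] += n
            sources[ts].add(src)
    return {t: (packets[t], len(sources[t]))
            for t in packets if packets[t] > threshold_pps}


if __name__ == "__main__":
    hits = udp_port_flood_seconds(parse_flows(SAMPLE_FLOWS))
    for sec, (n, nsrc) in sorted(hits.items()):
        print(f"{sec}: {n} UDP packets to port 80 from {nsrc} sources (possible flood)")
```

In practice the threshold would be tuned against a baseline of the host's normal UDP traffic, and the alert fed to an upstream filter or the hosting provider rather than handled on the saturated box itself.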

The attack also affected 4chan's main page at, which has been intermittently unavailable during the same period:

Many popular internet memes are believed to have originated from 4chan's message boards, including Lolcats and the practice of rickrolling. The boards were also used to recruit volunteers when the group Anonymous carried out a series of DDoS attacks against MasterCard, Visa and PayPal last year. When 4chan itself subsequently suffered a similar attack at the start of this year, 4chan made light of the fact that it had joined "the ranks of MasterCard, Visa, PayPal et al.–an exclusive club!".

November 2011 Web Server Survey

In the November 2011 survey, we received responses from 525,998,433 sites, giving a rise of 22 million (+4.3%) since last month.

Once again, all of the major web server vendors gained sites this month; however, Apache showed a greater rise of 15.9 million sites this time, allowing it to claw back some of the market share it lost last month. Microsoft showed the second largest absolute gain of 2.3 million sites, although this was not enough to prevent its market share falling by 0.21 percentage points. nginx also suffered a small loss in market share after reaching its all-time high of 8.54% last month.

In terms of active sites, Microsoft was the only major web server vendor to show a loss. Conversely, nginx made the largest gain, rising by 0.86 million active sites and bringing it to within 0.66 percentage points of Microsoft's market share. The total number of active sites in our survey now stands at 172 million.

[Chart: Total Sites Across All Domains, August 1995 - November 2011]

[Chart: Market Share for Top Servers Across All Domains, August 1995 - November 2011]
