Most Reliable Hosting Company Sites in April 2017

Rank Performance Graph OS Outage
DNS Connect First
1 Linux 0:00:00 0.004 0.185 0.040 0.116 0.116
2 Swishmail FreeBSD 0:00:00 0.004 0.132 0.060 0.120 0.164
3 Hyve Managed Hosting Linux 0:00:00 0.004 0.075 0.062 0.127 0.127
4 Webair Linux 0:00:00 0.009 0.144 0.054 0.109 0.110
5 XILO Communications Ltd. Linux 0:00:00 0.009 0.210 0.067 0.134 0.134
6 CWCS Linux 0:00:00 0.009 0.194 0.077 0.176 0.176
7 Inc Linux 0:00:00 0.013 0.219 0.012 0.031 0.032
8 Bigstep Linux 0:00:00 0.013 0.129 0.063 0.128 0.128
9 Qube Managed Services Linux 0:00:00 0.013 0.131 0.064 0.129 0.129
10 Linux 0:00:00 0.017 0.265 0.005 0.194 0.194

See full table comes in first place in April, up from seventh place in March. responded to all but one of Netcraft's requests, with an average TCP connection time of 40 milliseconds. The company was founded in 2002 and is based in Denmark, with staff also based in Dubai and India.

Swishmail and Hyve follow in second and third places respectively. These hosting company sites also responded successfully to all but one request, but had marginally slower average connection times than's site. Swishmail is based in the United States and provides business email and web hosting services, whilst Hyve is based in the United Kingdom and provides a variety of cloud and dedicated server hosting services. Hyve reached the finals of the 2017 European IT and Software Excellence Awards under both the Managed Service Solution of the Year and Service Provider of the Year categories.

Xilo has consistently featured in the top 10 so far in 2017. Xilo provides a variety of services, ranging from shared hosting up to managed and self-managed dedicated servers, as well as domain name services and SSL certificates.

Of the top 10 hosting providers for April, all but one of their websites are running on Linux, with the exception being Swishmail's, which runs on FreeBSD.

Netcraft measures and makes available the response times of around thirty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.

From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as this gives a pointer to reliability of routing, and this is why we choose to rank our table by fewest failed requests, rather than shortest periods of outage. In the event the number of failed requests are equal then sites are ranked by average connection times.

Information on the measurement process and current measurements is available.

April 2017 Web Server Survey

In the April 2017 survey we received responses from 1,816,416,499 sites and 6,320,910 web-facing computers. This reflects a gain of 56 million sites and 49,800 computers.

Microsoft had a noticeable gain of 108 million sites (+15.4%), recouping last month's loss and expanding its market share by nearly 5 percentage points to 44.7%. Microsoft is 10 million sites down from the start of the year, but its share is now nearly twice as large as Apache's. The only major vendor to suffer a loss of hostnames in April was nginx, which lost 1.4 million sites – this took its market share down by 0.41 points to 19.2%, leaving it slightly further behind Apache's share of 22.7%.

Despite nginx's loss of sites, it was once again the only major vendor to increase its presence within the top million sites, increasing its count by 2,164 sites, while Apache lost 1,962; but Apache stays in the lead with a 40.9% share, while nginx's increased to 28.7%.

nginx's growth is also reflected well in the web-facing computers market, where it had the largest increase of 29,900 computers (+2.44%). This took its share up by 0.32 points to 19.9%, while Apache's leading share fell by 0.27 points to 43.5%. Microsoft is still in second place with 24.2% of the web-facing computer market, but this position looks set to be taken by nginx within the next year if the trend of nginx's gains and Microsoft's losses continue.

Apache continues to reign supreme in terms of active sites, where it increased its market share slightly to 46.3%, putting it further ahead of nginx, which has a share of 19.6%; however, the long term trend over the past several years has seen the two vendors getting closer, with nginx slowly gaining market share while Apache has slowly declined. Microsoft's share of active sites is only 8.28%, but this is enough to keep it in third place, ahead of Google.

A new mainline version of nginx (1.11.13) was released on 4 April. This release included several bugfixes and formed the basis of the current stable version, nginx 1.12.0, which was later released on 12 April. As a consequence of including all bug fixes and new features from the entire 1.11.x branch, nginx 1.12.0 includes support for configuring multiple SSL certificates of different types, better support for dynamic modules, and several other new features.

Earlier this month, Netcraft examined the success of ICANN's New gTLD program, as well as the impact it has had on brand owners such as LEGO. The .loan gTLD saw the largest domain growth of any type of TLD this month, gaining 287,000 unique domains, yet losing more than 10 million websites. Only 3% of all .loan domains are considered active by Netcraft, indicating that large numbers share near-identical content, such as monetized domain holding pages.

From the TLD operator's perspective, the rise in .loan domains is much more significant than the large reduction in sites, as each unique domain will correspond to a domain registration, which invariably involves some type of transaction. The cost of registering a single .loan domain can vary between $20-$40 per year (including ICANN fees), depending which registrar is used, although some registrars – such as Namecheap – offer low introductory prices of $0.88 for the first year only. The prevalence of domain holding pages suggests that many of these domains may have been bought at introductory prices, so the estimated revenue from the 980,000 unique .loan domains currently in use on the web is likely to be much closer to $1m than $40m.

Total number of websites

Web server market share

DeveloperMarch 2017PercentApril 2017PercentChange
Continue reading

Hotpoint service sites hacked

Hotpoint's UK service website has been hacked. Instead of allowing customers to activate warranties, book services or find an engineer, the site is currently putting its customers at risk by redirecting them to a variety of dubious websites.

Some visitors were presented with a fake Java update page, which downloaded malware.

Some Hotpoint visitors are being redirected to a fake Java update page, which downloads malware.

The hacker has accomplished this feat by appending malicious JavaScript code to several of the scripts hosted on the Hotpoint service site. It was not readily apparent how the hacker gained write-access to these files, but the WordPress content management system that the site runs on is notorious for being compromised if both it and its plugins are not kept up to date.

The hack has also affected Hotpoint's Irish service website, which is hosted on the same IP address as the UK one.

The malicious code appended by the attacker. This appears at the end of an otherwise-legitimate script which asks the user whether they want to accept cookies from the site

The malicious code appended by the attacker. This appears at the end of an otherwise-legitimate script which asks the customer whether they want to accept cookies from the site.

The appended code is obfuscated to make its purpose less apparent, perhaps in the hope that nobody would dare to delete it. De-obfuscating the code reveals that it is responsible for loading a larger obfuscated script from an external site.

The externally hosted malicious script pretends to be an innocuous jQuery file; but scrolling down reveals its true content, which is obfuscated.

The externally hosted malicious script pretends to be an innocuous jQuery file; but scrolling down reveals its true content, which is obfuscated.

Presumably, this external site is operated by the hacker, in which case he has the opportunity to change the content of his malicious payload at will. Any visitor to the Hotpoint service site could consequently be at risk of much more serious attacks, such as drive-by malware or phishing.

Hotpoint service customers are also being redirected to scam survey sites like this one.

Many bank holiday shoppers who buy Hotpoint white goods are likely to fall victim to this attack, as the paperwork included with new appliances directs new customers to the site to activate their 10 year parts guarantee.

Thanks Tim

New customers are directed to the hacked site.

Existing customers desperate to find out about certain models of dangerous tumble dryers are also likely to be snared by the JavaScript attack.

Generally, the Easter bank holiday weekend is a good time for hackers to strike UK websites, as many people will be on holiday on both Good Friday and the following Monday. The longer the attacker can keep his redirection code in place, the more revenue he can reap.

Of course, there could be wider-reaching repercussions to this attack – if an attacker has been able to modify scripts on Hotpoint's website, then he could also have been in a position to view any data stored or transmitted by the site.

LEGO vs Cybersquatters: The burden of new gTLDs

netcraft-minifig-annotated ICANN's New gTLD Program was developed to increase the amount of choice within the domain name space, and it has been unquestionably successful in that respect. Consumers and businesses alike can now register domains under hundreds of different top-level domains such as .toys, .mortgage, .software, .gifts, .london and so on.

But the launch of so many new gTLDs could be costly for brand owners, who will have to contend with even more "bad faith" registrations by cybersquatters and fraudsters. When a company fails to register its own trademarks — along with many subtle variations of those trademarks — under each new gTLD, there is a risk that someone else will, and these opportunities are often abused to acquire some of the traffic that would otherwise have gone to the brand owner's own websites. Not only does this divert money away from the legitimate brand owner, but it can also be detrimental to its reputation.

LEGO: A bigger brand than Google

LEGO is one of the brands that is most affected by bad faith registrations, as its globally-recognised name makes an attractive target for anyone who wants to piggyback on its success. was registered anonymously by a domain squatter last year. It currently shows a monetized domain holding page that has sponsored listings for LEGO-related keywords. was registered anonymously by a domain squatter last year. It currently shows a monetized domain holding page that has sponsored listings for LEGO-related keywords.

Early this year, LEGO regained its status as the world's most powerful brand, beating the likes of Google, Nike, Ferrari, Visa and Disney. Last year, the privately held LEGO Group increased its revenue to a record high of DKK 37.9 billion (US $5.4 billion), and its operating profit grew to DKK 12.4 billion (US $1.8 billion).

To safeguard its continued success, The LEGO Group is very protective of its trademarks, and actively seeks to prevent any misuse that could lead to confusion as to whether it sponsors or authorizes unofficial or unlicensed websites. In particular, it asserts that the use of a LEGO trademark in a domain name is an infringement of its rights. is a clear infringement of LEGO's rights. It monetises its content through advertising banners and Amazon affiliate links to LEGO products.

The domain is a clear infringement of LEGO's asserted rights. It monetizes its content through advertising banners and Amazon affiliate links, which earn commission of up to 5%.

To deter these infringements, The LEGO Group has a legal notice that asks for Fair Play from customers and competitors alike. This philosophy mirrors the names of its own products: "LEGO" is derived from the Danish words "leg godt", which means "play well".

But of course, a polite request cannot deter all ne'er-do-wells. Many domain squatters are unlikely to take heed of legal notices when they register infringing domain names. Consequently, lots of infringement does occur, and The LEGO Group has to expend more effort in dealing with these.

WIPO to the rescue

The LEGO Group is an avid supporter of the World Intellectual Property Organization (WIPO), which it relies on to settle some of its disputes over infringing domain names. Last year, LEGO was the fourth largest filer of domain name cases, accounting for more than 1.4% of all cases handled by WIPO in 2016.

When a domain name is disputed via WIPO, the costs can vary depending on how many domains are included in the complaint, and how many panellists will be involved in considering the complaint. A dispute over a single domain name with a single panellist costs $1,500, or $4,000 with three panellists. These costs are borne solely by the complainant, while the infringing party stands only to lose the registration fee he paid for the domain.

Speculating before the speculators

With so many new gTLDs available to choose from, domain name speculators have many more opportunities than they did a few years ago. Filing disputes amongst an ever-growing landscape of TLDs could soon become a very costly exercise for brand owners.

To avoid these costs, some brand owners speculatively register their own trademarks before the domain squatters can, even if they have no practical use for them. This prevents the domains being registered by others in bad faith, and works out much cheaper than having to file disputes for each one. Legitimate trademark owners can submit claims for their domains during each new gTLD's sunrise period, before anyone else has the opportunity to register them.

LEGO Juris A/S (which does business as The LEGO Group) is the registrant of more than a hundred domains for just its "lego" string. A few examples of these include,,,,,,,,, and even As long as LEGO holds on to these domains, nobody else will be able to register them. Most of these sites simply display a blank homepage, while a few redirect visitors to LEGO's main website at

However, not all lego domains belong to LEGO. For example, is currently registered to an individual at an agricultural university in Beijing. The site previously displayed a Wishloop domain holding page, which suggested that the owner might have eventually tried to monetize it through conversions, but now the domain name does not resolve in DNS. However, the domain is still registered, and it is not clear why LEGO has not yet acted on this or many other infringing domains – perhaps it is not worth the cost or effort until an infringing site becomes popular enough to cause measurable damage.

Last year, both and were registered to an individual in Pennsylvania, and the latter domain was used to host a WordPress blog. Rather than being taken over by LEGO Juris A/S, both domain registrations expired and are purportedly now available for registration.

New gTLDs increase the size of the cybersquatter's playground

Speculatively registering domains before they are registered in bad faith by domain squatters can be effective in some cases, but this approach rapidly becomes less practical and too expensive when there are multiple trademarks to protect.

The LEGO Group produces its plastic construction toys under a variety of trademarked themes, such as Dimensions, Ninjago, Chima, Mixels and Mindstorms – plus several licenced brands such as Star Wars and Angry Birds. These provide even more opportunities for cybersquatters to register deceptive domain names.

LEGO owns more than 4,000 unique domains that serve websites, and many of these typify the type of strings that might be registered by domain squatters. These include,,,,,, and more. Each of these sites serves nothing more than a blank webpage, which implies that LEGO only owns them so that others cannot. A few domains, such as and are configured to redirect visitors to LEGO's main website at

But it is clearly not feasible to defensively register all possible permutations of LEGO's brands, particularly now there are also hundreds of new gTLDs under which such domains can be registered. This situation makes the domain name dispute process seem almost unavoidable; and indeed, the total number of disputes handled by WIPO during 2016 rose by 10%.

Deciding who a domain name should belong to

When a domain name dispute is handled by the WIPO Arbitration and Mediation Center, the panel considers many factors when deciding whether the domain should be transferred to the complainant. The process is largely transparent, with the procedural history and reasons behind each decision being published on

Take as an example, which was handled in case D2015-1217. The infringing domain was registered by an individual in the United States, but she did not respond at any point during the dispute proceedings, and thus failed to show that she had any rights or legitimate interests in the disputed domain name.

Prior to filing the dispute, LEGO had attempted the much cheaper option of sending a cease-and-desist letter to the respondent, and proposed to compensate her for the expense of registering the disputed domain name; but this letter was also ignored. This contributed to the panel's decision that the domain had been registered in bad faith.

LEGO requested the panel to issue a decision to transfer the disputed domain name on the grounds that it is a combination of the LEGO trademark and the licenced trademark STARWARS, and that the respondent had no rights or legitimate interests. Although the disputed domain did not serve any content when the complaint was considered by the panel, LEGO claimed it had been connected to a website containing sponsored links to various online shops where LEGO products were sold.

Amongst its findings, the panel pointed out that the use of the .xyz gTLD is not relevant when assessing whether a trademark is identical or confusingly similar. This means that if the respondent had also registered dozens of identical strings under other gTLDs, those might also have had to be taken down via WIPO's service.

Less than two months after the dispute had been filed, the administrative panel ultimately ordered the domain to be transferred to LEGO. It has now joined LEGO's collection of websites that display nothing more than a blank page.

But many infringing domains still get away with it...

WIPO's arbitration and mediation process for domain name disputes seems effective, albeit a slow and expensive option when there are lots of infringing domains to deal with. This could explain why the LEGO Group does not take swift action against every site that tries to monetize its brand without permission.

Take as an example. This domain was registered anonymously in 2015, via a WHOIS privacy service, and was used to display a set of LEGO products that are sold on Amazon. These used Amazon affiliate links, so that when a visitor clicked through and subsequently bought one of the items from Amazon, the site's operator would have netted a small percentage of the sale. For just the cost of a .xyz domain (which can be as little as $0.88 for a whole year) the operator of this site could recoup his outlay — and more — with just one sale.

Screenshot of This domain registration has since expired.

Screenshot of This domain registration has since expired.

Bad faith registrations are also capitalising on the success of The LEGO Batman Movie, which was released in February. For instance, the following domain purportedly offers the chance to stream or download the full movie for free. This is clearly dubious and not recommended.

This .xyz domain (which contains both "lego" and "batman" in its name) has clearly been registered in bad faith, as it offers free access to a pirated copy of The LEGO Batman Movie.

This .xyz domain (which contains both "lego" and "batman" in its name) has clearly been registered in bad faith, as it offers free access to a pirated copy of The LEGO Batman Movie.

Nearly 7% of the domains disputed in WIPO cases last year were under the .xyz top-level domain, making it the most problematic new gTLD in terms of bad faith registrations. Nonetheless, the majority of filed disputes still concern .com domains. This is possibly because .com is still the most recognised top-level domain, and so more people are likely to end up visiting these sites as a result of typo-traffic.

But preventing bad faith registrations is arguably not always in the interests of a domain registrar, as even after a domain has expired, it can still be monetized by the registrar. As an example, expired in March after being registered for two years. It still serves a website, which now displays a set of LEGO-related links that lead to sponsored ads paid for by various LEGO toy retailers. has expired, but still displays monetized search links. has expired, but still displays monetized search links.

Some of the infringing domain names contain high-value search keywords, which are likely to generate more money through contextual advertising. For example, the domain name might look like a strange choice to some, but it refers to the 5-digit set number of one of LEGO's most expensive and sought after sets: 10179: The Ultimate Collector's Millennium Falcon. This massive 5,197-part Star Wars set retailed at $500 before it was discontinued seven years ago, but an unopened box can easily fetch several thousand dollars today.

Another very specific example is, which refers to set 4184. This LEGO model ship is based on the Black Pearl from the Pirates of the Caribbean film series. The set was discontinued in 2012, but it already commands a high price on the aftermarket. This likely explains the existence of such peculiar infringing domain names, and it's also no wonder that some people consider LEGO to be a better investment than gold. To prevent misuse, the domain is now registered to LEGO Juris A/S.

An eBay listing for the Black Pearl, which had an original RRP of £84.99.

An eBay listing for the Black Pearl, which had an original RRP of £84.99.

Dozens of domains that contain the numbers of expensive LEGO sets, such as,, and are now registered to LEGO Juris A/S after previously being registered to other parties.

Other costs of gTLDs

The plethora of new gTLDs has unarguably increased the size of the cybersquatter's playground, but ICANN's new gTLD program has also drawn more than $100 million directly from brand owners who have applied for their own Brand TLDs. Around a third of all new gTLD applications are brand applications, and many of these brand owners will also have to fork out additional money to manage the application process and for the provision of backend registry services.

The LEGO Group applied for its own .lego Brand TLD in 2012, in order to gain exclusive control over all .lego websites. As well as being able to ban cybersquatters from its own TLD, another obvious benefit of operating a Brand TLD registry is being able to make shorter, more memorable internet addresses. However, the LEGO Group does not appear to be using the .lego TLD for any of its websites yet.

Another common motivation for owning a Brand TLD is to mitigate phishing attacks, as fraudulent sites will not be able to directly leverage the trust instilled by the brand's own TLD. But remarkably, phishing attacks against LEGO's customers are practically unheard of, even though it is the world's most powerful brand, and stores payment details and loyalty credit on its online store at

LEGO's application for the .lego Brand TLD passed Initial Evaluation in 2013, and was eventually delegated in June 2016. Rather than operating the .lego gTLD itself, LEGO has opted to use Verisign as its backend registry services provider. Since the launch of ICANN's new gTLD program, more than 150 other brands have also engaged Verisign to apply for and manage their new gTLDs. Verisign is well known for its management of the .com and .net generic TLDs, which has no doubt helped to make it a popular choice as a gTLD operator.

Abandoned new gTLDs

Whether or not LEGO ends up making good use of its new gTLD has yet to be seen, but it appears that at least two brand owners have had a change of heart over having their own TLDs. The South Korean conglomerate Doosan initiated the termination of its Registry Agreement for .doosan in September 2015, and the global engineering company FLSmidth – which is headquartered in the same country as LEGO – did the same for .flsmidth in February 2016. Both of these new gTLDs made it to the point where they were successfully delegated to the internet's root zone, which suggests that the owners had already spent hundreds of thousands of dollars before deciding to abandon them.

Detecting infringements

Netcraft's Fraud Detection service can be used to find domains and content that infringe a company's rights. This service also monitors app stores, social media sites, sponsored search engine results and DMARC reports to detect additional infringements. The results for all of the searches are made available via a web interface, together with detailed site information (hosting locations, registrations details, etc.), and are reviewed into categories including 'owned by company', suspicious, benign (e.g. a mention on a news or personal site), unavailable, or phishing.

New gTLDs: Are they a success?

More than three years have flown by since the first new generic top-level domain (gTLD) was delegated on 23 October 2013. Today, hundreds of new gTLDs are now available, giving consumers and businesses the opportunity to register domains under the likes of .science, .guru, .xyz, .expert, .ninja, .pizza, .wine, and many more.

ICANN's New gTLD Program was launched in June 2011, and it received nearly 2,000 applications when the application window eventually opened in January 2012. Guided by a 338-page application book, each applicant was required to pay a $185,000 evaluation fee, which was intended to recover the costs involved in running the New gTLD Program.

The initial application fees alone have netted ICANN more than $300 million to date, so the program has arguably been worthwhile from its point of view, avoiding the need to subsidise it with ICANN's other funding sources; but with such high fees, how successful has it been for the applicants?

The fact that each applicant had stumped up $185,000 for each gTLD evaluation suggests that they must have had a fair degree of confidence in their own business plans before filing their gTLD applications. Applicants are required to provide financial projections, which would typically include forecasted registration volumes and the associated cash inflows. Every application that passes ICANN's Initial Evaluation process implies that both the applicant and ICANN were satisfied that the operation of the new gTLD would be sustainable. Even so, profits are not necessarily expected to be instant – the applicant's demonstration of a sustainable business model does not have to reach break-even within the first three years of operation.

Success in numbers

Now, after a few years of growth, it is clear that some of the new gTLDs have been very successful indeed. Take .guru, for instance: this was launched in January 2014, and quickly became one of the most commonly purchased new gTLDs offered by its operator, Donuts Inc. It has nearly 64,000 active registrations, and more than 56,000 of these are running websites that appear in our latest survey.

This registration volume likely translates to somewhere between 1.5-2.0 million dollars in registration fees being paid by consumers each year, depending on which registrar is used. While .guru's domain registry will only receive a portion of the consumer cost of the domain, with the rest being split between ICANN and the registrar, the amounts are likely to be significant.

Beyond the initial evaluation fees, applicants are also required to pay ICANN ongoing quarterly fees; but for the majority of gTLD operators, these will be much lower than the initial application costs. It is likely that .guru in particular is making a handsome amount of profit for its operator.

Donuts is evidently a firm believer in the potential for new gTLDs. Founded by Paul Stahura, who sold the domain name registrar eNom in 2006, this start-up company raised $100m in venture funding and ploughed most of it into 307 applications for new gTLDs.

Donuts operates nearly 200 of the 1,000 or so gTLDs that have been delegated so far (i.e. introduced to the internet's authoritative Root Zone database). While Donuts' .guru gTLD quickly established itself as a favourite, it has since been taken over by .life, .email, .today and .solutions. All of these — including .guru — were launched in 2014, giving them a head start in gaining popularity compared with newer new gTLDs. The .life gTLD is the current leader amongst Donuts' domains, with nearly 79,000 registrations.

In terms of the number of websites (rather than domains) using new gTLDs, the most common one in Netcraft's April 2017 survey is .top. This entered general availability in November 2014 and broke through one million registrations by 2016. The .top gTLD is operated from China by .Top Registry, and is now used by 160 million websites across more than 2 million unique second-level domains (e.g.

Many of these .top sites are nothing more than webspam, but it is the registration volume that counts when it comes to potential revenue, regardless of how interesting the websites are. However, depending which registrar a customer uses, a .guru domain could cost roughly three times the price of a .top domain, so the higher registration volume of .top does not necessarily translate to an equivalently higher revenue. Taking Namecheap as an example, a .top domain costs $0.88 for the first year and $10.88 per year thereafter; whereas a .guru domain costs $6.88 for the first year and $24.88 after that.

The actual revenue being drawn from new gTLDs is not clear, as the financial projections submitted by applicants do not have to be made public; however, a leaked presentation back in 2013 revealed that Famous Four Media put the potential year 1 revenue for each new gTLD at almost $30 million. Famous Four Media is another prominent applicant in ICANN's New gTLD Program, using separate limited companies to apply for 60 new gTLDs. A year ago, its .science gTLD was the most used new gTLD (by hostnames), then used by 66 million websites across more than 160,000 unique second-level domain names (e.g.

.top might have most websites (e.g., but in terms of unique second-level domains (e.g., and therefore active registrations, .xyz is the most commonly registered new gTLD in use on the web. Netcraft's latest survey shows it has a registration volume of more than 3.7 million, although many of these domains will have been given away by XYZ.COM LLC for free or at very low cost.

This time last year, much of the interest in the .xyz gTLD came from China: About 40% of all .xyz websites were hosted in China; more than half of all .xyz registrations originated from China; many of its 200,000 IDNs (internationalised domain names) were in Chinese scripts (e.g. 台北郵購網.xyz); and the single-digit domain sold at auction for a record $182,000 to a Chinese registrant. However, today, the United States hosts nearly 80% of all .xyz sites.

Things are evidently going well for XYZ.COM LLC, which also operates several other new gTLDs. Its CEO, Daniel Negari, notably put out a $5 million offer to buy four gTLDs from Rightside Group Ltd, and has also expressed its desire to buy gTLDs from other registry operators, saying it is "cashed up, and ready to do deals".

The large registration volumes of .xyz, .top and .life make these gTLDs serve as flagships for their respective operators, but not all gTLDs are this popular. For example, .accountants has only 1,400 registrations, even though it has been operated by Donuts since 2014. However, this lower uptake is not too surprising, as the target registrants for this particular gTLD are professionals practicing in the field of accounting and auditing. Lower registration volumes are therefore to be expected among these niche gTLDs, but the operational costs can be countered by charging more per registration – registering a new .accountants domains costs around five times more than a .guru domain (again, depending which registrar is used).

The .accountants gTLD also has to contend with the similar—but much cheaper—.accountant gTLD, which is managed by Famous Four Media. Despite the obvious similarity and mission overlap, the .accountant gTLD was approved by ICANN and delegated in March 2015.

Netcraft's survey found more than 50 times as many domains registered under the cheaper .accountant gTLD. While there are undoubtedly more individual accountants than there are groups of accountants, the cheaper cost of .accountant domains must also play a big part in these different registration volumes.

Most obviously, cheaper domains are more likely to appeal to domain squatters and ad networks. Demonstrating this, more than half of all .accountant websites are hosted by a single company, with most of these sites being used to display monetized search links rather than anything to do with accountancy.

Nonetheless, registrations are a gTLD operator's primary source of revenue, and so it is largely inconsequential to the operator what the registrants end up using these domains for. Although the .accountant gTLD is aimed at accountants and related businesses, it is actually possible for anyone to register these domains. Registrants of .accountant domains are required to agree to the Registry's Abuse and Rights Protection Terms and Conditions, which includes displaying an APM seal on their homepages. This measure is supposed to "augment the security and stability" of the gTLD, but it seems that this requirement is not actively enforced, as many of the spam sites using the .accountant gTLD do not display this seal at all.

Other metrics for success

Financially, it looks like the well-established new gTLDs have been successful, and many of the newer ones have similar potential; but this success has not yet manifested itself so visibly on the internet.

The most commonly registered gTLD, .xyz, might have 3.7 million current registrations, but fewer than 2,500 of these domains appear amongst the top million websites; and even though .science was the most commonly used new gTLD this time last year, even fewer of these—just 22—have made it into the top million. These amounts are mere drops in the ocean compared with the well-established .com, which is used by more than 403,000 unique domains within the top million sites.

.xyz is the most commonly used new gTLD, but remains outpaced by several traditional TLDs.

.xyz is the most commonly used new gTLD, but remains outpaced by several traditional TLDs.

Much of the early success of .xyz—relative to other new gTLDs, at least—can be put down to a Network Solutions promotion which offered a free matching .xyz domain with each .com domain purchased. Within its first ten days of operation, Network Solutions had registered nearly 100,000 .xyz domains, but many of these could not be monetized until the following year when the domains became due for renewal.

Phishers seizing new opportunities

Unsurprisingly, fraudsters have also exploited the plethora of new gTLDs by registering domains that are then used to host phishing sites. Many of the domains involved in recent attacks appear to have been registered specifically for the purpose of fraud, rather than belonging to sites that had been compromised.

While ICANN requires all gTLD registries to deal only with registrars that prohibit end-users from carrying out phishing attacks, each registry maintains its own safeguards, meaning that some are better than others at proactively defending against fraud.

With some new gTLD operators allowing domains to be registered by fraudsters, and others failing to enforce their own safeguarding policies effectively, it is clear that more could be done to make new gTLDs safer; but fraud prevention and policy enforcement often consumes time and money. The availability of both of these resources is largely dependent on how much revenue the gTLD operator makes, and so the operator's effectiveness at wiping out fraud could, bizarrely, also serve as a metric for success.

So, are they a success?

In conclusion, most new gTLDs appear to have been successful in some way or another, whether that be measured in registration volumes or revenue. Many of the new gTLDs that have low registration volumes are operated by companies who also operate several other gTLDs, so even if they were to make a loss on one, it would likely be offset by their more successful gTLDs. One thing that can be said for certain is that the new gTLD program has succeeded in its goal of giving registrants a much wider choice of domain names, whilst resulting in millions of dollars being exchanged between ICANN, the operating registries, and domain registrars.

However, there are indications of a slowdown in applications for new gTLDs: ICANN's Draft FY18 Operating Plan and Budget forecasts that its revenue from new gTLD applicant fees in FY2017 will be only $21 million, compared with $27 million (actual) the previous year, and $71 million the year before that. While this projection is unlikely to affect the revenue being made by the operators of existing new gTLDs, it suggests that the hundreds of new gTLDs in operation today may already provide more than enough choice for most consumers.

Netcraft services for new gTLD operators

New gTLD operators can confidently protect their top-level domains against phishing and malware with Netcraft's suite of services for domain registries. Taking a proactive stance against these attacks is vital, as it demonstrates to fraudsters that they are unwelcome, and thus ensures that the reputation of the new gTLD is not tarnished.

Let’s Encrypt and Comodo issue thousands of certificates for phishing

Update: This article was published in April 2017. Up-to-date statistics on TLS certificates used for phishing can be found at Netcraft's Phishiest Certificate Authorities page.

Certificate Authorities are still issuing tens of thousands of certificates for domain names obviously intended for use in phishing and fraud. Fraudsters are mostly using just two CAs — Let's Encrypt and Comodo domain-validated certificates accounted for 96% of phishing sites with a valid TLS certificate found in the first quarter of 2017.

Netcraft has blocked phishing attacks on more than 47,500 sites with a valid TLS certificate between 1st January and 31st March 2017. On 19,700 of these, Netcraft blocked the whole site rather than a specific subdirectory. 61% of the sites that were entirely blocked were using certificates issued by Let's Encrypt, and 36% by Comodo.

While some CAs, browser vendors, and commentators have argued that fraud prevention is not and should not be the role of certificate authorities, the scale of foreseeable misuse that can be combated automatically warrants further consideration of this policy. Without change, issuance of certificates for sites such as and that are obviously intended for misuse will continue unabated.

Certificates issued by publicly-trusted CAs that have been used on phishing sites

Certificates issued by publicly-trusted CAs that have been used on phishing sites. An interactive, updating version of this graph can be found on Netcraft's Phishiest Certificate Authorities page.

Mozilla Firefox's telemetry reports that approximately 55% of all page loads are over HTTPS. The movement to a secure web is crucial to defend against the risks posed by unencrypted traffic, and easy access to trusted certificates is a key factor in the recent growth. However, this easy access also offers opportunities for fraudsters to capitalise on the perception of HTTPS as trustworthy as demonstrated by the number of certificates issued for clearly deceptive domain names.

Looking at a small sample of these blocked phishing sites with valid TLS certificates that have high Deceptive Domain Scores:

Hostname Certificate Authority Target Deceptive Domain Score Let's Encrypt Apple
9.25 Let's Encrypt PayPal
9.13 Symantec Airbnb
8.99 Comodo Chase
10.00 GoDaddy PayPal
9.13 GlobalSign Apple
9.30 Let's Encrypt American Express
7.99 Comodo Dropbox
9.70 Let's Encrypt Wells Fargo
10.00 Comodo Bank of America
9.40 Let's Encrypt La Banque Postale
7.10 Let's Encrypt USAA

In each of these examples above — and in the other statistics referenced above — the certificate authority had sight of the whole hostname that was blocked. These examples did not rely on wildcard certificates to carry out their deception. In particular, some of these examples (such as demonstrate that the certificate authority was better placed to prevent misuse than the domain registrar (who would have seen upon registration).

Let's Encrypt and Comodo are attractive to fraudsters as both offer automated, domain-validated certificates at no cost to end users. Let's Encrypt's ACME protocol allows for free automated issuance, while Comodo offers no-cost certificates via its trial certificates, cPanel AutoSSL, and its Cloudflare partnership.

While Let's Encrypt's policy on phishing and malware is to check the Safe Browsing API, this does not provide effective pre-issuance blocking. It does not match the reality of automated certificate deployment, where the certificate is likely to be issued and installed before the phishing content has been uploaded, detected, and blocked. Let's Encrypt also has a limited list of domain names for which they block issuance which has triggered forum posts by users unable to obtain a certificate for the blocked name. All of the Let's Encrypt certificates that Netcraft found on phishing sites were issued despite the Safe Browsing check and the additional name-based blocking.

Phishing site on

Phishing site on (Deceptive Domain Score is 9.46).

The use of TLS by these phishing sites is particularly dangerous, as websites that use TLS are marketed as being trustworthy and operated by legitimate organisations. Consumers have been trained to look for padlocks, security indicators, and https:// in the address bar in their browser before submitting sensitive information, such as passwords and credit card numbers, to websites.

However, a displayed padlock or "Secure" indicator alone does not imply that a site using TLS can be trusted, or is operated by a legitimate organisation. The distinction between the connection being "Secure" and the safety of providing sensitive information to the HTTPS site may be challenging to interpret for those unfamiliar with the technical underpinnings of TLS.

"Secure" vs. "Private" in Google Chrome

"Secure" vs. "Private" in Google Chrome.

Demonstrating the difficulty of explaining this technical distinction, Google Chrome indicates that an HTTPS connection is using a valid TLS certificate by displaying the word "Secure" in the address bar. While the word "secure" refers to the encrypted connection's protection against eavesdroppers, this is explained in the drop-down with the word "private". The distinction between these two words is subtle, yet potentially significant for user understanding. However, it is important to note that Google has been at the forefront of research into how security indicators are perceived by internet users at large.

Mozilla Firefox's warning when selecting a password form field on a non-secure HTTP site

Mozilla Firefox's warning when selecting a password form field on a non-secure HTTP site.

Both Google Chrome and Mozilla Firefox have made recent changes to the display of password input forms on non-TLS sites — non-secure forms now trigger in-context warnings. These warnings are likely to increase the prevalence of TLS on phishing sites, with fraudsters deploying TLS to both gain the positive "Secure" indicator, and now to avoid negative indicators when collecting passwords.

Deceptive Domain Score service

Netcraft's Deceptive Domain Score service provides an automated mechanism for evaluating whether a given hostname or domain name is likely to be used to fraudulently impersonate an organisation. Crucially, this can be evaluated before issuing a certificate. Of these 19,700 hostnames with valid TLS certificates where Netcraft blocked the entire site, 72.5% scored more than 5.0 and 49% more than 7.0 (on a scale from 0.0 to 10.0).

Distribution of Deceptive Domain Score across blocked phishing sites with valid TLS certificates

Distribution of Deceptive Domain Score across blocked phishing sites with valid TLS certificates.

For comparison, a random sample of 10,000 hostnames taken from domain-validated certificates issued in February 2017 as found in Netcraft's April 2017 SSL survey, had an average score of 0.72, with 7% having a score over 5.0, and 4.4% a score over 7.0.

More information on Netcraft's Deceptive Domain Score service can be found on Netcraft's website.