Apache has been the most common web server on the internet since April 1996, and is currently used by 38% of all websites. Most nefarious activity takes place on compromised servers, but just how many of these Apache servers are actually vulnerable?
The latest major release of the 2.4 stable branch is Apache 2.4.7, which was released in November 2013. However, very few websites claim to be using the stable branch of 2.4 releases, despite Apache encouraging users to upgrade from 2.2 and earlier versions.
Less than 1% of all Apache-powered websites feature an Apache/2.4.x server header, although amongst the top million websites, more than twice as many sites claim to be using Apache 2.4.x. Some of the busiest websites using the latest version of Apache (2.4.7) are associated with the Apache Software Foundation and run on the FreeBSD operating system, including httpd.apache.org, www.openoffice.org, wiki.apache.org, tomcat.apache.org and mail-archives.apache.org.
The most recent security vulnerabilities affecting Apache were addressed in version 2.4.5, which included fixes for the vulnerabilities described in CVE-2013-1896 and CVE-2013-2249. Depending which Apache modules are installed, and how they are used, earlier versions may be vulnerable to unauthorised disclosure of information and disruption of service. The previous release in the 2.4 branch (2.4.4), also addressed several cross-site scripting (XSS) vulnerabilities in various modules; such vulnerabilities can severely compromise a web application by facilitating remote session hijacking and the theft of user credentials. Nonetheless, millions of websites still appear to be using vulnerable versions of Apache, including versions which are no longer supported.
Top 15 versions of Apache in February 2014, where the full version string is announced in the Server HTTP response header.
Note that no versions of the Apache 2.4 branch appear within the top 15.
Apache 1.3.41 and 2.0.63 are both end-of-lined.
The Apache 2.0 branch was retired in July 2013 with the conclusive release of Apache 2.0.65. This release addressed a few security vulnerabilities, but no subsequent vulnerabilities will be addressed by official patches or subsequent releases in the 2.0 branch. Anyone still using this branch of releases should strongly consider updating to the latest version in the stable 2.4 or legacy 2.2 branches.
Nevertheless, 6.5 million websites claim to be using the end of life 2.0 branch of Apache, with the most common versions being 2.0.63 and 2.0.52. Only 12k sites are running the conclusive release of this branch (2.0.65). However, it is worth noting that just over half of all Apache-powered websites hide their version numbers, so it is not always possible to accurately determine which version is installed without carrying out additional tests. Hiding software version numbers is usually a deliberate act by a server administrator – Apache 2.4.7 will reveal its full version number by default when installed on Arch Linux, and installing the apache2 package on the latest version of Ubuntu Linux will also reveal "Apache 2.4.6 (Ubuntu)" as the default Server banner.
Due to hidden version numbers, the number of sites openly reporting to be running Apache 2.4.x could be regarded as a lower bound, but conversely, exhibiting a vulnerable version number does not necessarily mean that a server can be exploited by a remote attacker.
For example, the Red Hat Linux operating system uses a backporting approach to applying security fixes, which means that a vulnerability in Apache 2.2.3 can be patched without affecting the apparent version number of the software. From an external point of view, the server will still appear to be running Apache 2.2.3, but it might not be vulnerable to any security problems that would affect a fresh installation of Apache 2.2.3.
Red Hat 5 and 6 use Apache 2.2.3 and 2.2.15 respectively, which explains why these seemingly old versions remain so prominent today (2.2.3 was originally release in July 2006). Both are still supported by Red Hat, and providing the necessary backported patches have been applied, Red Hat Apache servers which exhibit these version numbers can be just as secure as the latest release of Apache. However, because the version numbers correspond to Apache versions which were released several years ago, it is not unusual for Red Hat powered websites to attract unfair criticism for appearing to run insecure versions of Apache.
Certain Apache vulnerabilities can also be eliminated by removing or simply not using the affected modules – a configuration which is also difficult to ascertain remotely. However, exhibiting an apparently-vulnerable version number can still have its downsides, even if there are no vulnerabilities to exploit – as well as attracting unwarranted criticism from observers who falsely believe that the server is insecure, it could also attract undesirable scrutiny from hackers who might stumble upon different vulnerabilities instead. These are both common reasons why server administrators sometimes opt to hide version information from a web server's headers. Sites which do this include wikipedia.org, www.bbc.co.uk, www.nytimes.com and www.paypal.com, all of which claim to be running Apache, but do not directly reveal which version.
A further 6.0 million websites are still using Apache 1.3.x, even though the final version in this branch was released four years ago. The release of Apache 1.3.42 in February 2010 marked the end of life for the 1.3 branch, although 2.4 million sites are still using the previous version, (1.3.41), which contains a denial of service and remote code execution vulnerability in in its mod_proxy module.
The busiest site still using Apache 1.3 is Weather Underground, which uses Apache 1.3.42. This currently has a Netcraft site rank of 177, which makes it even more popular than the busiest Apache 2.0.x website. It is served from a device which exhibits the characteristics of a Citrix NetScaler application delivery controller. Weather Underground also uses Apache 1.3.42 for the mobile version of its site at m.wund.com.
Amongst the million busiest websites, Linux is by far the most common operating system used to run Apache web server software. With near-ubiquitous support for PHP, such platforms make tempting targets for fraudsters. Most of the phishing sites analysed by Netcraft rely on PHP to process the content of web forms and send emails.
The Audited by Netcraft service provides a means of regularly testing internet infrastructure for similarly vulnerable web server software, faulty configurations, weak encryption and other issues which would fail to meet the PCI DSS standard. Netcraft's heuristic fingerprinting techniques can often use the behaviour of a web server to identify which version of Apache is installed, even if the server does not directly state which version is being used. These automated scans can be run as frequently as every day, and can be augmented by Netcraft's Web Application Security Testing service, which provides a much deeper manual analysis of a web application by an experienced security professional.
At the start of the first US Government shutdown since 1996, an SSL certificate used on barackobama.com has expired. Issued by Go Daddy in September 2012, the SSL certificate for *.barackobama.com and barackobama.com was used by Organizing for Action, a non-profit grassroots organisation aligned with Obama's political policies. Whilst not directly associated with the US Government, the expiry of the SSL certificate for barackobama.com during a US Government shutdown is nonetheless a curious coincidence.
Warning in Google Chrome when visiting a website using the SSL certificate for *.barackobama.com.
Several SSL certificates controlled by the US Government expired today and are still being used — for example, the SSL certificates used on both ui.tn.gov and webmail.coop-uspto.gov have expired and may not be replaced any time soon. Furthermore, there are at least 30 US Government sites still using SSL certificates that are scheduled to expire before Friday.
|Metric||Sep 2012||Mar 2013||Jun 2013||Jul 2013||Aug 2013||Sep 2013|
TLD share by domains of websites at Aliyun in September 2013
- 从海外访问中国境内的网站有时不够顺畅 - 从英国发送到阿里云官方网站的数据包往返几乎要耗时半秒钟，而从美国访问的效果也没有好很多。在过去20天，有多达4%的来自荷兰的访问请求都以失败告终。
- 很多中国主机服务提供商只支持中文。以阿里云为例，无论是官方网站、控制面板还是技术支持，中文都是其唯一的语言。不过，亚马逊云对中文的支持也几乎一样有限 - 只有首页有中文版。
Performance of www.aliyun.com from a Netcraft performance collector located in the Netherlands
China, the world's largest trading nation in 2012, has long been a desirable location for outsourcing labour and services, even within the technology and IT sector where it is not far behind India. The growth of cloud computing providers in Europe and the United States — particularly Amazon and DigitalOcean — may foretell cloud computing infrastructure becoming a commodity and outsourced to the cheapest provider.
The ever-increasing number of internet users in China (591 million at the end of June 2013) requires the development of home-grown internet infrastructure: hosting web applications and other content within a target user's own country typically speeds up requests and improves reliability. The number of internet users in China is greater than either the United States or Europe.
Stratospheric growth in Chinese cloud hosting
Although the number of web-facing computers in China has grown by 8.3% over the last year — the majority of this growth has occurred within the cloud hosting market. Aliyun (云, pronounced 'yun', is the Chinese word for cloud) is the largest cloud computing provider in China in terms of the number of web-facing computers, and remarkably, Aliyun now has six times more web-facing computers than it did a year ago, reaching a total of 17,934 in September 2013. Worldwide, only the cloud computing giant Amazon gained a greater number of web-facing computers.
Although China's cloud computing infrastructure is still in its infancy, Aliyun's future looks particularly promising, as it is owned by the Alibaba Group. This group is the largest hosting provider in China, features within the top 30 hosting providers worldwide, and has already established a strong internet presence with its better known e-commerce platforms, Taobao and Alibaba.com. Aliyun now makes up almost 92% of the web-facing computers at Alibaba Group.
|Metric||Sep 2012||Mar 2013||Jun 2013||Jul 2013||Aug 2013||Sep 2013|
Indigenous market and the Great Firewall of China
Despite the strong growth of the Chinese cloud hosting market, most of the growth seen by Netcraft is hosting sites aimed at the Chinese market. Hosting content as close to the end-users as possible increases the performance of the web site, and this effect is particularly prominent in China: internet traffic crossing the border can sometimes appear to be slow, unstable, or even blocked, perhaps as a side-effect of blocks enforced by the Golden Shield Project (also known as the Great Firewall of China). In September 2013, more than half of the domains of websites hosted at Aliyun were in the .cn TLD, around 41% in .com, whilst domains in other ccTLDs appeared to be very rare. Unlike Amazon's global reach, Aliyun's reach appears to be limited to the local market — at least for the time being.
TLD share by domains of websites at Aliyun in September 2013
Obstacles holding back the Chinese cloud
Using cloud hosting in China could make sense for non-Chinese companies looking to increase their presence in China; however, a number of obstacles remain. These explain why the Chinese cloud is still mostly indigenous, and is likely to remain so for some time:
- Neither the pricing models nor the variety or operating systems are as attractive as those offered by the cheapest non-Chinese cloud hosting companies. Taking Aliyun as an example, its on-demand instances do not support Windows operating systems unless you opt for a 2-core or 4-core CPU, and they are not significantly cheaper than its more established competitors. The cheapest on-demand option at Aliyun is ¥0.27 ($0.04) per hour which buys you a single core, 512MB of RAM, and a 1Mbps internet connection. This is almost twice the price of Amazon's cheapest option and a comparable DigitalOcean instance can be had for just $0.007 per hour. However, as pricing models vary, reserved instances at Aliyun can be cheaper in some circumstances.
- Internet connectivity from outside China can be patchy — packets sent to www.aliyun.com from the United Kingdom take almost half a second to make the journey and back again, and the performance in the United States is not much better. More than 4% of requests to www.aliyun.com from the Netherlands failed during the past 20 days.
- Many Chinese hosting services are only available in the Chinese language. This is the only language available for Aliyun's brochure website, control panel, and technical support. However, Amazon's support for the Chinese language is almost as limited — a single marketing site appears to be the sole Chinese-language site for AWS.
- Some Chinese hosting companies only accept business from Chinese customers. For example, Aliyun's customers are required to have a Chinese mobile phone number in order to receive a verification code to complete the signup process. Customers wishing to buy an on-demand instance at Aliyun must go through an identity verification process, which requires the registrant to be a national of China or one of a few other Asia-Pacific countries, or to represent a Chinese company. Customers must also hold a credit or debit card issued by a Chinese bank compatible with Alipay. Customers must also register with the Chinese Ministry of Industry and Information Technology if they wish to associate a domain name with an Aliyun cloud server, but such registration is currently unavailable to foreign enterprises.
Performance of www.aliyun.com from a Netcraft performance collector located in the Netherlands
The current obstacles suggest that the cloud is unlikely to be outsourced to China yet. However, the availability of cloud computers in China is likely to increase to match its rapidly increasing local demand with competition both from local providers like Aliyun and overseas players like Microsoft and Amazon. Microsoft has collaborated with a partner company in China, 21Vianet, in order to bring its Cloud to China, and is making competitive price plans customised for the Chinese market. Perhaps by following this model, other non-Chinese companies such as Amazon could enter the Chinese market, providing local data centres and support to Chinese-speaking customers within the stricter regulatory environment. Equally, if some red tape were cut and network connectivity improved, Aliyun and other Chinese cloud providers could be poised to take a larger share of the global cloud computing market.
Netcraft provides information on the internet's infrastructure, including the hosting industry and web content technologies. For information on the cloud computing industry, please see http://www.netcraft.com/internet-data-mining/.
Netcraft blocked a Twitter phishing site being served from multiple Facebook Applications on 6th June. Visitors to the Facebook applications were requested to enter their Twitter credentials in order to view a "Twitter Video" application. On submission of the fake Twitter login form, the user is redirected to YouTube.
Links to the phishing attack were spread via both public tweets and direct messages. A Twitter direct message can only be sent to and from users who are following each other which lends credence to the message and the link it contains. The message entices the recipient to visit the fraudulent Facebook application: "I'm turning off my page if no one comes farward [sic] regarding this. https://apps.facebook.com/165922313586222".
Facebook — a trusted website which is served over HTTPS — is a useful medium for a fraudster; a Facebook user may be accustomed to seeing legitimate third-party authorisation forms on the social network making a fake login form all the more convincing. Netcraft has also observed similar attacks targeting Facebook itself which are being spread via Facebook statuses.
Twitter phishing via Facebook Apps and Twitter direct messages
Facebook Apps are not hosted on Facebook servers, instead they are hosted by a third party provider. The Facebook Apps involved in this phishing attack were hosted on Heroku and included on facebook.com via an iframe. In September 2011 Facebook partnered with Heroku, simplifying the process of setting up a new Heroku hosting account and Facebook App down to a few clicks. Heroku provides free accounts which are attractive for fraudsters wishing to host phishing attacks on Facebook.
The Facebook App at Heroku has a further iframe showing the actual fake login form, which is hosted at another hosting provider Joe's Datacenter. Both Facebook and the Facebook App hosted at Heroku are served using HTTPS but the final iframe is not, causing some browsers to display an insecure content warning.
Structure of the phishing attack: the fake twitter login form is included in an iframe within the Heroku-hosted Facebook App. The Facebook App is then included on facebook.com within another iframe.
Internet Explorer 9+ blocks HTTP iframes on HTTPS pages by default as it considers them as Mixed Active Content. Firefox currently hides the padlock when viewing mixed content, but does not block it. Firefox 23, due for release later this month, will automatically block iframes when it introduces Mixed Active Content blocking. In Google Chrome, iframes are currently considered passive rather than active, so the padlock icon displays a warning but the content is not blocked. Chrome 29 will switch to treating iframes as Mixed Active Content and block them by default.
Mixed Active Content Blocking in IE10, Pre-release Firefox Nightly, Pre-release Chromium
On 6th June, Netcraft observed the following events (times are GMT). Netcraft had access to both a compromised Twitter account and a second Twitter account which was targeted by the first.
- A Twitter direct message with a link to the phishing attack is received from the compromised account. Netcraft blocks the phishing attack in its Phishing Feed.
- Twitter resets the password on the compromised account: "Twitter believes that your account may have been compromised by a website or service not associated with Twitter. We've reset your password to prevent others from accessing your account". The direct message containing the link to the phishing attack is removed. This is the same email that Twitter sent to 250,000 users in February when it discovered an attack which may have accessed user information.
- Facebook removes the phishing applications Netcraft discovered, but the content is still accessible directly.
Social network credentials are particularly appealing to fraudsters as they have a built-in method to spread the attack without further involvement from the fraudster. Some features, such as attached third-party applications, can make a compromised account even more valuable to a fraudster. Authentication forms of the type imitated in this attack are common and train users to expect to see social media login forms triggered from websites other than that of the social network itself. Despite this attack asking for Twitter credentials within a Facebook App, the fraudster was still able to gather twitter account credentials and use them to further spread the attack using twitter direct messages and tweets.
You can protect yourself against phishing attacks by installing Netcraft's Anti-Phishing Extension. You can help protect the internet community by reporting potential phishing sites to Netcraft by email to email@example.com or at https://report.netcraft.com. Netcraft can also help protect both brand owners and hosting companies.
The Malaysian government's Police Portal (Johor Contingent) is currently hosting a phishing attack against PayPal on its secure website https://www.polisjohor.gov.my (Site Report). Phishing sites using SSL certificates can piggyback on the trust instilled by browser indicators, such as the padlock icon, to trick potential victims into revealing sensitive information such as their username and password. The SSL certificate used for this phishing attack is irrevocable in some major browsers including Firefox (due to the lack of an OCSP URL in the certificate) and Safari (which doesn't check revocation by default).
A phishing site targeting PayPal hosted on the Malaysian Police's web site which is available over HTTPS.
Fraudsters often use a compromised third party website to host their phishing attack rather than obtaining web hosting directly. By compromising an existing trusted website the fraudster can avoid paying for a potentially suspicious domain name or SSL certificate himself. For example, registering or obtaining an SSL certificate for paypaal.com could draw unwanted attention if the registrar or SSL certificate authority is already conscious of the risk posed by this type of domain name.
The presence of an SSL certificate on a website hosting a phishing site is far from unusual. In May 2013, Netcraft identified 234 trusted SSL certificates on websites with at least one known phishing site. Of these, 67 were issued by Symantec (including the polisjohor.gov.my certificate) which may not be surprising given its leading position in the SSL certificate market. Comodo and Go Daddy had a similar number of such certificates discovered by Netcraft, 42 and 46 respectively. Extended Validation (EV) certificates could be especially valuable to a fraudster as they are designed explicitly to increase the perceived trustworthiness of websites which have passed the validation process by displaying additional indicators such as green bar. During May 2013, Netcraft identified five EV certificates being used on potentially compromised websites: two signed by Symantec and one each signed by Comodo, DigiCert, and Go Daddy.
The SSL certificate for polisjohor.gov.my was issued by GeoTrust (a Symantec brand) back in 2011 and is valid for several more months. If Symantec wished to revoke the certificate to make the site inaccessible over HTTPS it could do so by updating its Certificate Revocation List or by providing on-demand OCSP responses noting its revocation. As examined by Netcraft recently, the current treatment of revocation in many major browsers leaves some room for improvement: this certificate does not contain an OCSP URL so is irrevocable in Firefox. Even if the CA wanted to, it could not directly prevent further use of the certificate in Firefox. Safari users are left unprotected by default as the revocation checking has to be explicitly enabled.
Netcraft offers Phishing alerts to CAs to provide timely alerts to the CA about potential misuse of a certificate. Having access to timely, professionally validated alerts when phishing attacks occur can allow the CA to provide the first alert of a compromise to the webmaster. Both the CA and the webmaster are then able to respond appropriately to the potential compromise, safeguarding the reputation of both parties.