Major update to Netcraft Anti-Phishing Extension for Firefox

An update to the Netcraft Anti-Phishing Extension for Mozilla Firefox is now available. This release replaces the Toolbar interface with a modern Button interface to sit alongside the browser's address bar.


The upcoming Firefox 57 — to be released on the 14th November — represents a major overhaul of the browser, and removes support for legacy XUL extensions. Future versions of Firefox will only support the new cross-browser WebExtensions API.

The Netcraft Anti-Phishing Extension (known then as the Netcraft Toolbar) was first made available for Internet Explorer in December 2004. A Firefox version followed in May 2005. The current button-style Anti-Phishing Extension was released for Google Chrome and the Opera browser in 2012 and 2013 respectively. The new extension enjoys a 4.5 star rating on the Google Chrome Store.

The Extension runs on any operating system supported by the desktop version of Mozilla Firefox and displays the hosting location, country, longevity, popularity, and an abstracted risk rating for each site visited. In particular its key features are:

  • Protection against phishing sites — The Netcraft anti-phishing community is effectively a giant neighbourhood watch scheme, empowering the most alert and most expert members to defend everyone within the community. As soon as the first recipients of a phishing mail report it, we can block it for all users of the extension providing an additional level of protection from Phishing. Netcraft processes reports of fraudulent URLs from a diverse variety of sources and proactively searches for new fraudulent sites.
  • Detailed site reports — simply click the Netcraft logo to access a wealth of information about the sites you visit, helping you to make informed choices about their safety.
  • Risk Ratings — we evaluate the characteristics of the site compared against those depicted by fraudulent sites. The result is a simple visual summary displayed on the site report.
  • Conveniently report suspected phishing & fraudulent sites — At the click of the button you can report suspected web forgeries to Netcraft, helping to protect the community. Netcraft operates an incentive scheme for Phishing site submissions, including iPads, backpacks, mugs, and more... Over 38.4 million phishing sites have been detected and blocked by Netcraft since the anti-phishing service was launched (November 2017).
  • Protection against cross site scripting (XSS) — The extension optionally traps XSS and other suspicious URLs which contain characters highly likely to deceive.

The Extension is available for download from the Firefox add-ons page and requires no special administrator privileges to install. Users of the existing Netcraft Anti-Phishing Toolbar will be upgraded automatically to the latest version.

Versions of the Extension are available for other browsers on the Google Chrome Store and Opera add-ons page.

Customised versions with corporate branding and navigation are also available.

Web Shells: The Criminal’s Control Panel

Web shells are an overlooked aspect of cyber crime and do not attract the level of attention of either phishing or malware. Nevertheless, Netcraft found more than 6,000 web shells during April 2017, which works out at around 1 new shell installation every 5 minutes. When web shells first appeared, the limit of their functionality was to transfer files and execute arbitrary shell commands. However, the best engineered web shells now provide well presented, sophisticated toolkits for diverse crimes, with facilities for password cracking, privilege elevation, network reconnaissance, phishing, spamming and DDoS, not solely available through a web based user interface but also accepting commands as part of a botnet.

An example of the WSO shell

An example of the hugely popular and feature-rich WSO (Web Shell by Orb) shell.

A number of shells offer the creation of a botnet in as little as a click, launching standalone processes that either connect to a command and control server or listen for commands over an insecure TCP connection. Some allow performing port scans to find potentially exploitable services. Others enable fraudsters to schedule denial of service attacks. There are shells dedicated to sending bulk spam emails, testing stolen credentials against popular websites (such as PayPal or Amazon), cracking passwords, and automatically defacing websites. With such a wide array of powerful features, it is unsurprising how popular web shells are with cyber criminals.

The WSO shell offers both bind shell and back connect options. Selecting one of these options will launch a standalone process that will connect to or listen for a connection from a remote command and control server - an easy method for the creation of a botnet.

WSO offers both bind shell and back connect options. Selecting one of these options will launch a standalone process that will connect to or listen for a connection from a remote command and control server - an easy method for the creation of a botnet.

The prevalence of these backdoors allows easy—and potentially persistent—access to thousands of compromised machines. If the web shell is missed during the webmaster's cleanup after an attack, removing the original phishing or malware content will be in vain, as the fraudster can use the web shell to upload new malicious material, or re-purpose the machine as an accessory to alternative forms of cyber crime.

Continue reading

I went to London and saw the Queen

Pussycat, Pussycat, where have you been? I've been to London and saw the Queen.

Yesterday, I went to the opening of the National Cyber Security Centre by Her Majesty the Queen and HRH the Duke of Edinburgh. This was a more exclusive event than I had expected, and guests outside the NCSC were royalty, ministers, senior civil servants & people running NCSC partner companies.

The NCSC showed our countermeasures system to disrupt malware, phishing and advance fee fraud to guests, though I don't know whether the Queen saw it, as she & Prince Philip had a private viewing of the demonstrations.

I was introduced to the Queen and HRH Duke of Edinburgh, which I hadn't anticipated, and there's a picture from the Royal Family's twitter feed of me telling the Queen (sadly out of the picture to the left) and the Duke of Edinburgh what we do & how it works. I sensed that they liked the notion of counterattacking and disrupting attacks as opposed to passively blocking them. And, although our business is spread all around the world, it felt good to be contributing to something that makes the UK a safer and better place.

HRH the Duke of Edinburgh asks how it works

HRH the Duke of Edinburgh asks how it works

I must say how impressive the Queen and the Duke of Edinburgh are and how good they were with people at the event. At 90 & 95 respectively, few, if any people can have had more experiences and in a world where some of the most powerful elected politicians seem completely frazzled, how urbane & reasonable our monarch appears by contrast.

Counting SSL certificates

The SSL/TLS protocol — used to protect sensitive communication across the internet — combines encryption with authentication, providing a private connection to the intended recipient. To achieve this, SSL certificates bind together a cryptographic key and a domain name, and are digitally-signed by a trusted certificate authority (CA). Commercial CAs compete to sell certificates to the general public and account for the bulk of the SSL certificates seen on the internet.

Netcraft's SSL Server Survey has been running since 1996 and has tracked the evolution of this marketplace from its inception — there are now more than one thousand times more certificates on the web now than in 1996. As CAs issue certificates, and most charge (or not charge) accordingly, the number of certificates issued becomes the natural unit of measurement. Our survey therefore counts valid, trusted SSL certificates used on public-facing web servers, counting each certificate once, even if used on multiple websites.


Two types of certificates make the distinction between counting sites and certificates most apparent: multi-domain certificates and wildcard certificates. These two types now account for almost a quarter of all certificates found.

  • Multi-domain certificates (or UCC certificates) use the Subject Alternative Name extension to specify additional hostnames for which this certificate is valid — CloudFlare uses this technique heavily, having dozens of unrelated sites share the same certificate.
  • Wildcard certificates are valid for all possible subdomains of a domain, for example * would be valid for,,, etc. Our methodology counts a wildcard certificate once, no matter the number of sites for which it is valid.

Netcraft also counts certificates used by subdomains. For example, if, and are all using different SSL certificates, Netcraft will count all three certificates that have been issued.

Although the global SSL ecosystem is competitive, it is dominated by a handful of major CAs — three certificate authorities (Symantec, Comodo and GoDaddy) account for three-quarters of all issued SSL certificates on public-facing web servers. The top spot has been held by Symantec (or VeriSign before it was purchased by Symantec) ever since the survey began, with it currently accounting for just under a third of all certificates. To illustrate the effect of differing methodologies, amongst the million busiest sites Symantec issued 44% of the valid, trusted certificates in use — significantly more than its overall market share.

However, nothing ever stays still forever — Let's Encrypt could shake up the market for SSL certificates later on this year by offering free certificates with a simplified installation process. Whilst free certificates and automated tools are nothing new, the open approach and the backing of Mozilla, IdenTrust, the EFF, and Akamai could change the SSL ecosystem forever.

Beyond counting certificate numbers, Netcraft's SSL Survey also tracks the list and reseller prices of the most popular certificate authorities. This provides another useful market share metric, as it allows us to estimate the total monthly and annual revenue of each certificate authority attributable to public SSL issuance.

As each type of certificate — multi-domain, wildcard, or Extended Validation for example — is available at a distinct price point, the estimated revenue of a CA can vary significantly, despite initially appearing similarly sized by the total number of certificates. For example, GlobalSign comes in third-place when considering its estimated annual revenue (by list price) in 2014, despite accounting for approximately 6% of all currently valid publicly-visible SSL certificates.

For additional information or details on how to purchase Netcraft’s SSL Server Survey please contact us at or visit our web site.

Netcraft releases Heartbleed indicator for Chrome, Firefox, and Opera

The Netcraft Extension: Heartbleed and phishing protection rolled into one

The Heartbleed bug affected around 17% of all trusted SSL web servers when it was announced a week ago. The critical vulnerability in the OpenSSL cryptographic library has the potential to allow attackers to retrieve private keys and ultimately decrypt a server's encrypted traffic or even impersonate the server. This is not a theoretical problem: practical attacks have actually succeeded in stealing private keys, yet despite the potential dangers, many of the affected sites have yet to take remedial action.

Even if heartbeat support has been disabled, or OpenSSL upgraded to the latest version, a website that was previously vulnerable to Heartbleed is not necessarily secure today. If the vulnerability had been exploited prior to the upgrade, the certificate's private key could have been compromised. If the certificate has not yet been replaced and the old one revoked, an attacker could impersonate the site and carry out man-in-the-middle attacks against the site's visitors.

Netcraft's updated extensions for Chrome, Firefox and Opera now allow you to see whether the sites you visit are still using potentially compromised certificates. The extensions use data from Netcraft's SSL Survey to determine whether a site offered the heartbeat TLS Extension prior to the Heartbleed disclosure. If this is the case, the extension will also check to see if the site's SSL certificate has been replaced; if it has not, then the site is considered to be unsafe, as the certificate's private key could have been compromised. Even if the certificate has been replaced, it does not guarantee that the site cannot still be impersonated with a copy of the old certificate unless the old certificate has been revoked – and even then, the revocation checking done by browsers is not infallible.

Go here to download the Netcraft Extension for Chrome, Firefox or Opera.

Heartbleed indicator in the Netcraft Google Chrome and Opera Extensions

The extension will indicate when a site is potentially unsafe by displaying a bleeding heart icon. Additionally, in the Google Chrome and Opera versions of the Extension, a warning triangle will be displayed on top of the Netcraft icon.

Heartbleed indicator in the Netcraft Firefox Extension

As well as indicating which sites are using a certificate potentially compromised using Heartbleed, the Netcraft Extension also helps protect you from phishing attacks, displays the hosting location and risk rating of every site you visit, and lets you help to defend the internet community against fraudsters.

Netcraft's site report pages can also be used to determine whether a website might still be affected by the fallout from the Heartbleed bug. For example, our site report for shows that it no longer supports the TLS heartbeat extension and is using a new certificate.

In contrast, the site report for currently shows that the server previously supported TLS heartbeat and the SSL certificate has not been replaced. Even though TLS heartbeat is now disabled, the certificate could still be used to impersonate the site if it had been compromised prior to heartbeat being disabled. Fedex's website is hosted by Akamai, a popular Content Distribution Network, which was potentially vulnerable to Heartbleed. Akamai is in the process of rotating its customers' SSL certificates and stated that "some require extra validation with the certificate authorities and may take longer".

Heartbleed indicator in the Netcraft Site Report

Incentives for Phishing Site Reporters

We incentivise phishing reports from our community of reporters. The current list of prizes is as follows:

Prize When
Netcraft USB Flash Drive after 100 validated phishing reports
Netcraft Mug after 250
Netcraft Polo Shirt after 500
Targus Laptop Backpack after 1,000
iPad after 5,000

On reaching 5,000 validated reports you become eligible for a monthly competition to incentivise large reporters.

To report phishing sites to us, please use the form at, or forward any phishing URLs or emails you receive to

The Netcraft Extension, which is available for Firefox, Google Chrome™ and Opera, serves as a giant neighbourhood watch scheme for the Internet. Members who encounter a phishing site can act to defend the larger community of users against the attack. Once the first recipients of a phishing mail have reported the attack URL, it is blocked for community members as they subsequently access the URL. Widely disseminated attacks simply mean that the phishing attack will be reported and blocked sooner.

Anti-Phishing Chrome Extension Netcraft Toolbar for Firefox Netcraft Toolbar for Opera