Fraudsters use paypal-office.com OV certificate for phishing

In June 2015, Trustwave issued an organisation-validated certificate for paypal-office.com, myaccount-paypal.com and paypal-sign.com that was used on a PayPal phishing site. The certificate was issued to an individual in India, Asha Shaikh, who may be the fraudster behind the phishing site, or perhaps one of the fraudster's victims. The phishing attack is now offline, but the certificate has yet to be revoked by Trustwave at the time of writing.

Rendered contents of phishing site found on www.paypal-office.com. The error message visible at the top of the page is a giveaway: the geo-location of the visitor's IP address failed, and it reveals the location of the files used to power the phishing site.

Certificate authorities typically sell certificates in three broad categories of assurance: domain-validated certificates simply validate control over a domain name; organisation-validated certificates include the identity of the organisation; and Extended Validation certificates increase the level of identity checking done to meet a recognised industry standard.

The difference between DV, OV, and EV certificates is sometimes subtle — many sources of consumer advice do not make the distinction between certificates that provide further identity information and those that only validate domain name ownership. For example, Google Chrome's help page states: "You can tell if a site is real if it has a valid TLS/SSL certificate".

Most certificates with deceptive domain names are domain-validated, though some appear to be organisation-validated. Many of the SSL certificates associated with CloudFlare's "Universal SSL" programme are ostensibly organisation-validated; however, the organisation being validated in this case is CloudFlare itself and not each individual customer.

paypal-office.com certificate

An organisation-validated certificate for paypal-office.com shown in the Windows certificate viewer.

Rather than be processed automatically, as is possible with domain-validated certificates, most higher-assurance certificate requests will be reviewed by a human prior to issuance. This additional level of validation makes it all the more surprising that a request for a certificate containing "paypal" wasn't considered a high risk request, and consequently rejected after being subjected to increased scrutiny.

Trustwave offers a Relying Party warranty with its certificates, covering fraudulent credit card charges made by a Trustwave certificate holder. However, the warranty does not cover other types of fraud, meaning phishing for credentials or fraudulent payments using other payment methods are not covered. As a result, victims of this phishing attack will not be able to claim on this warranty, despite having their PayPal credentials stolen by a fraudster using a Trustwave certificate.

Certificate authorities issue SSL certificates to fraudsters

In just one month, certificate authorities have issued hundreds of SSL certificates for deceptive domain names used in phishing attacks. SSL certificates lend an additional air of authenticity to phishing sites, causing the victims' browsers to display a padlock icon to indicate a secure connection. Despite industry requirements for increased vetting of high-risk requests, many fraudsters slip through the net, obtaining SSL certificates for domain names such as banskfamerica.com (issued by Comodo), ssl-paypai-inc.com (issued by Symantec), and paypwil.com (issued by GoDaddy).

CloudFlare, a content delivery network that provides free "Universal SSL" to its customers, is a hotspot for deceptive certificates, accounting for 40% of SSL certificates used by phishing attacks with deceptive domain names during August 2015. CloudFlare's Universal SSL certificates are provided in partnership with Comodo, and CloudFlare also use GlobalSign certificates for some of its customers. CloudFlare's flexible SSL option also appeals to fraudsters, offering a padlock in victims' browsers without the need for attackers to set up SSL on their web servers.

PayPal phishing site

A screenshot of a PayPal phishing site using a widely trusted SSL certificate valid for www.pay-pal.co.com. The certificate is a CloudFlare Universal SSL certificate issued by Comodo. The certificate has not been revoked; however, the phishing site is no longer available.

Websites that use TLS (the successor to SSL) are marketed as being trustworthy and operated by legitimate organisations. Consumers have been trained to "look for the padlock" in their browser before submitting sensitive information to websites, such as passwords and credit card numbers. While the reality is more nuanced, the data submitted to a phishing site using TLS is protected from eavesdroppers. However, a displayed padlock alone does not imply that a site using TLS can be trusted, or is operated by a legitimate organisation.

NatWest phishing site

A screenshot of a NatWest phishing site using a widely trusted SSL certificate valid for natwestnwolb.co.uk. (nwolb stands for NatWest online banking. The legitimate NatWest online banking service is available at www.nwolb.com.)

Bank of America phishing site

A screenshot of a Bank of America phishing site using a widely trusted SSL certificate valid for banskfamerica.com.

The following table lists some examples of deceptive SSL certificates that have been used to conduct phishing attacks, along with their Domain Registration Risk scores:

Hostname Phishing Target Certificate Authority Assurance Risk Score Revoked
halifaxonline-uk.com Halifax GlobalSign (CloudFlare) OV* 10.0 No
emergencypaypal.net PayPal Comodo (CloudFlare) OV* 9.17 Yes
blockchaín.info (xn--blockchan-n5a.info) Blockchain GlobalSign (CloudFlare) OV* 8.52 No
blockachain.info Blockchain Comodo DV 8.42 No
itunes-security.net Apple iTunes Symantec DV 8.08 No
phypal.com PayPal Symantec DV 6.61 No
btintranert.com BT GoDaddy DV 5.56 Yes

* The certificates that CloudFlare issues to its customers are ostensibly organisation-validated, as they contain CloudFlare's company name and address. However, the customer domains themselves are only domain-validated.

The CA/Browser Forum's Baseline Requirements – a set of rules that publicly-trusted certificate authorities are expected to follow – require that high-risk domain names that may be used for fraud or phishing are subjected to additional verification:

High Risk Certificate Request: A Request that the CA flags for additional scrutiny by reference to internal criteria and databases maintained by the CA, which may include names at higher risk for phishing or other fraudulent usage.
The CA SHALL develop, maintain, and implement documented procedures that identify and require additional verification activity for High Risk Certificate Requests prior to the Certificate’s approval.

Despite this requirement, many major certificate authorities issue SSL certificates for deceptive domains used in phishing attacks. Notable exceptions include DigiCert and Entrust, neither of which issue domain-validated certificates.

A pie chart showing SSL certificates containing a deceptive domain name that were used in phishing attacks during August 2015, split by certificate authority. CloudFlare and non-CloudFlare certificates are shown separately.

Certificate authorities commonly provide SSL certificates at three different levels of assurance:

  • Domain validated (DV)
    Certificate authorities only have to check that the certificate's applicant controls the domain name contained in a DV certificate. These certificates are typically the cheapest option, and can be had for free or be purchased for less than $10. Let's Encrypt is planning to offer free, automatically-issued DV certificates starting later in 2015.
  • Organisation validated (OV)
    In addition to validating the domain name in the certificate, the identity of the person or organisation applying for an OV certificate is also verified by the certificate authority and included in the certificate. Most browsers do not treat OV certificates any differently to DV certificates.
  • Extended validation (EV)
    Like OV certificates, the identity of the organisation applying for an EV certificate is verified by the certificate authority. However, the verification is more stringent. EV certificates also receive different treatment in major web browsers – the address bar is either partially or completely coloured green and the requesting organisation's name and country are displayed next to the padlock. The requirements for EV certificates in Chrome are changing, with many certificate authorities caught out by recent changes to require Certificate Transparency.

The requirement to perform additional verification of high risk certificate requests applies to all levels of assurance. However, DV certificates are often issued completely automatically within minutes, making it easy for fraudsters to obtain DV certificates for deceptive domain names.

Several certificate authorities offer free trial certificates with shorter validity periods. For example, Comodo offers free 90 day certificates, which have been used by a number of SSL phishing attacks. Symantec also offers free 30 day certificates through its GeoTrust brand. The short validity periods are ideal for fraudsters as phishing attacks themselves typically have short lifetimes.

Netcraft's Domain Registration Risk service automatically identifies deceptive domain names constructed using such tricks. The service calculates a risk score between 0 (low risk) and 10 (high risk) for each domain name, which represents the likelihood that the domain name will be used to carry out a phishing attack. Certificate authorities can make use of the service to determine if a domain name is likely to be used for fraudulent purposes before issuing the certificate.

The service can be provided as an API that mimics a Certificate Transparency log server for ease of integration with your existing certificate issuance process. The same API can also be used with Netcraft's certificate compliance checking service, which can identify certificates before they are issued that do not conform with the CA/B Forum's Baseline Requirements or its EV Guidelines.

eBay phishing sites hosted by… eBay

Fraudsters are stealing eBay usernames and passwords using phishing pages hosted on eBay's own infrastructure. One of these pages, targeting German users, is shown below:

An eBay phishing form hosted on eBay's own infrastructure. The form contents are submitted to an external domain in Russia.

An eBay phishing form hosted on eBay's own infrastructure. The form contents are submitted to an external domain in Russia.

The convincing appearance of the spoof login form is bolstered by the fact that it is hosted on a genuine eBay domain, ebaydesc.com. This domain is ordinarily used to host descriptions for eBay listings which are displayed within iframes on eBay listing pages.

In this case, the corresponding eBay listing has already been deleted, although the phishing content within the listing's description can still be viewed by browsing directly to the relevant URL on vi.vipr.ebaydesc.com. Consequently, the attack is still live and capable of stealing credentials from eBay users.

The URL of the credential-stealing script is only momentarily visible in the address bar before the victim is redirected to the genuine eBay site.

The URL of the credential-stealing script is only momentarily visible in the address bar before the victim is redirected to the genuine eBay site.

When a victim enters his username and password into the form, both values are submitted to a PHP script hosted on a server in Russia. After stealing the credentials, this script then redirects the victim to the genuine ebay.de login page, which reports that the username or password was incorrect.

After the victim's credentials are stolen, he is redirected to the real eBay login page. Note that the username field has been automatically populated with the username stolen by the fraudster.

After the victim's credentials are stolen, he is redirected to the real eBay login page. Note that the username field has been automatically populated with the username stolen by the fraudster.

This error message might cause the victim to become suspicious enough to look at the browser's address bar, to check he is on the right website; but it will already be too late at this point – his credentials will have already been stolen, and because his browser will now be showing ebay.de in the address bar, he may not even realise that his credentials have just been sent to a web server in Russia. There is consequently little chance of the victim reacting by changing his password, allowing the fraudster to take full advantage of the stolen credentials at his leisure.

The website involved in collecting the stolen credentials has also been used to host other phishing attacks targeting German-speaking consumers, including sites impersonating PayPal, Apple, and mobile.de.

In an attempt to evade detection by eBay and others, the fraudster has obfuscated the HTML source of his eBay phishing form. This makes it impossible to find such a listing by searching for any of the words that appear in the description, yet the rendered results appear as normal when viewed in a web browser.

The obfuscated HTML source used by the phishing content hosted by eBay.

The obfuscated HTML source used by the phishing content hosted by eBay.

Allowing anyone to insert arbitrary HTML and malicious scripts into a listing's description gives plentiful opportunities to would-be fraudsters, particularly as this weakness has been exploited to carry out similar attacks against eBay users in the past. Last year, Netcraft reported on fraudsters injecting malicious JavaScript into eBay listings to set up man-in-the-middle attacks against car buyers, and similar JavaScript redirection techniques have continued to be exploited throughout 2015.

These phishing methods can be much more successful than traditional phishing attacks (where content is hosted solely on an unrelated domain). The techniques employed in these latest attacks are not permitted under eBay's HTML and JavaScript policy; however, a fraudster intent on stealing passwords is not going to be deterred by words alone.

Thousands short-changed by EV certificates that don’t display correctly in Chrome

Certificate authorities have sold thousands of Extended Validation (EV) certificates that do not display correctly in Google Chrome. Over 10,000 EV certificates (5% of all EV certificates) fail to receive the green EV indicator in the latest desktop version of Google Chrome.

Certificate authorities market EV, and justify its cost, by highlighting the increased trust instilled by the green bar containing the company's name. Without the green EV bar, visitors will struggle to distinguish a $1,000 EV certificate from a $10 domain-validated certificate.

The lack of EV indicator for these certificates reflects Google's policy requiring EV certificates to be delivered with Certificate Transparency information. Up to half of an affected site's visitors may be affected, given Chrome's significant market share. Most CAs have sold this type of flawed EV certificate; however, the extent to which each CA's certificates are affected varies significantly.

chrome-vs-firefox

The Lloyds Bank login page, as viewed in Chrome 44 (above) and Firefox (below). The SSL certificate, issued by Symantec in June 2015, fails to receive the green EV indicator in Chrome.

Advertising

Certificate marketing page advertising the "green bar" indication.

Certificate marketing page advertising the "green bar" indication.

Almost universally, CAs advertise their EV products as (unconditionally) triggering browsers' green bars:

Such advertising underlines one of the primary reasons to purchase an EV certificate over a cheaper option — the green bar that is visible in the address bar.

This additional assurance comes at a price: EV certificates command a significant premium over the cheapest type of certificate. For example, Symantec's EV certificates cost $995 per year, almost $600 more than its cheapest directly advertised option. If you include its other brands, a Symantec DV certificate can be had for $10.95 per year.

Extended Validation

PayPal's EV certificate in Google Chrome

PayPal's EV certificate in Google Chrome. The address bar features a green indicator, and also displays the company name and location (highlighted in red). The presence of valid Certificate Transparency information is indicated (highlighted in blue).

The guidelines for issuing Extended Validation certificates were first published by the CA/Browser Forum in June 2007, motivated by the lack of a well-defined standard for high-assurance identity verification. As well as validating control over the requested domain names, CAs identify the requesting organisation. Major browsers typically display the validated organisation's name in a green box in the address bar. The cheapest type of certificate, domain-validated, does not include this additional information and does not trigger the green box.

Merely issuing a certificate following the EV guidelines is not sufficient for the certificate to trigger the browser's special treatment: the CA's root certificate must be embedded in the browser; the CA must be specifically approved to issue EV certificates; and the certificate must conform to any additional policies set by the browser. Certificate authorities are periodically audited against these requirements, and are required to publish audit statements, though many audited CAs still issue non-compliant certificates.

All major browser vendors are members of the CA/Browser Forum that defines the EV guidelines, and most maintain an independent CA inclusion policy that can be more or less strict than the published minimum requirements. For example, Mozilla, Google, Microsoft, and Apple maintain separate EV policies and CAs must apply to each individually to obtain EV treatment in their browser.

Certificate Transparency

Google has recently added the additional condition that in order to be treated as EV in Chrome, the certificate must be present in a Certificate Transparency log and be bundled with a timestamp (an SCT) signed by the log. This policy for EV certificates is intended to be a trial run for requiring Certificate Transparency for all certificates.

Certificate Transparency is motivated by incidents like DigiNotar, mis-issuance from CNNIC, TURKTRUST, ANSSI, and TrustWave's issuance of a MiTM certificate. By requiring newly issued certificates to be logged in publicly-auditable databases, Google hopes to make it easy to monitor domains for rogue certificates, and to enable regular and post-incident analysis of CA issuance practices.

The signed timestamps (SCTs) can be delivered to the browser in three ways: embedded in the certificate itself, delivered via a stapled OCSP response, or included in a custom TLS extension by the web server. Only the first option is currently practical according to Google as it does not require the certificate holder to update their server software. The second option requires support from the CA in its OCSP responder software, and the client must enable OCSP stapling. Almost three-quarters of all SSL certificates were delivered without a stapled OCSP response in the August 2015 Netcraft SSL Server Survey. The TLS extension, on the other hand, does not require CA support at all, but server-side support is not yet widely available.

Chrome's policy only applies to EV certificates issued after 1st January 2015. At the start of 2015, Google produced a whitelist of existing EV certificates: certificates were included if they were present in at least one qualifying CT log and didn’t otherwise already comply. EV certificates that are not included in the whitelist must comply with the new policy. While it is possible for pre-2015 non-whitelisted certificates to comply — using a stapled OCSP response or in the TLS extension — it is not trivial to configure.

Netcraft's Site Report tool can be used to inspect the SCTs (if any) presented by a given website and whether or not the certificate is present in Google's whitelist.

Widespread failures

ev-ct-per-ca-2

DigiCert includes its recently acquired roots that previously belonged to Verizon Business.

Many CAs have issued EV certificates that do not meet Google's requirements, which has resulted in over 10,000 certificates not receiving the EV indicator in the current version of Chrome. Of these certificates, 42% were issued after 1st January 2015, whilst the remaining 58% were issued pre-2015 but are missing from the whitelist and do not otherwise qualify.

Chrome's Address Bar EV Notes
Yes Normal EV display in Google Chrome
No Normal non-EV display in Google Chrome

Expected behaviour for SSL certificate display in Google Chrome's address bar.

Certificate Authority Chrome's Address Bar EV Issued Notes
Symantec Yes Jun 29 2015 No SCTs received
DigiCert (Verizon) Yes Mar 16 2015 No SCTs received
DigiCert Yes Aug 22 2014 Not in Google's whitelist
GoDaddy Yes Jun 25 2015 Too few SCTs for validity period
Entrust Yes Apr 10 2015 Malformed signatures in SCTs
GlobalSign Yes Feb 24 2015 No SCTs received
StartCom Yes Jun 29 2015 No SCTs received
WoSign Yes Jul 6 2015 No SCTs received

Actual behaviour of SSL certificate display in Google Chrome's address bar.
†This certificate should have been included on the whitelist; however, a bug in Google's whitelist meant it was incorrectly excluded.

hhhh

A GlobalSign certificate that despite having undergone EV validation, fails to trigger the green bar in Chrome.

Whilst most CAs have issued at least some EV certificates with embedded SCTs, others have not embraced Certificate Transparency at all.

WoSign has never issued an EV certificate that contains embedded SCTs and it does not support the second-most-prevalent method for delivering SCTs — via its OCSP responses. This is also the case for StartCom, where almost 100% of EV certificates issued by StartCom so far in 2015 fail to receive EV treatment in Chrome. Some StartCom EV certificates are receiving the EV indicator as a result of Google's one-off whitelist, and a single post-2015 certificate is being used on a server that supports sending SCTs via the TLS extension. WoSign and StartCom are not alone, however, as several other CAs have issued EV certificates without embeddeding SCTs, including Certplus (OpenTrust/KEYNECTIS).

Although Google produced a whitelist of existing EV certificates at the start of 2015, a significant number of pre-2015 certificates lost their EV treatment after Google Chrome started enforcing its CT policy. CAs had the opportunity to inspect Google's draft whitelist; however, many certificates were not submitted to a CT log in time. As well as omissions by the CAs, there were also errors in the mechanism used by Google to generate the whitelist.

The second type of failure to be included in the whitelist, bugs in Google's implementation, can be demonstrated by examining a DigiCert certificate (serial number 0ae01c52bf4917b4527c20bae5e2cd82): it is present in at least one Google CT log with a timestamp indicating it was first logged on 28th August 2014:

Log: https://ct.googleapis.com/pilot
Entry ID: 4867084
Timestamp: 2014-08-28 11:56:54 GMT
Certificate Serial Number: 0ae01c52bf4917b4527c20bae5e2cd82

Despite being logged in accordance with Google's policies, it does not appear in Google's whitelist. In this case, a bug in Google's whitelisting code meant it was incorrectly excluded.

Some CAs offer the option to their customers to not include SCTs in their EV certificates, where inclusion in a public log would leak DNS names the customer would rather keep private. However, all of the certificates in this analysis were found on public-facing HTTPS services by Netcraft's SSL survey, or were included in CT logs.

Google's latest policy update in May 2015 could mean that 7,000 more EV certificates will lose the green bar treatment in Chrome. Certificates must now be delivered with SCTs from independent logs — i.e. at least one Google log and one non-Google log. Certificates that do not meet this new requirement still receive the green bar in Chrome, but are anticipated to stop working when Chrome's code catches up with the new policy. It is not clear whether certificates issued before the policy update will be whitelisted or subjected to the new policy.

Comodo is the CA most affected by the May 2015 policy update, with almost 6,000 EV certificates at risk if Google's new policy is applied from 1st Jan 2015. Comodo has recently issued certificates with SCTs from too few independent logs: for example, Comodo issued a certificate on 3rd August 2015 that is missing a non-Google SCT.

Before they were eventually deployed in March 2015, CAs had known for over a year that the changes to Chrome's EV behaviour were coming. Google's intention was for CAs to ensure that all issued certificates were meeting the requirements before the effective date. This was not the case for most CAs, however, and many non-compliant certificates remain in existence now that Chrome is enforcing the requirements. Worse still, many CAs are continuing to sell EV certificates that will not receive the indicator in Chrome.

Identifying non-compliant certificates

Using data from its SSL Survey, Netcraft's certificate compliance checking service can promptly identify, and bring to the attention of CAs, all kinds of non-compliant certificates, including those that are not receiving the EV indicator in Chrome. The service also identifies certificates that will stop receiving the EV indicator as soon as Google's May 2015 policy update becomes effective. By using Netcraft's service to identify these certificates, CAs will be in a position to re-issue them such that they should once again receive the green EV indicator.

Netcraft's service can also be used by CAs to test their certificates for compliance issues before issuance, by submitting pre-certificates or certificates to Netcraft and only releasing to customers those that are found to be fully compliant. Non-compliant certificates can then be revoked without ever being deployed.

Millions still running the risk with Windows Server 2003

More than 600,000 web-facing computers — which host millions of websites — are still running Windows Server 2003, despite it no longer being supported.

The number of web-facing computers running Windows Server 2003 has been on a gradual decline since its peak usage in 2011, but many servers are still using it. Mainstream support for Windows Server 2003 ended in July 2010.

The number of web-facing computers running Windows Server 2003 has been on a gradual decline since its peak usage in 2011, but many servers are still using it. Mainstream support for Windows Server 2003 ended in July 2010.

Extended support for Windows Server 2003 ended on July 14, 2015. Crucially, this means that Microsoft will no longer be issuing security updates for any version of Windows Server 2003. US-CERT warns that these unsupported installations of Windows Server 2003 are exposed to an elevated risk of cybersecurity dangers, such as malicious attacks or electronic data loss.

Windows Server 2003 was originally launched over 12 years ago, with the latest major update being released 8 years ago in the form of Service Pack 2. This update was particularly beneficial for web servers, as it added the Scalable Networking Pack (SNP), which allowed for hardware acceleration of network packet processing.

Fifth of the internet still running Windows Server 2003

Netcraft's July 2015 Web Server Survey found 175 million websites that are served directly from Windows Server 2003 computers. These account for more than a fifth of all websites in the survey, making the potential attack surface huge.

Most of these sites (73%) are served by Microsoft Internet Information Services 6.0, which is the version of IIS that shipped with Windows Server 2003 and the 64-bit edition of Windows XP Professional; however, it is rare to see the latter being used as a web server platform.

The remaining Windows Server 2003-powered sites use a variety of web server software, with GSHD 3.0, Safedog 4.0.0, Apache 2.2.8 (Win32), kangle 3.4.8, NetBox Version 2.8 Build 4128 and nginx/1.0.13-win32 being amongst the most commonly seen Server headers. While vulnerabilities in these software products can be addressed by applying patches or updates, future vulnerabilities in the underlying Windows Server 2003 operating system may never be fixed.

14 million of the sites did not send a Server header at all, so it was not apparent whether the web server software used by these sites could be updated, but the underlying computers could still be identified as running Windows Server 2003. Netcraft determines the operating system of a remote web server by analysing the low-level TCP/IP characteristics of response packets, and so it is independent of whichever server software the site claims to be running.

Backend servers might also be exploitable

In addition to the 175 million websites that are served directly from Windows Server 2003 computers, a further 1.7 million sites served from other operating systems sent the Microsoft-IIS/6.0 Server header. This indicates the presence of backend Windows Server 2003 machines behind load balances and similar devices that are not running Windows.

For example, if the TCP/IP characteristics of a web server's response indicate that it is running Linux, but the HTTP Server header reports it is using Microsoft-IIS/6.0, then the Linux machine is likely to be acting as a reverse proxy to a Windows Server 2003 machine running IIS 6.0. Although the Windows Server 2003 machine is not directly exposed to the internet, it may still be possible for a remote attacker to exploit certain Windows and IIS vulnerabilities.

How many Windows Server 2003 installations are exposed to the web?

Netcraft has developed a technique for identifying the number of unique computers that act as web servers on the internet. The 175 million sites that use Windows Server 2003 make use of 1.6 million distinct IP addresses. However, an individual computer running Windows Server 2003 may have multiple IP addresses, which makes this an unsuitable metric for determining how many installations there are.

Further analysis of the low-level TCP/IP characteristics reveals a total of 609,000 web-facing computers running Windows Server 2003. This is over 10% of all web-facing computers, and shows the true potential cost of migration, as software licensing is typically charged on a per-machine rather than per-IP address basis.

Who's still using Windows Server 2003?

China and the United States account for 55% of the world's Windows Server 2003 computers (169,000 in China and 166,000 in the US), yet only 43% of all other web facing computers.

Within China, more than 24,000 of these computers are hosted by Alibaba Group. Nearly half of these are hosted by HiChina, which was acquired by Alibaba in 2009, while 7,500 are hosted at its rapidly growing cloud hosting unit, Aliyun.

Aliyun still allows its customers to create Windows Server 2003 virtual machines.

Aliyun still allows its customers to create Windows Server 2003 virtual machines.

One of the most prominent companies still using Windows Server 2003 on the internet is LivePerson, which is best known for the live chat software that allows its customers to talk to their visitors in realtime. Its main site at www.liveperson.com uses Microsoft IIS 6.0 on Windows Server 2003, and several other sites related to its live chat functionality — such as sales.liveperson.net — also appear to use IIS 6.0 on Server 2003, but are served via F5 BIG IP web-facing devices.

Even some banks are still using Windows Server 2003 and IIS 6.0 on their main sites, with the most popular ones including Natwest, ANZ, and Grupo Bancolombia. These sites rank amongst the top 10,000 in the world, and hundreds of other banking sites also appear to be using Windows Server 2003.

ING Direct and Caisse d'Epargne are also using IIS 6.0, but these sites appear to be served through F5 BIG-IP or similar devices, rather than having Windows Server 2003 machines exposed directly to the internet. Even some security and antivirus software vendors are still running IIS 6.0 on public-facing sites, including Panda Security and eScan.

While Microsoft does not officially offer any support beyond the extended support period ("Once a product transitions out of support, no further support will be provided for the product"), reports suggest that some companies who have not migrated in time have arranged to pay millions of dollars for custom support deals.

PCI compliance: Automatic failure

Companies still using unsupported operating systems like Windows Server 2003 in a cardholder data environment should migrate immediately. All organisations and merchants who accept, transmit or store cardholder data must maintain a secure PCI compliant environment.

The Payment Card Industry Data Security Standard (PCI DSS) provides a baseline of technical and operational requirements designed to protect cardholder data and sensitive authentication data. PCI DSS Requirement 6.2 requires all system components and software to be protected from known vulnerabilities by installing vendor-supplied security patches. This will not be possible with Windows Server 2003, as no more security updates will be made available by Microsoft.

Additionally, merchants and service providers who handle a large enough volume of cardholder data must have quarterly security scans by a PCI SSC Approved Scanning Vendor (such as Netcraft) in order to maintain compliance. ASVs are required to record an automatic failure if the merchant's cardholder data environment uses an operating system that is no longer supported.

In some cases, the PCI SSC can allow for risks to be mitigated through the implementation of suitable compensating controls, but these are unlikely to be sufficient for an unsupported web-facing operating system – especially one which will become less secure as time goes by, as new vulnerabilities are discovered.

Consequently, many merchants still using Windows Server 2003 is likely to be noncompliant, and could face fines, increased transaction fees, reputational damage, or other potentially disastrous penalties such as cancelled accounts.

Microsoft advises that any datacenter still using Windows Server 2003 needs to protect its infrastructure by planning and executing a migration strategy. Some possible options suggested by Microsoft include switching to Windows Server 2012 R2, Microsoft Azure or Office 365. To help customers migrate, Microsoft has provided an interactive Windows Server 2003 Migration Planning Assistant, which, incidentally, is hosted on Microsoft Azure.

Finding out more

Netcraft's techniques provide an independent view with a consistent methodology on the number of web-facing computers at each hosting location worldwide. For more information, see our Hosting Provider Server Count, or contact us at sales@netcraft.com for bespoke datasets.

For more information about Netcraft's Automated Vulnerability Scanning for PCI Compliance, please contact us at security-sales@netcraft.com.

Counting SSL certificates

The SSL/TLS protocol — used to protect sensitive communication across the internet — combines encryption with authentication, providing a private connection to the intended recipient. To achieve this, SSL certificates bind together a cryptographic key and a domain name, and are digitally-signed by a trusted certificate authority (CA). Commercial CAs compete to sell certificates to the general public and account for the bulk of the SSL certificates seen on the internet.

Netcraft's SSL Server Survey has been running since 1996 and has tracked the evolution of this marketplace from its inception — there are now more than one thousand times more certificates on the web now than in 1996. As CAs issue certificates, and most charge (or not charge) accordingly, the number of certificates issued becomes the natural unit of measurement. Our survey therefore counts valid, trusted SSL certificates used on public-facing web servers, counting each certificate once, even if used on multiple websites.

certs

Two types of certificates make the distinction between counting sites and certificates most apparent: multi-domain certificates and wildcard certificates. These two types now account for almost a quarter of all certificates found.

  • Multi-domain certificates (or UCC certificates) use the Subject Alternative Name extension to specify additional hostnames for which this certificate is valid — CloudFlare uses this technique heavily, having dozens of unrelated sites share the same certificate.
  • Wildcard certificates are valid for all possible subdomains of a domain, for example *.netcraft.com would be valid for www.netcraft.com, host-a.netcraft.com, host-b.netcraft.com, etc. Our methodology counts a wildcard certificate once, no matter the number of sites for which it is valid.

Netcraft also counts certificates used by subdomains. For example, if foo.example.com, bar.example.com and baz.example.com are all using different SSL certificates, Netcraft will count all three certificates that have been issued.

Although the global SSL ecosystem is competitive, it is dominated by a handful of major CAs — three certificate authorities (Symantec, Comodo and GoDaddy) account for three-quarters of all issued SSL certificates on public-facing web servers. The top spot has been held by Symantec (or VeriSign before it was purchased by Symantec) ever since the survey began, with it currently accounting for just under a third of all certificates. To illustrate the effect of differing methodologies, amongst the million busiest sites Symantec issued 44% of the valid, trusted certificates in use — significantly more than its overall market share.

However, nothing ever stays still forever — Let's Encrypt could shake up the market for SSL certificates later on this year by offering free certificates with a simplified installation process. Whilst free certificates and automated tools are nothing new, the open approach and the backing of Mozilla, IdenTrust, the EFF, and Akamai could change the SSL ecosystem forever.

Beyond counting certificate numbers, Netcraft's SSL Survey also tracks the list and reseller prices of the most popular certificate authorities. This provides another useful market share metric, as it allows us to estimate the total monthly and annual revenue of each certificate authority attributable to public SSL issuance.

As each type of certificate — multi-domain, wildcard, or Extended Validation for example — is available at a distinct price point, the estimated revenue of a CA can vary significantly, despite initially appearing similarly sized by the total number of certificates. For example, GlobalSign comes in third-place when considering its estimated annual revenue (by list price) in 2014, despite accounting for approximately 6% of all currently valid publicly-visible SSL certificates.

For additional information or details on how to purchase Netcraft’s SSL Server Survey please contact us at sales@netcraft.com or visit our web site.