In the March 2017 survey we received responses from 1,760,630,795 sites and 6,271,146 computers, reflecting a loss of 31 million sites, but a gain of 34,000 computers.
nginx was the only major web server vendor to increase its market shares in all four metrics this month. Its share of websites grew by 0.49 percentage points, reaching nearly 20%, and its share of web-facing computers grew by 0.39 p.p. to 19.6%. The latter gain was driven by a 31,000 growth in the number of computers running nginx, which was by far the largest computer growth in the survey.
Microsoft suffered the largest loss in March, falling by 70 million sites and taking its share down by more than 3 percentage points. This drop paved the way for Apache to claw back 0.91 points with its gain of 9.4 million sites. Microsoft's market share of sites now stands just below 40%, though this remains nearly as much as Apache and nginx combined.
Microsoft also suffered the largest and only loss of active sites among the major vendors, reducing its total count of active sites by 421,000. Microsoft's active sites share is now less than 9%, far behind nginx's share of 19.7% and Apache's 45.8%.
nginx was the only major vendor to increase its presence within the top million sites, increasing its count by 1,592, while Apache lost 3,502 and Microsoft lost 746.
Microsoft web servers
Among the 704 million sites that are powered by Microsoft web server software, Windows Server 2008 is still the most commonly used platform. The original version of this operating system shipped with Microsoft IIS 7.0 as its web server, while the subsequent Windows Server 2008 R2 release included IIS 7.5. More than half a billion websites are hosted on Windows Server 2008 computers (including R2), which accounts for 72% of all Windows-hosted websites.
Although its R2 version was released more than 7 years ago, Windows Server 2008 is likely to remain prevalent for several more years. Last year's launch of the Windows Server Premium Assurance program allows customers to extend Windows Server 2008's support period from 10 to 16 years, giving access to security updates rated "critical" and "important" until January 2026.
A further 185 million sites are still running on Windows Server 2003 computers, which are not covered by the Windows Server Premium Assurance program. The extended support period for Windows Server 2003 ended on July 14, 2015, so unless site operators have a special agreement in place, Microsoft will no longer be issuing security updates for any version of Windows Server 2003. US-CERT warned that these unsupported installations of Windows Server 2003 are exposed to an elevated risk of cybersecurity dangers, such as malicious attacks or electronic data loss.
Microsoft's newest operating system, Windows Server 2016, may still seem in its infancy, but it is now starting to show promising growth. 80,200 sites are now being served from Windows Server 2016 machines, which is nearly 20,000 more than last month. The number of web-facing computers running Windows Server 2016 also grew by 2,509, while Windows Server 2008 lost 2,316.
Windows Server 2016's computer growth was outpaced only by Windows Server 2012, which gained 7,100 computers this month. Windows Server 2012 now accounts for 463,000 web-facing computers, which is nearly half as many as Windows Server 2008, but it is used to host far fewer websites – just 22 million compared with the 535 million sites hosted on Windows Server 2008 computers.
For more information see Active Sites
Brazilian and Laotian government websites were found collaborating in an unusual Apple ID phishing attack today.
The Brazilian government education WordPress site at http://ead.go.gov.br/, and the Laotian government Department of Posts and Telecommunications site at https://dpt-km.gov.la — which runs Joomla — have evidently been compromised in this attempt to steal Apple ID credentials.
The most unusual thing about this particular incident is that both government sites are being used to carry out the same phishing attack: The spoof Apple ID login form is hosted on the Brazilian government site, while the Laotian government site hosts a script that redirects visitors to the spoof form on the Brazilian site.
In a separate spate of attacks, an Alibaba phishing site was also discovered on another Brazilian government site this week at http://cmrn.mg.gov.br, and a LinkedIn phishing site was found on the Pakistani government health information website at http://dhiskp.gov.pk/. The Laotian government site was also used to host a redirect to another phishing attack against a Greek bank last month.
While it is common for phishing sites to be hosted on compromised web servers, it is often assumed that government websites would be more secure than average; but this is not always the case, as empirically demonstrated by this week's attacks, and also by previous attacks hosted on Malaysian, Nigerian and Thai government websites.
However, this is the first time Netcraft has seen two different governments' websites working together to take part in the same phishing attack.
Popular news websites, hotels, pharmacies, gaming sites, and many online banking sites are among millions of websites that are now explicitly flagged as "not secure" by some of the most commonly used browsers.
Current stable versions of Google Chrome and Mozilla Firefox now display a "not secure" warning in the URL bar if a webpage served over an unencrypted HTTP connection requests a user's password – even if the password is usually submitted to a secure (HTTPS) site. This is because an attacker could modify the non-secure HTTP form and cause the user's credentials to be sent elsewhere.
This security feature was first introduced in Firefox 51, which was released on 24 January, and then in Chrome 56, which was rolled out in the weeks following 25 January. Chrome also displays the warning on pages that contain fields for entering credit card numbers.
Banks failing to protect their customers
Surprisingly many banks have failed to react to the new browser behaviour. For example, Santander's Chilean website at http://www.santander.cl can be accessed over an unencrypted HTTP connection, but it displays an online banking login form regardless.
The contents of the login form are submitted to a secure URL on https://www.santander.cl/, which uses an SSL certificate issued by GeoTrust. This secure connection is therefore protected against man-in-the-middle attacks, but crucially, this security is undermined by www.santander.cl serving its login form over an unencrypted HTTP connection — a man-in-the-middle attacker can simply siphon the customer's credentials from this page before they are even submitted to the secure site.
A few other examples of banking websites that are now marked as "not secure" (and this is not an exhaustive list by any means) include Eagle Bank, Community Bank of Fitzgerald, Diamond Bank, Flora Bank & Trust and Bank of Hamilton.
Ironically, some of these examples display padlock icons on their online banking login forms, despite serving them over unencrypted HTTP connections. This gives a misleading impression of security, although the risks are now made apparent to any user of Firefox 52.
Pharmacy logins exposed
CVS pharmacy — the largest pharmacy chain in the United States, with a parent company that is #7 in the Fortune 500 — also displays its login form over an insecure connection. Interacting with this form in Firefox 52 will cause the "not secure" warning to be displayed much more prominently, beneath whichever field has focus. This is much harder to miss than just the crossed padlock icon in the address bar of Firefox 51.
A customer who signs in to CVS can manage their family's prescriptions online, so any security weakness that potentially exposes their login credentials could raise some regulatory eyebrows. To maintain the privacy and security of Electronic Protected Health Information (EPHI), the HIPAA Security Rule lays out a set of administrative, physical and technical safeguards. The technical safeguards are intended, among other things, to protect communications from being intercepted by anyone other than the intended recipient.
Why are browser vendors doing this?
Such attacks are entirely plausible, especially with the prevalence of mobile computing. The attacker does not need to infiltrate an ISP or be part of a spy agency in order to view a victim's network traffic – he can simply turn up to a coffee shop and use his phone or laptop to offer a free Wi-Fi network that other customers are likely to use. This would allow him to view and alter the contents of any HTTP form without detection.
The warning feature was previously made available in development releases of both browsers. When it was added to Firefox 46 Developer Edition in January 2016, Mozilla stated that there were no plans to add it to general releases, since developers were ultimately the ones who need to make logins more secure on the sites they build.
While the warnings are now displayed to all users of Firefox and Chrome, they are still intended to encourage web designers to update their sites to ensure that sensitive information is always requested over HTTPS. Although the warnings are only shown in a limited set of circumstances, Chrome's warnings represent a step towards Google's long-term plan to flag all HTTP sites as "not secure".
The new browser behaviour could encourage faster migration to HTTPS by naming and shaming offending websites to their own users. The warnings shown in Firefox 51 and Chrome 56 are rather subtle and could easily be overlooked or not understood by regular users, but the inline warnings now shown in Firefox 52 are easier to interpret and much harder to miss. Chrome 57 is expected to have a similar feature when it is released on March 14. Many websites are therefore expected to react to their "not secure" status in the coming days and weeks.
How many sites are now "not secure"?
Netcraft's Active Sites dataset contains millions of examples where websites serve password fields over unencrypted HTTP connections. All of these sites will be flagged as "not secure" in the latest stable versions of Firefox and Chrome.
Prior to the release of Firefox 51 and Chrome 56, the affected sites would not have caused any warnings to be shown in the URL bar, giving the impression that there were no problems. In contrast, an HTTPS website that uses an expired SSL certificate would display prominent, unmissable warnings, regardless of whether it serves any password fields – even though the connection would arguably be more secure than an unencrypted HTTP connection.
A wide variety of sites are affected by the new behaviour of Chrome and Firefox, including some of the most popular news websites. This is arguably a good thing, as being affected will encourage them to adopt better security measures.
Fox News visitors (foxnews.com) currently receive the warning when logging in. Although Fox News credentials are ordinarily submitted to a secure server at https://signin.foxnews.com, the login form itself is served over an unencrypted HTTP connection, and so there is an opportunity for a man-in-the-middle attacker to steal any credentials entered on this page:
Some of the news websites that make use of Gigya for customer identity management are also flagged as not secure. This includes the Irish Examiner, the Independent, and the Express. Again, although Gigya's service only accepts credentials via a secure login URL similar to https://accounts.us1.gigya.com/accounts.login, the pages that send these credentials are not secure.
Chinese search engine Baidu is one of the most frequently visited HTTP sites that is now marked as "not secure" by Chrome and Firefox. Unlike Google, its homepage does not use HTTPS by default, and so a significant number of users are likely to see http://www.baidu.com/ flagged as being "not secure" when they try to log in.
Not all Baidu users will be vulnerable, however, as any visit to its HTTPS site at https://www.baidu.com/ will cause Baidu's HTTP Strict Transport Security policy to kick in. This will force the user's browser to use HTTPS for all subsequent visits for at least the next two days, thus ensuring that the login form will be served over a secure connection.
Unfortunately, Baidu's 2-day HSTS policy can only take effect after the user has visited the HTTPS site, rendering all new and infrequent users vulnerable to MITM attacks. This weakness could be resolved by adding baidu.com to Chromium's HSTS preloaded list, which would cause most modern browsers to always use HTTPS, even if the site has never been visited before.
Other high-profile sites that are currently "not secure"
The FIFA website at http://www.fifa.com is instantly flagged as being insecure, even before the login form is made visible to the user. Although this login form submits to a secure URL at https://secure.fifa.com/theclub/login.htmx, the form itself is of course vulnerable to man-in-the-middle attackers who could divert the user's credentials elsewhere.
Tagged and hi5 are popular social networking sites that are flagged as insecure despite having login forms that are served over secure HTTPS connections. This is because each secure login form is displayed inside an iframe embedded in an HTTP page. If the HTTP page were man-in-the-middled, the attacker could replace the frame's intended secure content with a spoof login form.
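The rule described at the start of this article, and the iframe case above, can be modelled in a few lines. The following is an added example written for this page, not browser code: a page is flagged when a password field (or, for Chrome, a credit-card field) sits in a document whose own origin, or any ancestor frame's origin, is plain HTTP. The form's action URL is deliberately ignored, because an attacker who can alter the HTTP page can also rewrite that URL. The sample pages and hostnames are constructed placeholders.

```python
"""Added example (not browser code): a model of the "not secure" rule.

Firefox 51 and Chrome 56 flag a page when a password field is collected in
a document whose context is not secure; Chrome also counts credit-card
fields. A context is insecure when the document itself, or any ancestor
frame, was loaded over plain HTTP, so an HTTPS login frame embedded in an
HTTP page is still flagged.
"""
from dataclasses import dataclass, field
from html.parser import HTMLParser
from typing import List
from urllib.parse import urlsplit


class _SensitiveFieldFinder(HTMLParser):
    """Count <input> elements that the browsers treat as sensitive."""

    def __init__(self) -> None:
        super().__init__()
        self.password_fields = 0
        self.card_fields = 0

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {name.lower(): (value or "").lower() for name, value in attrs}
        if a.get("type") == "password":
            self.password_fields += 1
        elif a.get("autocomplete") == "cc-number":  # Chrome's credit-card hint
            self.card_fields += 1


@dataclass
class Document:
    url: str
    html: str
    frames: List["Document"] = field(default_factory=list)  # child frames


def is_secure_origin(url: str) -> bool:
    parts = urlsplit(url)
    return parts.scheme == "https" or parts.hostname in ("localhost", "127.0.0.1")


def not_secure_reasons(doc: Document, ancestors_secure: bool = True,
                       count_cards: bool = True) -> List[str]:
    """Reasons a browser would show "not secure" for this document tree.
    count_cards=True models Chrome; False models Firefox."""
    secure = ancestors_secure and is_secure_origin(doc.url)
    finder = _SensitiveFieldFinder()
    finder.feed(doc.html)
    reasons = []
    if not secure and finder.password_fields:
        reasons.append(f"{doc.url}: password field in a non-secure context")
    if not secure and count_cards and finder.card_fields:
        reasons.append(f"{doc.url}: credit-card field in a non-secure context")
    for child in doc.frames:
        # A frame inherits insecurity from its parent chain even if it is https.
        reasons.extend(not_secure_reasons(child, secure, count_cards))
    return reasons


# Constructed sample pages; hostnames are placeholders, not real sites.
HTTP_LOGIN = Document(
    "http://bank.example/",
    '<form action="https://bank.example/login">'
    '<input type="text" name="user"><input type="password" name="pass"></form>')
HTTPS_LOGIN = Document("https://bank.example/login", '<input type="password" name="pass">')
FRAMED_LOGIN = Document(  # HTTP page embedding a secure login frame
    "http://social.example/", '<iframe src="https://login.social.example/"></iframe>',
    frames=[Document("https://login.social.example/", '<input type="password" name="p">')])
HTTP_CHECKOUT = Document(
    "http://shop.example/checkout", '<input type="text" autocomplete="cc-number" name="card">')

if __name__ == "__main__":
    for label, doc in [("http login", HTTP_LOGIN), ("https login", HTTPS_LOGIN),
                       ("framed login", FRAMED_LOGIN), ("http checkout", HTTP_CHECKOUT)]:
        print(label, "->", not_secure_reasons(doc) or "no warning")
```

Running the script shows that only the all-HTTPS page escapes the warning; the HTTP page whose form posts to HTTPS, and the HTTP page that merely frames an HTTPS login, are both flagged.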
A few other high-profile sites also flagged as "not secure" include those operated by the global lodging company Marriott, Scandinavia's largest airline SAS, parcel delivery companies Parcelforce and DPD, online gaming sites Miniclip and Bigpoint, and some sites that use Salesforce (e.g. avid.force.com).
What do the affected websites need to do?
Chrome and Firefox will only display the new warnings when they encounter password fields that are served over unencrypted HTTP connections, so the fix is quite straightforward: Make sure these pages are served over HTTPS (using a valid SSL certificate, of course).
While this course of action will make the warning messages disappear, it will not on its own eliminate all types of man-in-the-middle attacks. For instance, most HTTPS sites are vulnerable to trivial connection hijacking attacks that can be exploited whenever a user inadvertently tries to access the secure site over HTTP. This "SSL stripping" vulnerability can easily be resolved by implementing an appropriate HTTP Strict Transport Security (HSTS) policy, yet only a small percentage of HTTPS sites actually do this.
Further protection can be sought by using HSTS preloading, which ensures that a site's HSTS policy is distributed to supported browsers before the user's first visit. Going a step further, HTTP Public Key Pinning can prevent fraudsters using mis-issued SSL certificates to carry out man-in-the-middle attacks, but incredibly few sites have dared to use this feature – partly because it can backfire spectacularly if website administrators get it wrong.
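To make the Baidu two-day policy and the HSTS advice above concrete, here is an added example written for this page (not Netcraft's or any browser's code). It parses a Strict-Transport-Security header, models a browser's trust-on-first-use HSTS store with a preload set, and lists what a reviewer would flag about a header. It assumes that a two-day policy is max-age=172800 and that preload eligibility requires a max-age of at least one year (31536000), includeSubDomains and preload; the hostnames are placeholders.

```python
"""Added example (not Netcraft's or any browser's code): HSTS behaviour.

Assumptions: two days = max-age=172800; the Chromium preload list accepts a
host whose header carries max-age >= 31536000, includeSubDomains and preload.
"""
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31_536_000


def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security value. Returns {} when a browser
    would ignore the header (no max-age, or a non-numeric one)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return {}
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else {}


class HstsCache:
    """Minimal model of a browser's HSTS store: trust on first use, plus a
    static preload set that applies before any visit."""

    def __init__(self, preload=()):
        self.preload = set(preload)
        self.entries = {}  # host -> (expires_at, include_subdomains)

    def remember(self, host: str, header: str, now: int) -> None:
        """Only called after a successful HTTPS response carrying the header."""
        policy = parse_hsts(header)
        if not policy:
            return
        if policy["max_age"] == 0:
            self.entries.pop(host, None)  # max-age=0 withdraws the policy
            return
        self.entries[host] = (now + policy["max_age"], policy["include_subdomains"])

    def covered(self, host: str, now: int) -> bool:
        labels = host.split(".")
        for i in range(len(labels)):
            suffix = ".".join(labels[i:])
            if suffix in self.preload:
                return True  # preloaded entries always include subdomains
            entry = self.entries.get(suffix)
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def upgrade(self, url: str, now: int) -> str:
        """Rewrite an http:// URL to https:// if a policy is in force."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.covered(parts.hostname, now):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


def review_hsts(header: str) -> list:
    """Findings a reviewer would raise about a site's header."""
    policy = parse_hsts(header)
    if not policy:
        return ["no usable HSTS policy: every plain-http entry point can be stripped"]
    findings = []
    if policy["max_age"] < ONE_YEAR:
        days = policy["max_age"] // 86400
        findings.append(f"max-age is only {days} day(s); infrequent visitors lose protection")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains missing: subdomains stay strippable")
    if not (policy["max_age"] >= ONE_YEAR and policy["include_subdomains"] and policy["preload"]):
        findings.append("not eligible for the preload list")
    return findings


TWO_DAYS = "max-age=172800"
PRELOADABLE = "max-age=31536000; includeSubDomains; preload"

if __name__ == "__main__":
    cache = HstsCache()
    print(cache.upgrade("http://www.search.example/", now=0))       # first visit: no upgrade
    cache.remember("www.search.example", TWO_DAYS, now=0)
    print(cache.upgrade("http://www.search.example/", now=3600))    # upgraded
    print(cache.upgrade("http://www.search.example/", now=200000))  # lapsed after two days
    print(review_hsts(TWO_DAYS))
    print(review_hsts(PRELOADABLE))
```

The first and third prints are the weakness described above: before the first HTTPS visit, and again once the short max-age has lapsed, the browser still goes to the http:// URL and a stripping attacker can serve the login page. Constructing the cache with the host in its preload set removes the gap entirely.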
Users of Chrome 56 and Firefox 51 also might not notice the subtle "not secure" warnings displayed by these versions, and so an attacker who has man-in-the-middled a login form may still be able to carry out a viable attack as long as the login form continues to be served over HTTP.
However, Firefox 52 (and soon Chrome 57) will make the warnings much easier to notice, and this is likely to drive the security of the web in the right direction. Directly naming and shaming insecure websites to their own users is potentially one of the most powerful ways of encouraging companies to make better use of HTTPS, which will ultimately make it harder for hackers to carry out man-in-the-middle attacks.
Netcetera had the most reliable hosting company site in February, successfully responding to all of Netcraft’s requests. Netcetera has maintained an uptime of 99.994% over the last year, and 99.96% over the last 12 years. The company is based on the Isle of Man and provides carbon-neutral shared, dedicated, and cloud hosting.
Qube Managed Services took second place with only a single failed request. This is Qube's fifth consecutive month in the top two positions of the most reliable hosting company websites table. Qube recently partnered with Level 3 to provide a new DDoS protection service.
In third place is Krystal Hosting Ltd, which successfully responded to all but three of Netcraft's requests. The UK-based company offers 100% SSD cloud VPS and hosting.
Nine of February's ten most reliable hosting company sites were running Linux, with Swishmail being the only company which uses FreeBSD. Swishmail came in seventh with five failed requests. Swishmail, Webair and CWCS all successfully responded to the same number of Netcraft's requests, so their average connection times were used to determine the ranking between them.
Netcraft measures and makes available the response times of around forty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.
From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as this gives a pointer to reliability of routing, and this is why we choose to rank our table by fewest failed requests, rather than shortest periods of outage. In the event that the numbers of failed requests are equal, sites are ranked by average connection times.
Information on the measurement process and current measurements is available.
In the February 2017 survey we received responses from 1,792,104,054 sites and 6,236,791 web-facing computers, reflecting a loss of 7.9 million sites and 91,200 computers.
nginx gains sites and computers
nginx had the largest growth of both sites and web-facing computers amongst the major vendors this month, enjoying a gain of 31 million sites and 13,400 computers, while hefty losses by Microsoft and Apache led to the overall losses seen in this month’s survey. Microsoft lost 48 million sites and 9,900 computers, while Apache lost 13 million sites and 85,700 computers.
Much of the loss of web-facing computers using Apache is the result of declining numbers of Western Digital My Cloud personal storage devices being found in Netcraft's survey. These devices allowed consumers to access their files remotely using public hostnames under the wd2go.com domain. This disappearing act might have been influenced by the three My Cloud firmware updates that were released in December – the first of these changed how files are accessed from the My Cloud web and mobile apps, and the other two resolved a security vulnerability related to remote access.
Despite suffering the largest loss, Microsoft web servers power 43.2% of all sites on the internet, more than twice Apache's share. Meanwhile, nginx's growth has increased its own count to 348 million, bringing it to within striking distance of Apache. This highlights a dramatic change in fortunes for Apache, which was comfortably in first place a year ago, but is now under threat of falling into third place.
In terms of web-facing computers, Apache continues to fare well. While its 3% decline is significant in the space of a month, Apache's 2.7 million computers still give it the lion's share of the market (44.1%). This is followed by Microsoft's 1.5 million computers (24.7%), and nginx's 1.2 million (19.2%).
nginx was also the only major vendor to make a gain within the top million busiest sites. Its share grew slightly to 28.34%, while Apache suffered the largest loss of 0.21 percentage points, taking its share down to 41.41%, though Apache maintained its first-place position with a lead of 13.1 percentage points over nginx.
Apache still strong in active sites
Despite its losses elsewhere, Apache gained 887,000 active sites this month. nginx made the second largest gain, with an increase of 757,000 active sites. The active sites metric is more appropriate for some applications, as it counts websites but excludes those that contain automatically generated content such as domain holding pages.
Apache also has the largest share of this market (45.8%), with its total number of active sites now reaching almost 80 million – comfortably ahead of nginx, which takes up second place with 34 million active sites.
LiteSpeed 5.1.13 addresses DDoS vulnerability
February saw some new releases of the LiteSpeed web server. Most notably, version 5.1.13 was released on 17 February, after some LiteSpeed Enterprise customers reported service disruptions. These were caused by a surge of distributed denial of service (DDoS) attacks that specifically targeted a bug in LiteSpeed servers earlier that day. Rather impressively, it took LiteSpeed less than two hours to identify the heap buffer overflow that was responsible for the problem, push a bug fix build of 5.1.12, and release 5.1.13.
Looking ahead, it is likely that the first release in the 5.2 branch of LiteSpeed will support HTTP/2 Server Push, which could speed up some websites by allowing the server to send resources to clients before the browser has requested them. This feature has already been implemented in the second release candidate (5.2RC2), which was made available on 13 February.
LiteSpeed gained 42 million sites this month as a large number of sites under the .science gTLD reappeared. This did not have a positive impact on its computer count, however, which fell by 666 to 23,240.
Other new releases from web server vendors
Apache 2.2.32 was released on 13 January. This is the latest version in the 2.2 legacy branch, which now enforces a stricter HTTP request grammar, corresponding to RFC 7230 for request lines and request headers. This addresses a security vulnerability (CVE-2016-8743) that might have allowed malicious clients or downstream proxies to carry out response splitting and cache pollution attacks. This release also mitigates the "httpoxy" (CVE-2016-5387) issues that were already addressed in the 2.4 stable branch.
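To show what a stricter request grammar actually rejects, here is an added example written for this page; it is not Apache's parser and makes no claim to match it rule for rule. It validates an HTTP/1.1 request head in the spirit of RFC 7230: the method must be a token, the request line must contain exactly two spaces, field names must be tokens immediately followed by a colon, field values may not contain control characters, and a bare CR or LF anywhere in the head is fatal. The sample requests are constructed for this page.

```python
"""Added example (not Apache's parser): a strict HTTP/1.1 request-head
validator in the spirit of the RFC 7230 grammar. It shows the request
shapes a lenient parser would accept but a strict one rejects, including
the bare-CR and whitespace-before-colon tricks that underpin header
injection, response splitting and cache pollution.
"""
import re

TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")          # RFC 7230 token
REQUEST_LINE = re.compile(r"^([^ ]+) ([^ ]+) HTTP/(\d)\.(\d)$")   # exactly two SP
TARGET = re.compile(r"^[\x21-\x7e]+$")                            # no SP, CTL or DEL
FIELD_VALUE = re.compile(r"^[\t \x21-\x7e\x80-\xff]*$")           # VCHAR / SP / HTAB / obs-text


def validate_request_head(raw: bytes) -> list:
    """Return grammar violations for the bytes up to and including the blank
    line; an empty list means the head is well-formed."""
    errors = []
    if raw.endswith(b"\r\n\r\n"):
        head = raw[:-4]
    else:
        errors.append("request head must end with CRLF CRLF")
        head = raw
    # Any CR not followed by LF, or LF not preceded by CR, is a bare control
    # character; that is the primitive behind header injection, so stop here.
    if re.search(rb"\r(?!\n)|(?<!\r)\n", head):
        errors.append("bare CR or LF inside the request head")
        return errors
    lines = head.decode("latin-1").split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        errors.append(f"malformed request line {lines[0]!r}")
    else:
        method, target, major, _minor = m.groups()
        if not TOKEN.match(method):
            errors.append(f"method {method!r} is not a token")
        if not TARGET.match(target):
            errors.append("request-target contains whitespace or control characters")
        if major != "1":
            errors.append(f"unsupported HTTP major version {major}")
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):
            errors.append(f"obsolete line folding: {line!r}")
            continue
        name, colon, value = line.partition(":")
        if not colon:
            errors.append(f"header line without a colon: {line!r}")
        elif not TOKEN.match(name):
            errors.append(f"invalid field name {name!r} (whitespace before the colon?)")
        elif not FIELD_VALUE.match(value):
            errors.append(f"control character in the value of {name!r}")
    return errors


# Constructed sample requests; the hostname is a placeholder.
GOOD = b"GET /index.html HTTP/1.1\r\nHost: www.example\r\nAccept: */*\r\n\r\n"
SPACE_BEFORE_COLON = b"GET / HTTP/1.1\r\nHost : www.example\r\n\r\n"
BARE_CR = b"GET /redir?to=x HTTP/1.1\r\nHost: www.example\r\nX-A: a\rSet-Cookie: s=1\r\n\r\n"
SPACE_IN_TARGET = b"GET /a b HTTP/1.1\r\nHost: www.example\r\n\r\n"
OBS_FOLD = b"GET / HTTP/1.1\r\nHost: www.example\r\n continued\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("good", GOOD), ("space before colon", SPACE_BEFORE_COLON),
                       ("bare CR", BARE_CR), ("space in target", SPACE_IN_TARGET),
                       ("obs-fold", OBS_FOLD)]:
        print(f"{label}: {validate_request_head(req) or 'accepted'}")
```

The interesting cases are the ones a lenient parser tolerates: "Host : www.example" lets a proxy and an origin disagree about which header a line belongs to, and a lone CR inside a field value is what lets an attacker-controlled value masquerade as a second header. Rejecting the whole request, rather than repairing it, is the safe default.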
New stable and mainline versions of nginx were also released in the past month. nginx 1.10.3 stable was released on 31 January, followed by nginx 1.11.10 mainline on Valentine's Day. Both versions include several bugfixes, while the mainline release also introduces a few new features.
Meanwhile, documentation for the Microsoft IIS Administration API is now available. This REST API allows IIS instances to be configured with any HTTP client, using tools such as the one available at manage.iis.net. The rationale for providing the API is to have an open and standard interface that can be used from any platform, unlike AppCmd.exe, which can only be run on Windows.
For more information see Active Sites
Copyright © Netcraft Ltd 2017. All Rights Reserved.