Instagram forgets to renew its SSL certificate

Instagram's SSL certificate expired at midday GMT on Thursday 30th April 2015 and was not replaced for more than an hour, leaving visitors unable to access the site without seeing browser warnings.

Browser warnings caused by Instagram's expired SSL certificate.

Browser warnings caused by Instagram's expired SSL certificate.

The expired DigiCert-issued certificate that was being served from https://instagram.com/ has now been replaced with a different certificate, valid until 15th October 2015.

Users who ignore the warnings from their browser could be at risk of man-in-the-middle attacks, where a correctly-positioned attacker can surreptitiously steal usernames, passwords and session cookies without the victim's knowledge.

Although the HTTP version of the site redirects to HTTPS, instagram.com does not currently make use of HTTP Strict Transport Security — an HTTP header that permits a site to specify that future visits must be over HTTPS. As a result, customers can bypass the warning message, placing them at risk of man-in-the-middle attacks.

If HSTS had been in use, visitors would correctly not be able to bypass the error message, protecting them from man-in-the-middle attacks, but leaving them without the ability to connect to instagram.com. As HSTS does not protect the user on their first visit, website owners can request to have their HSTS rules embedded into the browser via Chrome's preload list.

instagram-cert-error

The SSL error message in Google Chrome can be bypassed for instagram.com (which does not use HSTS).

paypal-cert-error

In simulating an attack on www.paypal.com (which does use HSTS), Chrome's SSL error message cannot be bypassed.

instagram.com is the 310th most popular website amongst users of the Netcraft Toolbar. The Instagram app does not appear to be affected, as it makes use of a different server at i.instagram.com, which uses a valid certificate.

The SSL certificate used by instragram.com expired at midday UTC

The SSL certificate used by instagram.com expired at midday UTC

Hostinger hosts over 90% of all Steam phishing sites

Netcraft blocked more than 1,400 Steam phishing URLs last month, spread across 331 different websites. Surprisingly, more than 90% of these sites were hosted by just one company: Hostinger.

With more than 125 million active accounts, Steam continues to make an attractive target for fraudsters. The number of phishing attacks targeting Steam rose significantly last month, even though the fraudsters behind these attacks have had to change their tactics a few times. Last year, a popular ruse was to use Steam's own chat client to trick victims into visiting look-alike domain names similar to the genuine steamcommunity.com. This modus operandi continued into 2015, but became less effective after Steam started to remove suspicious links from chat messages.

Consequently, many Steam phishers have abandoned the idea of registering their own look-alike domains (only two were blocked last month), and are instead using subdomains provided by free hosting services such as Hostinger. These allow the fraudsters to host Steam phishing sites with addresses like steamcommuniity.hol.es, steampoweredssuport.esy.es and steamcomcoomity.16mb.com – not quite as convincing as the hostnames used in previous attacks, although the deliberate misspellings are similar.

A Steam phishing site hosted at steamcomcoomity.16mb.com

A Steam phishing site hosted by Hostinger at steamcomcoomity.16mb.com

Lithuania-based Hostinger provides many different second-level domains under which its customers can host a website, and the most common ones used in these attacks were esy.es, besaba.com, 16mb.com, wc.lt, hol.es and pe.hu.

Hostinger displays this content on each of its free hosting  domains. Hostinger covers its costs by offering paid upgrades for those who need  more resources.

Hostinger displays this content on each of its free hosting domains. Hostinger covers its costs by offering paid upgrades for those who need more resources.

Free hosting providers are an obvious choice for fraudsters who wish to carry out phishing attacks without leaving a financial trail. Hostinger's offerings look particularly conducive for phishing, as they do not display ads on their customers' sites, and they provide support for PHP (nearly all phishing kits are written in PHP).

Nonetheless, the incredible popularity of Hostinger within the Steam phishing arena is rather unusual. While Hostinger was used to host over 90% of all Steam phishing URLs, it hosted only 0.6% of all other phishing attacks that were blocked during March.

This preference of using Hostinger could suggest that the fraudsters behind most of these Steam phishing attacks are working together or copying each others' methodologies. In addition, there are examples of phishing sites that have remained up for long periods of time, which makes it an attractive hosting location for phishers. The hostname steamcomcoomity.16mb.com (shown in the earlier screenshot) has been serving a Steam phishing site from Hostinger's infrastructure since last year and is still serving it at the time of writing.

Netcraft provides a Phishing Alerts service for hosting providers and domain registrars who are unwittingly providing facilities for phishing. Brand owners can also use Netcraft's Takedown service to identify phishing attacks against them and get fraudulent sites shut down.

April 2015 Web Server Survey

In the April 2015 survey we received responses from 849,027,856 sites and 5,228,046 web-facing computers. Despite the sustained decline in the total number of sites, the number of web-facing computers has continued to grow, increasing by over 35,000 this month.

This month's loss of web sites was felt by each major web server vendor; however, some were hit harder than others. Microsoft once again suffered the largest loss (9.2 million web sites), followed by Apache (3.9 million) and nginx (917,000). Despite both Apache and Microsoft's shrinking numbers of sites, Apache's lead over Microsoft grew by one percentage point, to more than 11%.

Nginx continues to be the only major vendor consistently increasing in market share amongst the million busiest sites, gaining over 2,000 sites this month. It is now used by 21.43% of the top million sites, 9 percentage points more than Microsoft. Apache remains resilient, keeping its number-1 position with 49.19% of the top million sites, but continues its slow decline after losing nearly 1,600 sites.

The total number of web-facing computers found increased by more than 35,000 this month, with the growth split mostly between nginx and Apache, which gained 19,000 and 17,000 computers each. After a gain of 23,000 computers last month, Microsoft IIS gained only 804 computers, resuming its long-term decline in market share.

This month, there were a total of 433 new gTLDs with at least one website, 23 more than in March. The new gTLDs are now used by 1.5% of all sites seen in the survey. The largest increase was seen in .property which grew by more than 35,000 sites, overtaking the plural TLD .properties which has just under 10,000 sites. The new .property sites are mostly short premium domain names which have been registered for some time, and have now started advertising themselves for sale.

The decision by the ICANN New gTLD Program Committee to allow both plural and singular forms of the same word has been a controversial one, the Governmental Advisory Committee recommended reviewing it, but "after careful consideration" ICANN decided that no changes were needed in order to address the potential consumer confusion. The decision should, however, lead to increased competition, with .property being run by Uniregistry, Corp while .properties is run by Donuts Inc.

Total number of websites

Web server market share

DeveloperMarch 2015PercentApril 2015PercentChange
Apache337,175,53638.39%333,285,74139.25%0.87
Microsoft245,496,53327.95%236,288,84327.83%-0.12
nginx127,191,69614.48%126,274,77814.87%0.39
Google20,097,7022.29%20,051,4332.36%0.07
Continue reading

Google’s April Fool’s prank inadvertently broke their security

As part of its traditional series of April Fool's day jokes, Google used its own .google gTLD to launch a backwards version of its home page from the domain com.google on 1st April.

However, this year's joke inadvertently undermined an important security feature on Google's real homepage, which made it vulnerable to user interface redressing attacks such as click-jacking. This vulnerability would have allowed a remote attacker to change a user's search settings, including turning off SafeSearch filters.

The backwards content displayed on com.google

The backwards content displayed on com.google on 1 April 2015

The issue stemmed from the way com.google used an iframe to display backwards content from google.com. This would not normally be possible, as google.com uses the X-Frame-Options HTTP response header to prevent other websites from displaying itself within an iframe. But for the purpose of the April Fool's joke, Google stepped around this problem by passing the parameter "igu=2" to google.com, which not only told it to display the content backwards, but also instructed the server to omit the X-Frame-Options header entirely.

com.google uses an iframe to display a backwards search page from google.com. Also not the reversed text in the HTML comment, revealing that it is an April Fool's day joke.

com.google used an iframe to display a backwards search page from google.com. Also note the reversed text in the HTML comment.

A remote attacker could also have leveraged this "feature" to display the Google Search Settings page in an iframe on an external domain, and trick his victims into unwittingly changing those settings. A carefully constructed clickjacking attack could have gone unnoticed by each victim until it was too late and the settings had already been changed.

To highlight the different responses, the following was an ordinary response from Google's Search Settings page at https://www.google.com/preferences?hl=en&fg=1. Note the presence of the X-Frame-Options header:

HTTP/2.0 200 OK
Alternate-Protocol: 443:quic,p=0.5
Cache-Control: private
Content-Encoding: gzip
Content-Length: 35486
Content-Type: text/html; charset=UTF-8
Date: Wed, 01 Apr 2015 09:54:14 GMT
Expires: Wed, 01 Apr 2015 09:54:14 GMT
Server: gws
Set-Cookie: [redacted]
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Firefox-Spdy: h2-15

Conversely, with the igu=2 parameter appended, the X-Frame-Options header was omitted from the response, allowing the page to be displayed in a frame on an attacker's own website:

HTTP/2.0 200 OK
Alternate-Protocol: 443:quic,p=0.5
Cache-Control: private
Content-Encoding: gzip
Content-Length: 33936
Content-Type: text/html; charset=UTF-8
Date: Wed, 01 Apr 2015 09:58:30 GMT
Expires: Wed, 01 Apr 2015 09:58:30 GMT
Server: gws
Set-Cookie: [redacted]
X-XSS-Protection: 1; mode=block
X-Firefox-Spdy: h2-15
Google's Search Settings being successfully displayed within an iframe on a Netcraft domain

Google's Search Settings being successfully displayed within an iframe on a Netcraft domain on 1 April 2015 (this content is not served backwards).

Changes made to the above settings via the iframe would persist across the user's session when they subsequently used google.com in a normal window. Netcraft reported this issue to Google and it has since been resolved — the method described in this article can no longer be used to display the settings page within an iframe on an external domain.

Critical Windows vulnerability affects at least 70 million websites

The race is on to patch nearly a million Windows web servers, following the publication of code that can identify the presence of a serious vulnerability announced by Microsoft on Tuesday.

The critical vulnerability lies within Microsoft's HTTP protocol stack, known as HTTP.sys. The maximum security impact, according to Microsoft Security Bulletin MS15-034, is remote code execution — by sending a specially crafted HTTP request to a vulnerable server, a remote attacker can execute arbitrary code on that server.

An ongoing scan for this vulnerability suggests that the test performed by the published code is inconclusive, as it might erroneously give the all-clear to a server that returns non-static content, even if it is in fact vulnerable.

However, Netcraft's latest Web Server Survey shows more than 70 million websites could be vulnerable, including Microsoft IIS servers that sit behind non-Windows load balancers. The total number of servers involved in hosting these sites stands at around 900,000, which is more than a sixth of all web-facing computers in the world.

The affected versions of Windows includes Windows Server 2008 R2, 2012 and 2012 R2. Windows 7, 8 and 8.1 are also vulnerable, but are not commonly used to host websites. Microsoft's security bulletin does not include Windows Server 2003 in the list of affected versions, so the 130 million sites that run IIS 6.0 on this older operating system would appear to be safe (at least from this particular issue).

Given the swift publication of code that could potentially be developed into a practical exploit, it is essential that all Windows server administrators apply the necessary security updates as a matter of urgency.

Microsoft has already released a security update for this vulnerability, so don't delay, apply today!

Most Reliable Hosting Company Sites in March 2015

Rank Performance Graph OS Outage
hh:mm:ss
Failed
Req%
DNS Connect First
byte
Total
1 Bigstep Linux 0:00:00 0.000 0.113 0.063 0.127 0.128
2 Netcetera Windows Server 2012 0:00:00 0.000 0.056 0.084 0.168 0.168
3 Datapipe Linux 0:00:00 0.004 0.090 0.012 0.024 0.032
4 Qube Managed Services Linux 0:00:00 0.004 0.096 0.038 0.077 0.077
5 EveryCity SmartOS 0:00:00 0.004 0.082 0.066 0.133 0.133
6 Codero Citrix Netscaler 0:00:00 0.004 0.157 0.095 0.228 0.423
7 Swishmail FreeBSD 0:00:00 0.009 0.117 0.063 0.126 0.160
8 XILO Communications Ltd. Linux 0:00:00 0.009 0.190 0.067 0.135 0.135
9 iWeb Linux 0:00:00 0.009 0.125 0.072 0.143 0.143
10 SingleHop Linux 0:00:00 0.009 0.208 0.075 0.152 0.152

See full table

Bigstep had the most reliable hosting company website in March, responding to all of our requests. This is the 13th time that Bigstep has appeared in the top 10 since Netcraft began monitoring its website in March 2013, and the first time it has topped the ranking. Bigstep offers "full metal" cloud services from data centres in the UK and Germany, providing bare metal hosting with the flexibility of the cloud.

Netcetera's website also responded to all of our requests in March, placing second due to a slightly slower average connect time. Netcetera run a carbon neutral data centre on the Isle of Man and offers shared, dedicated and cloud hosting services.

Four websites responded to all but one request in March, Datapipe, Qube Managed Services, EveryCity and Codero. Datapipe is ranked in third place based on its shorter average connect time, having taken one of the top three spots in four of the past five months. Datapipe boasts a 100% Network Uptime Guarantee, and has kept this promise on its own site, with 100% uptime for the past 9 years.

Linux remains the most popular operating system in the top 10 with six of the hosting companies choosing to use the OS for their websites. The four other websites all use different operating systems: Windows Server 2012, SmartOS, Citrix Netscaler and FreeBSD.

Netcraft measures and makes available the response times of around forty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.

From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as this gives a pointer to reliability of routing, and this is why we choose to rank our table by fewest failed requests, rather than shortest periods of outage. In the event the number of failed requests are equal then sites are ranked by average connection times.

Information on the measurement process and current measurements is available.