Netcraft Extension adds credential leak detection
28th August, 2020
The Netcraft Browser Extension now offers credential leak detection for extra protection against shopping site skimmers.
With brick-and-mortar shops around the world closed due to COVID-19, consumers turned to online businesses to fulfil their shopping needs. According to Adobe’s Digital Economy Index report, US online spending in June was $73 billion, up 76% from $42 billion last year. Even with restrictions lifted, research commissioned by Visa suggests that 74% of Britons who shopped online more often during the lockdown will continue to do so.
Now more than ever it is important to protect against JavaScript skimmers. These are snippets of malicious code which criminals upload to compromised shops. Unbeknownst to the store owner or the user, they transmit entered card details directly to the criminal. Unlike scams such as phishing, which can often be avoided by a vigilant internet user, skimmers are invisible to the human eye without a tool such as the Netcraft Extension to expose them.
Netcraft currently blocks over 6,000 shopping sites which contain skimmers, and even large companies such as British Airways, Ticketmaster and Puma have fallen prey to these attacks in the past.
The Netcraft Extension identifying and blocking a skimmer on an online shop
When you visit a shopping site, the Netcraft extension will evaluate all requests made by the web page. If a request is found to be sending credentials to a different domain, the extension will block the request to prevent your data from being stolen. A block screen will notify you about the request and provide information about the malicious behaviour that was detected. Only card number leaks are currently blocked, but other types of credentials may be enabled in future updates.
For example, if you check out using your credit card on exampleshoppingsite.com but your card details are sent to examplebadsite.com, the extension will block the request. This checking is done locally and securely in your browser – no sensitive information is sent to Netcraft.
The extension will also block pages which make requests to malicious domains that are part of JavaScript attacks.
In addition to shopping site skimmers, the Netcraft Extension also protects against other malicious JavaScript, phishing and fake shops, including those related to coronavirus. The extension is available for Chrome, Firefox, Opera and the new Microsoft Edge based on Chromium.
If you already have the Netcraft Extension installed, your browser will update it automatically.
August 2020 Web Server Survey
26th August, 2020
In the August 2020 survey we received responses from 1,230,576,586 sites across 261,821,287 unique domains and 10,349,486 web-facing computers. This represents a loss of 3.65 million sites, but a gain of 1.16 million domains and 128,000 computers.
The number of web-facing computers using nginx increased by 83,000 this month, which means that - for the first time - nginx is in use by more web-facing computers than any other web server, including Apache. This is another milestone for nginx, and reflects its impressive growth in recent years.
Apache still serves more active sites than nginx, and a greater proportion of the top million busiest sites, but this month its decline in these metrics continued. One year ago, among the top million busiest sites, nginx trailed Apache’s market share by 6 percentage points. nginx has since halved this gap, and is now less than 3 percentage points behind. If the current trend continues, it won’t be long before nginx overtakes Apache in this area too.
As well as a marked decrease in total sites this month of 22.14 million (-15.8%), Microsoft also suffered in other metrics this month. The number of domains served using Microsoft software dropped by 8.27 million (-18.4%), and 19,000 fewer web-facing computers (-1.2%) are running Microsoft web servers. Microsoft also lost 633,000 active sites (-7.3%).
New vendor releases
Apache released three new versions of httpd this month. Version 2.4.44 fixed several bugs, version 2.4.45 dropped support for the abandoned HTTP2 Cache Digests proposal, and version 2.4.46 fixed three security vulnerabilities.
This month nginx released updates for three of its products. nginx 19.1.2 mainline was released on 11 August with a few minor optimizations and several bugfixes. On the same day, njs 0.4.3 was released, adding support for the querystring module. On 13 August nginx Unit 1.19.0 was released, which introduced several new features, improved performance, and fixed a number of bugs.
| Developer | July 2020 | Percent | August 2020 | Percent | Change |
|---|---|---|---|---|---|
| nginx | 451,156,878 | 36.55% | 448,602,806 | 36.45% | -0.10 |
| Apache | 314,054,523 | 25.45% | 318,307,245 | 25.87% | 0.42 |
| Microsoft | 140,264,332 | 11.36% | 118,126,662 | 9.60% | -1.77 |
| 44,290,430 | 3.59% | 44,326,227 | 3.60% | 0.01 |
Most Reliable Hosting Company Sites in July 2020
4th August, 2020
| Rank | Performance Graph | OS | Outage hh:mm:ss |
Failed Req% |
DNS | Connect | First byte |
Total |
|---|---|---|---|---|---|---|---|---|
| 1 | Webair | Linux | 0:00:00 | 0.000 | 0.332 | 0.070 | 0.139 | 0.140 |
| 2 | Swishmail | Linux | 0:00:00 | 0.000 | 0.258 | 0.081 | 0.162 | 0.162 |
| 3 | ServerStack | Linux | 0:00:00 | 0.000 | 0.259 | 0.084 | 0.167 | 0.167 |
| 4 | Multacom | Linux | 0:00:00 | 0.000 | 0.319 | 0.118 | 0.237 | 0.237 |
| 5 | New York Internet (NYI) | FreeBSD | 0:00:00 | 0.005 | 0.566 | 0.056 | 0.110 | 0.110 |
| 6 | Hyve Managed Hosting | Linux | 0:00:00 | 0.005 | 0.186 | 0.075 | 0.149 | 0.149 |
| 7 | CWCS Managed Hosting | Linux | 0:00:00 | 0.005 | 0.326 | 0.079 | 0.160 | 0.160 |
| 8 | Bigstep | Linux | 0:00:00 | 0.010 | 0.236 | 0.076 | 0.153 | 0.153 |
| 9 | www.dinahosting.com | Linux | 0:00:00 | 0.010 | 0.321 | 0.092 | 0.185 | 0.185 |
| 10 | krystal.uk | Linux | 0:00:00 | 0.014 | 0.251 | 0.092 | 0.182 | 0.182 |
Webair had the most reliable hosting company site in July 2020. The top four hosting company sites each responded to all of Netcraft's requests in July and were separated by average connection time. Webair provides a range of services including managed hosting solutions and high performance cloud environments, with colocation available in North America, Europe and Singapore.
Swishmail appeared in second place and provides business email services alongside hosting solutions. ServerStack and Multacom complete the top four in third and fourth place respectively. ServerStack has now appeared in the top 10 for the last six consecutive months and offers managed and dedicated hosting solutions from its three data centres across the US and Europe. Multacom operates in Los Angeles, and focuses on providing custom dedicated servers, colocation services and cloud solutions.
Netcraft phishing and cybercrime protection app for iOS available globally
3rd August, 2020
Netcraft has released a new version of its phishing and cybercrime protection app for iOS. The app protects users around the world from online threats including phishing, JavaScript skimmers, fake shops, and coronavirus scams. The Netcraft app is available for download today on iOS, Android, and Amazon devices:
Our iOS app protects against online threats, with new attacks blocked within 15 minutes of being identified as fraudulent by Netcraft. It offers a 28-day free trial of all features, after which a monthly or annual subscription can be purchased for $1.99 or $9.99 (£1.99 or £9.99).
You can use the app without a subscription to report suspicious sites to Netcraft with just a few taps, and automatically report URLs in SMS and iMessages from unknown senders.
Wherever you are, the app defends against phishing attacks targeting regional services such as governments and banks. In addition, it protects users against other types of online threat such as JavaScript skimmers on eCommerce sites, fake shops imitating well-known brands, new threats such as coronavirus scams, and attacks targeting global entities – such as cloud services, financial institutions, and social media.
July 2020 Web Server Survey
27th July, 2020
In the July 2020 survey we received responses from 1,234,228,567 sites across 260,658,118 unique domains and 10,221,919 web-facing computers. This represents a gain of 9.47 million sites and 180,000 computers, but a loss of 1.75 million domains.
Most of the major server vendors saw gains in total sites this month: Apache gained 9.8 million sites after a loss of roughly the same size last month, while Microsoft and nginx gained 5.4 million and 2.5 million sites respectively. LiteSpeed continued to see strong growth, gaining 1.95 million new sites this month. Although it makes up 2.17% of the market, this represents strong growth from 1.62% at the start of the year.
nginx showed the highest growth in terms of domains, gaining 200,000. Losses of 1.1 million domains for Microsoft and 998,000 for Apache have further boosted nginx’s lead in this metric, and it now stands around 30 million domains ahead with a 29.8% (+0.27 pp) market share.
nginx also showed the highest growth in web-facing computers, with an increase of 97,000 taking its total to 3.5 million and leaving it just 9,000 computers (0.09 pp of market share) shy of Apache, the current leader. Apache has consistently had the highest number of web-facing computers since Netcraft began tracking the metric in 2007, but has slowly been losing market share – primarily to nginx. Microsoft trails in third position with a total of 1.6 million web-facing computers, around half that of nginx and Apache.
New vendor releases
LiteSpeed announced the first release candidate of LiteSpeed Web Server 6.0 on 17 July. This release brings several major new features such as support for conditionals in Apache configuration files, asynchronous execution of the mod_security Web Application Firewall, and sandboxed execution environments for PHP and CGI scripts. It also adds support for the latest HTTP/3 specification, draft 29. LiteSpeed has historically been fast to adopt new draft versions of HTTP/2 and HTTP/3, often implementing support within a month of a new draft’s release.
nginx 1.19.1 mainline was announced on 7 July with a few minor changes and bugfixes – mainline being the release stream which receives new feature updates. Alongside this, nginx released version 0.4.2 of njs, a custom subset of JavaScript which allows nginx’s functionality to be extended. This release adds new regular expression and filesystem methods to the language, in addition to bugfixes.
| Developer | June 2020 | Percent | July 2020 | Percent | Change |
|---|---|---|---|---|---|
| nginx | 448,673,487 | 36.63% | 451,156,878 | 36.55% | -0.08 |
| Apache | 304,288,405 | 24.84% | 314,054,523 | 25.45% | 0.60 |
| Microsoft | 134,874,928 | 11.01% | 140,264,332 | 11.36% | 0.35 |
| 43,449,240 | 3.55% | 44,290,430 | 3.59% | 0.04 |
Thousands of shop, bank, and government websites shut down by EV revocation
13th July, 2020
More than two thousand sites using Extended Validation certificates stopped working this weekend and remain inaccessible today (Monday), including those run by banks, governments, and online shops. The EV certificates used by these sites were revoked on Saturday, and have yet to be replaced. Most visitors using modern web browsers are completely locked out: this certificate error cannot be bypassed in Chrome, Firefox, Safari, or Microsoft Edge.
Chrome’s unbypassable revoked certificate interstitial on online.anz.com. ANZ is one of the"big four" Australian banks.
The first batch of revocations happened this weekend. While most of the certificates revoked on Saturday 11th July have been correctly replaced and reinstalled, many have not.
On Monday morning, Netcraft found 3,800 sites still using EV certificates issued by the affected sub-CAs. Of these 3,800, more than 2,300 were still using a revoked EV certificate, completely disabling the sites for users in modern browsers, which handle EV revocation more robustly than other types of certificate. The remainder are yet to be revoked.
Many organisations appear to have been caught unawares, continuing to use revoked EV certificates, including The State Bank of India, Rackspace, Authorize.net, ANZ Bank, and Telegram.
Authorize.net using a revoked EV certificate
The New Zealand government using a revoked EV certificate
Wirecard, the beleaguered German payment processor, briefly had its main site, www.wirecard.com, displaying a certificate warning early on Monday, but the certificate has since been replaced with a working non-EV certificate. There are still a number of Wirecard domains with revoked certificate warnings.