More than 850,000 websites still rely on the outdated TLS 1.0 and TLS 1.1 protocols that are scheduled to be blocked by the majority of web browsers this month. These older versions of the Transport Layer Security protocol, which date back to 1999 and 2006, are vulnerable to numerous practical attacks that have been resolved in later versions. Among the sites still using these outdated setups are major banks, governments, news, and telecoms companies. Big and small alike, such websites are about to be derailed by full-page browser warnings, with the added prospect of getting blocked entirely later on.
This all comes despite more than a year’s notice. Back in late 2018, the four largest browser vendors — Mozilla, Google, Apple, and Microsoft — jointly announced the deprecation of TLS 1.0 and 1.1, with support to be removed from their browsers in March 2020 or shortly thereafter. But a number of notable sites have not heeded these warnings, and have so far failed to switch to a version of TLS more modern than 1.0.
Included in the list is Huawei, which is already under fire for its less than reassuring security practices. But it’s not just Huawei that’s letting TLS 1.0-only servers slip through the cracks — the UK’s largest mobile network, O2, uses a TLS 1.0-based redirect services on https://o2.co.uk. Governmental websites are also no exception, including the South Africa Justice department, justice.gov.za, and the California Tax Service Center, taxes.ca.gov. Usage of TLS 1.0 is also particularly prevalent on less popular sites or internal services — places where browser security warnings may go unnoticed for some time.
|4||New York Internet (NYI)||FreeBSD||0:00:00||0.000||0.548||0.054||0.108||0.108|
|6||CWCS Managed Hosting||Linux||0:00:00||0.000||0.315||0.079||0.160||0.160|
In February 2020 Choopa.com had the most reliable hosting company site. This month, all 10 of the top 10 hosting company sites responded to all of Netcraft's requests and so were separated by average connection time. Choopa.com provides cloud hosting, dedicated servers, colocation and managed services from its primary data centre in Piscataway, New Jersey, and also has facilities in Los Angeles, Amsterdam and Tokyo.
In the February 2020 survey we received responses from 1,260,909,305 sites across 254,192,929 unique domains and 9,564,965 web-facing computers. This reflects a loss of 35.1 million sites and 11,900 computers, but a gain of 4.57 million domains.
The largest swings this month were seen for nginx. Despite losing 28.7 million sites and 64,500 web-facing computers, nginx excelled in other metrics this month, including a 3.06 million increase in unique domain count and a 675,000 increase in active sites count, building upon its rapid growth from last month.
Apache increased its share of the sites market this month by 0.53 percentage points, owed largely to the aforementioned drop in sites for nginx. This comes despite a drop of 1.77 million sites for Apache. Apache also lost 187,000 domains and 97,500 active sites this month. Apache did, however, gain an extra 6,400 web-facing computers. Apache is presently the most commonly used web server in terms of domains, active sites, and computers, and also has the greatest portion of the top one million busiest sites. The only metric in which it is currently beaten is the relatively unstable total count of sites (hostnames), for which nginx currently holds first place.
Microsoft saw modest growth in its counts of active sites (+193,000), web-facing computers (+9,890), and domains (+536,000). Microsoft saw a reduction of 2.65 million sites, but, like Apache, was left with an increase in its market share overall.
Apache released versions 7.0.100, 8.5.51, and 9.0.31 of its Tomcat Java Servlet software. The updates, which are largely the same across the major versions, include fixes, improvements, and some refactoring. Coyote, the HTTP connector component of Apache Tomcat, was found serving around 325,000 domains this month.
NGINX released an update for NGINX Unit, their open source dynamic application server, adding support for Ruby 2.7 and addressing a number of bugs.
|Developer||January 2020||Percent||February 2020||Percent||Change|
Posted in Web Server Survey
|4||Hyve Managed Hosting||Linux||0:00:00||0.000||0.170||0.074||0.148||0.149|
|10||New York Internet (NYI)||FreeBSD||0:00:00||0.005||0.528||0.054||0.108||0.108|
GoDaddy had the most reliable hosting company site in January 2020, with no failed requests and an average connection time of 4ms. This is the second consecutive month that GoDaddy has topped the table. GoDaddy provides a wide range of hosting and domain registration services, including its widely used website builder software, which gives customers a simple way to create a web presence.
In the January 2020 survey we received responses from 1,295,973,827 sites across 249,618,033 unique domain names and 9,576,845 web-facing computers. This reflects a gain of 27.7 million sites, 5.86 million domains, and 146,000 computers.
Apache, nginx, and Microsoft all saw increases in their totals for number of domains in January 2020, although nginx demonstrated substantially the largest growth (+2.53 million), bringing its market share up to 25.8% and its total to 64,391,621 domains. The growths this month for Apache (+80,900) and Microsoft (+66,300) were much smaller in comparison. An additional 2.18 million domains identified themselves as Cloudflare servers, an 11.3% increase since December, bringing the Cloudflare-exclusive server platform up to 21.4 million domains. LiteSpeed usage grew by 96,500 domains — a fairly consistent and strong 2.5% growth — giving it a new total of 3.97 million.
Looking instead over the span of the past year, Microsoft's domain count decreased by 12.1 million (-20.8%), whilst nginx grew by 12.5 million (+24.0%), partly due to a swing from Microsoft to nginx at GoDaddy seen in March. Apache's count of domains is largely the same as it was a year ago, only having shrunk slightly by 1.79 million domains (-2.4%).
The gains and losses in domains were also met with similar trends in active sites. The number of active sites seen by Netcraft in January 2020 increased to 189 million, up from 183 million since the previous month. Around 1.99 million of the increase came from nginx, and 1.12 million from Cloudflare, increasing their respective totals by +5.7% and +6.6%. Apache and Microsoft, on the other hand, remained fairly stable this month, but overall lost out over the course of a year. LiteSpeed's active site count also continues to grow steadily, increasing by 149,000 (+3.1%) this month to reach 4.95 million.
By count of web-facing computers, Apache, nginx, and Microsoft all demonstrated gains, with nginx showing the most significant gain of 83,700 additional computers since December. Over the past year, nginx has grown by 771,000 computers (+33.2%), far in excess of Apache's 192,000 (+6.1%) and Microsoft's 105,000 (+6.8%) growths.
Windows Server 2008 End-of-life
On January 14, 2020 Microsoft ended support for Windows Server 2008 and Server 2008 R2. As a component of the operating system, versions of Microsoft's IIS (Internet Information Services) are tightly bound to the Windows versions they run on, with IIS/7.5 being the version integrated into Windows Server 2008 R2. As such, IIS/7.5 is similarly end-of-life, receiving no further security fixes. Despite forward notice, and the availability of more modern versions, there is often a great deal of inertia preventing companies from upgrading operating system software before it falls out of support. As of January 2020, Netcraft counted 887,000 web-facing computers running Windows Server 2008 and 2008 R2, making them the most popular versions of Windows employed in the webserver market. Furthermore, over half of all counted Windows computers ran some end-of-life version of the Windows family of operating systems.
Turning to the use of IIS specifically, Netcraft found almost 2.85 million active sites running on IIS/7.5 - 32.5% of all active sites running on some version of IIS. Approximately 940,000 active sites run on even older versions of IIS. Within the top one million sites, 25,700 of the 77,800 sites running on IIS use an outdated version.
LiteSpeed Technologies released versions 1.6.5 and 1.5.11 of their open source OpenLiteSpeed web server. The updates introduce improvements to caching performance, security, and stability. The updates also see OpenLiteSpeed move to version 2.8.3 of lsquic, LiteSpeed's C implementation of the experimental QUIC and HTTP/3 transport protocols.
Nginx released version 1.14.0 of their Nginx Unit dynamic application server, providing additional features and bug fixes. Nginx also released a minor bugfix update for the open source edition of the main nginx web server product.
The Apache Tomcat project has released updated versions for each supported release of its Java HTTP server and Servlet container software. Versions 9.0.30, 8.5.50 and 7.0.99 include various fixes and updates.
|Developer||December 2019||Percent||January 2020||Percent||Change|
Posted in Web Server Survey
|2||New York Internet (NYI)||FreeBSD||0:00:00||0.000||0.495||0.054||0.109||0.109|
|4||Hyve Managed Hosting||Linux||0:00:00||0.000||0.141||0.074||0.148||0.148|
|5||CWCS Managed Hosting||Linux||0:00:00||0.000||0.275||0.079||0.160||0.160|
GoDaddy had the most reliable hosting company site in December 2019, with no failed requests and the fastest average connection time. In 2019, GoDaddy had one of the top 10 most reliable hosting company sites nine times. GoDaddy provides a wide range of hosting and domain registration services, including its widely used website builder software, which gives customers a simple way to create a web presence.
Your link here? Advertising on the Netcraft Blog