From: mhp@netcraft.com (Mike Prettejohn)
To: lwn@lwn.net
Subject: November 2001 Netcraft Web Server Survey
Date: Sat, 1 Dec 2001 08:17:22 GMT

The November 2001 Netcraft Web Server Survey is out; http://www.netcraft.com/survey/

Top Developers

  Developer    October 2001  Percent  November 2001  Percent  Change
  Apache           18851352    56.89       20713781    56.81   -0.08
  Microsoft         9607363    28.99       10844419    29.74    0.75
  iPlanet           1278720     3.86        1310502     3.59   -0.27
  Zeus               775438     2.34         800661     2.20   -0.14

Active Sites

  Developer    October 2001  Percent  November 2001  Percent  Change
  Apache            7781145    61.36        7750275    61.88    0.52
  Microsoft         3612310    28.49        3307207    26.40   -2.09
  iPlanet            249418     1.97         431935     3.45    1.48
  Zeus               171023     1.35         174052     1.39    0.04

Around the Net

Unusually, numbers of active sites running on Solaris & Netscape-Enterprise rose this month, primarily because of the extension of facilities on a Network Solutions domain parking system to include simple small HTML [1]sites as part of the parking facility. Network Solutions is by far iPlanet's largest installation in terms of numbers of hostnames, and the iPlanet active site numbers would fall considerably if they were persuaded to [2]switch. Earlier in the year Network Solutions switched part of their hosting operations to Windows 2000.

By contrast, the principal reason for the fall in active Microsoft-IIS sites this month was the change in business model at [3]Homestead, a large hoster of free shared sites, which last month revoked access to many of their users' free sites in the hope that they might pay to regain access to their site content.

Security of some high profile JSP sites in question

Over the last couple of [4]months we reviewed Microsoft-IIS based ecommerce sites and the significant improvement in their security prompted by the combination of Code Red and Microsoft's first cumulative patch.
A reasonable interpretation of the significant fall in the number of vulnerable Microsoft-IIS sites tested by Netcraft is that Code Red was so disruptive that sites could ignore security no longer, and the cumulative patch gave them a convenient solution whereby addressing the Code Red problem solved several other standard vulnerabilities as well.

One technology that is yet to have this kind of stimulus towards security is Java Servlet Pages. Although not widely deployed by rank and file sites, JSP is quite a common technology on ecommerce sites that prefer a Sun based solution to the Microsoft platform. Often, users of JSP technology have invested very significant sums in their sites, and their sites often provide core stockbroking, banking, retail, ticketing and ecommerce services to the internet community, where large sums of money can change hands. On these sites identity theft is a very serious issue, enabling an attacker to, for example, buy goods or transfer money using the identity and account information of another customer of the site.

In November 2000, Netcraft reported a [5]vulnerability in session IDs generated by a variety of Java Application Servers based on Sun's reference implementation of the Java Servlet Developers Kit (JSDK 2.0), including Java Web Server (JWS) from V1.1, IBM WebSphere and ATG Dynamo e-Business Platform. Typically with these systems, each user connecting to the site is issued with a unique session ID, which is then used to identify all subsequent requests made by that user, either encoded in the URLs or as a cookie. The server can then store data for each user session, for instance the state of a web shopping cart. Session IDs are also often used to control access to sites requiring a login; instead of sending the username/password with every request, the site issues a session ID after the user logs on, which identifies the user for the rest of the session.
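As an added example, not code from Netcraft or from the advisory, here is a rough self-check for the "are my session IDs unpredictable?" question: capture a run of IDs your own server issues in sequence and feed them in. The two sample sets, the base-36 reading of the IDs and the thresholds are constructed assumptions for illustration.

```python
"""Rough self-check of session-ID unpredictability from a captured sample."""
import math
import re
import secrets
from collections import Counter


def positional_entropy_bits(ids):
    """Sum over character positions of the Shannon entropy of the symbols seen
    there. Counter-like IDs score low because most positions never change."""
    width = min(len(s) for s in ids)
    n = len(ids)
    total = 0.0
    for pos in range(width):
        counts = Counter(s[pos] for s in ids)
        total -= sum(c / n * math.log2(c / n) for c in counts.values())
    return total


def small_step_fraction(ids, max_step=2 ** 24):
    """Fraction of consecutive IDs whose numeric distance (IDs read as base-36
    integers, non-alphanumerics dropped) is below max_step. A counter or a
    clock-derived ID moves in small steps; a random one almost never does."""
    values = [int(re.sub(r"[^0-9a-z]", "", s.lower()), 36) for s in ids]
    steps = [abs(b - a) for a, b in zip(values, values[1:])]
    return sum(1 for d in steps if d < max_step) / len(steps)


def assess(ids, min_bits=64):
    """Return (verdict, entropy_bits, small_step_fraction) for a sample."""
    bits = positional_entropy_bits(ids)
    frac = small_step_fraction(ids)
    weak = bits < min_bits or frac > 0.5
    return ("PREDICTABLE" if weak else "OK", bits, frac)


# Constructed sample: counter-style IDs of the kind a naive generator hands out.
WEAK_IDS = [f"{1006650000 + 7 * i:016d}" for i in range(40)]
# Constructed sample: what a CSPRNG-backed generator produces.
STRONG_IDS = [secrets.token_hex(16) for _ in range(40)]

if __name__ == "__main__":
    for name, sample in (("counter", WEAK_IDS), ("random", STRONG_IDS)):
        verdict, bits, frac = assess(sample)
        print(f"{name:8s} {verdict:12s} entropy~{bits:6.1f} bits  small-step={frac:.2f}")
```

The entropy figure is only an upper bound from a small sample; a clean result here does not prove the generator is sound, but a failing one is a reliable signal that it is not.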
The attack demonstrates a way for a person to hijack another customer's session and complete transactions as if they were that person. Session handling is fundamental to ecommerce systems, and one might have expected that the advisory would be quickly acted on. Remarkably, a year on from the advisory, there are well over a thousand transactional sites still using predictable session IDs on the internet, including several very high profile ones. If you are using a JSP based system and are not confident that your session IDs are unpredictable, study the [6]advisory, and if you are still not confident, we would be pleased to answer [7]questions.

Netcraft also released an [8]advisory in conjunction with Macromedia earlier this week concerning the JRun product, which can be induced to reveal the source code of Java server pages in some circumstances.

Her Majesty replaces Linux

Two years ago the Queen of England became an unlikely icon for the Linux revolution when her webmaster replaced Solaris as the platform for the [9]Royal Family's site, citing the better price/performance of the Dell/Linux platform over the previous incumbent, Sun/Solaris. The open source community [10]celebrated and speculated on when the Apache web server might receive the "By Royal Appointment" moniker.

This week the site has changed platforms [11]again, this time to Microsoft-IIS. The Queen [12]launched the updated site yesterday, remarking that the new site took advantage of changes in internet technology, including Flash and DHTML, but so far as we can tell made no comments about the relative merits of the underlying platforms. Buckingham Palace told Netcraft that the site's new designers were responsible for the decision to change platforms. The Palace have thoughtfully provided a contact information [13]page for people with questions about the site, as there is sure to be a lot of interest in the change at what has been an icon of Linux's progress into the establishment and a Red Hat reference site.
Exodus sold to Cable & Wireless

Today, [14]Exodus was sold to Cable & Wireless for a total of around $850M. The sale cannot have come a moment too soon for creditors, as around 20% of Exodus' customers have departed since the company entered Chapter 11 during the summer.

Internet Research from Netcraft

Netcraft does commercial internet research projects. These include custom cuts on the Web Server Survey data, hosting industry analysis, corporate use of internet technology and bespoke projects. All of the data is gathered through network exploration, not teleresearch. sales@netcraft.com

Network Security Testing from Netcraft

Netcraft provides automated network security testing of customer networks and consultancy audits of ecommerce sites. Clients include IBM, Hewlett Packard, Deloitte & Touche, Energis, Britannic Asset Management, Guardian Royal Exchange, Lloyds of London, Laura Ashley, etc. Details at http://www.netcraft.com/security/

References

 1. http://100milliondollarclub.com/
 2. http://www.netcraft.com/cgi-bin/Survey/whats?host=100milliondollarclub.com
 3. http://anything.homestead.com/
 4. http://www.netcraft.com/Survey/index-200110.html
 5. http://www.netcraft.com/security/public-advisories/2001-01.1.html
 6. http://www.netcraft.com/security/public-advisories/2001-01.1.html
 7. mailto:webmaster@netcraft.com
 8. http://www.netcraft.com/security/public-advisories/2001-11.1.html
 9. http://www.royal.gov.uk/
10. http://slashdot.org/article.pl?sid=99/11/04/1716225&mode=thread
11. http://www.netcraft.com/cgi-bin/Survey/whats?host=www.royal.gov.uk
12. http://www.royal.gov.uk/output/Page790.asp
13. http://www.royal.gov.uk/output/Page855.asp
14. http://www.exodus.net/

To unsubscribe from the Netcraft Web Server Survey Announcements list send the message "unsubscribe webserver-survey" to majordomo@netcraft.com. To resubscribe send the message "subscribe webserver-survey".

Mike

--
Mike Prettejohn  mhp@netcraft.com
Phone +44 1225 447500  Fax +44 1225 448600
Netcraft, Rockfield House, Granville Road, Bath BA1 9BQ, England