From: mhp@netcraft.com (Mike Prettejohn)
To: lwn@lwn.net
Subject: November 2001 Netcraft Web Server Survey
Date: Sat, 1 Dec 2001 08:17:22 GMT
The November 2001 Netcraft Web Server Survey is out;
http://www.netcraft.com/survey/
Top Developers

Developer     October 2001  Percent  November 2001  Percent  Change
Apache            18851352    56.89       20713781    56.81   -0.08
Microsoft          9607363    28.99       10844419    29.74    0.75
iPlanet            1278720     3.86        1310502     3.59   -0.27
Zeus                775438     2.34         800661     2.20   -0.14

Active Sites

Developer     October 2001  Percent  November 2001  Percent  Change
Apache             7781145    61.36        7750275    61.88    0.52
Microsoft          3612310    28.49        3307207    26.40   -2.09
iPlanet             249418     1.97         431935     3.45    1.48
Zeus                171023     1.35         174052     1.39    0.04
Around the Net
Unusually, numbers of active sites running on Solaris &
Netscape-Enterprise rose this month, primarily because of the
extension of facilities on a Network Solutions domain parking system
to include simple small html [1]sites as part of the parking
facility. Network Solutions is by far iPlanet's largest installation
in terms of numbers of hostnames, and the iPlanet active site numbers
would fall considerably if they were persuaded to [2]switch. Earlier
in the year Network Solutions switched part of their hosting
operations to Windows 2000.
By contrast, the principal reason for the fall in active Microsoft-IIS
sites this month was the change in business model at a large hoster
of free shared sites, [3]Homestead, which last month revoked access to
many of their users' free sites in the hope that they might pay to
regain access to their site content.
Security of some high profile JSP sites in question
Over the last couple of [4]months we reviewed Microsoft-IIS based
ecommerce sites and the significant improvement in their security
prompted by the combination of Code Red and Microsoft's first
cumulative patch. A reasonable interpretation of the significant fall
in the number of vulnerable Microsoft-IIS sites tested by Netcraft is that
Code Red was so disruptive that sites could ignore security no longer,
and the cumulative patch gave them a convenient solution whereby
addressing the Code Red problem solved several other standard
vulnerabilities as well.
One technology that is yet to have this kind of stimulus towards
security is JavaServer Pages (JSP). Although not widely deployed by rank
and file sites, JSP is quite a common technology on ecommerce sites
that prefer a Sun based solution to the Microsoft platform. Often,
users of JSP technology have invested very significant sums in their
sites, and their sites often provide core stockbroking, banking,
retail, ticketing and ecommerce services to the internet community,
where large sums of money can change hands.
On these sites identity theft is a very serious issue, enabling an
attacker to, for example, buy goods or transfer money, using the
identity and account information of another customer of the site.
In November 2000, Netcraft reported a [5]vulnerability in session IDs
generated by a variety of Java Application Servers based on Sun's
reference implementation of the Java Servlet Developers Kit (JSDK
2.0), including Java Web Server (JWS) from V1.1, IBM WebSphere and ATG
Dynamo e-Business Platform. Typically with these systems, each user
connecting to the site is issued with a unique session ID, which is
then used to identify all subsequent requests made by that user,
either encoded in the URLs, or as a cookie. The server can then store
data for each user session, for instance the state of a web shopping
cart. Session IDs are also often used to control access to sites
requiring a login; instead of sending the username/password with every
request, the site issues a session ID after the user logs on, which
identifies the user for the rest of the session.
The attack demonstrates a way for a person to hijack another
customer's session and complete transactions as if they were that
customer. This is fundamental to ecommerce systems, and one might have
expected that the advisory would be quickly acted on. Remarkably, a year
on from the advisory, there are well over a thousand transactional sites
still using predictable session ids on the internet, including several
very high profile ones.
If you are using a JSP based system, and are not confident that your
session ids are unpredictable, study the [6]advisory, and if you are
still not confident, we would be pleased to answer [7]questions.
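As an added illustration (not Netcraft's code or the advisory's method), the check below is the kind of self-audit the paragraph above recommends: collect a sample of session IDs your own server issues and measure how much they actually vary. The counter-style sample is constructed for the demonstration and is not the format of any real product; the threshold of 64 bits is an assumed minimum.

```python
import math
import secrets
from collections import Counter


def new_session_id(nbytes=16):
    """Issue a session ID from the OS CSPRNG: 16 bytes = 128 bits, hex encoded."""
    return secrets.token_hex(nbytes)


def position_entropy_bits(ids):
    """Sum, over character positions, of the empirical Shannon entropy of that
    position across the sample. Positions that never change contribute 0 bits,
    so a counter-style ID scores far below a random ID of the same length."""
    if not ids:
        return 0.0
    width = min(len(s) for s in ids)
    n = len(ids)
    total = 0.0
    for pos in range(width):
        counts = Counter(s[pos] for s in ids)
        total -= sum(c / n * math.log2(c / n) for c in counts.values())
    return total


def looks_predictable(ids, min_bits=64.0):
    """Flag a sample whose observed variability falls below min_bits.
    A sample of n IDs can show at most log2(n) bits per position, so collect
    a few hundred IDs before drawing conclusions."""
    return position_entropy_bits(ids) < min_bits


# Constructed sample: a hypothetical server handing out counter-based IDs.
# This is not any real product's format; it only shows the symptom to look for.
PREDICTABLE_SAMPLE = [f"SESS{1_000_000 + 7 * i:010d}" for i in range(200)]

if __name__ == "__main__":
    good = [new_session_id() for _ in range(200)]
    print("counter-based sample:", round(position_entropy_bits(PREDICTABLE_SAMPLE), 1), "bits")
    print("CSPRNG sample:       ", round(position_entropy_bits(good), 1), "bits")
```

Run it against IDs captured from your own server over a few hundred fresh sessions; a result anywhere near the counter-based figure means the IDs are guessable and the generator should be replaced.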
Netcraft also released an [8]advisory in conjunction with Macromedia
earlier this week concerning the JRUN product, which can be induced to
reveal the source code of java server pages in some circumstances.
Her Majesty replaces Linux
Two years ago the Queen of England became an unlikely icon for the
Linux revolution when her webmaster replaced Solaris as the platform
for the [9]Royal Family's site, citing the better price/performance
of the Dell/Linux platform over the previous incumbent, Sun/Solaris.
The open source community [10]celebrated and speculated on when the
Apache web server might receive the "By Royal Appointment" moniker.
This week the site has changed platforms [11]again, this time to
Microsoft-IIS.
The Queen [12]launched the updated site yesterday, remarking that the
new site took advantage of changes in internet technology, including
Flash and DHTML, but so far as we can tell, made no comments about the
relative merits of the underlying platforms.
Buckingham Palace told Netcraft that the site's new designers were
responsible for the decision to change platforms. The Palace have
thoughtfully provided a contact information [13]page for people with
questions about the site, as there is sure to be a lot of interest in the
change at what has been an icon of Linux's progress into the
establishment and a Red Hat reference site.
Exodus sold to Cable & Wireless
Today, [14]Exodus was sold to Cable & Wireless for a total of around
$850M. The sale cannot have come a moment too soon for creditors, as
around 20% of Exodus' customers have departed since the company
entered Chapter 11 during the summer.
Internet Research from Netcraft.
Netcraft does commercial internet research projects. These include
custom cuts on the Web Server Survey data, hosting industry analysis,
corporate use of internet technology and bespoke projects. All of the data
is gathered through network exploration, not teleresearch.
sales@netcraft.com
Network Security Testing from Netcraft.
Netcraft provides automated network security testing of customer networks
and consultancy audits of ecommerce sites. Clients include IBM,
Hewlett Packard, Deloitte & Touche, Energis, Britannic Asset Management,
Guardian Royal Exchange, Lloyds of London, Laura Ashley, etc.
Details at http://www.netcraft.com/security/
References
1. http://100milliondollarclub.com/
2. http://www.netcraft.com/cgi-bin/Survey/whats?host=100milliondollarclub.com
3. http://anything.homestead.com/
4. http://www.netcraft.com/Survey/index-200110.html
5. http://www.netcraft.com/security/public-advisories/2001-01.1.html
6. http://www.netcraft.com/security/public-advisories/2001-01.1.html
7. mailto:webmaster@netcraft.com
8. http://www.netcraft.com/security/public-advisories/2001-11.1.html
9. http://www.royal.gov.uk/
10. http://slashdot.org/article.pl?sid=99/11/04/1716225&mode=thread
11. http://www.netcraft.com/cgi-bin/Survey/whats?host=www.royal.gov.uk
12. http://www.royal.gov.uk/output/Page790.asp
13. http://www.royal.gov.uk/output/Page855.asp
14. http://www.exodus.net/
To unsubscribe from the Netcraft Web Server Survey Announcements list
send the message
unsubscribe webserver-survey
to majordomo@netcraft.com
To resubscribe send the message
subscribe webserver-survey
Mike
--
Mike Prettejohn
mhp@@netcraft.com Phone +44 1225 447500 Fax +44 1225 448600
Netcraft Rockfield House Granville Road Bath BA1 9BQ England