From: mhp@netcraft.com (Mike Prettejohn)
To: lwn@lwn.net
Subject: March 2002 Netcraft Web Server Survey
Date: Mon, 1 Apr 2002 03:21:11 +0100 (BST)

The March 2002 Netcraft Web Server Survey is out;

http://www.netcraft.com/survey/

Top Developers

Developer   February 2002   Percent   March 2002   Percent   Change
Apache           22462777     58.43     20492088     53.76    -4.67
Microsoft        11198727     29.13     12968860     34.02     4.89
iPlanet           1123701      2.92       889857      2.33    -0.59
Zeus               837968      2.18       855103      2.24     0.06

Developer   February 2002   Percent   March 2002   Percent   Change
Apache           10147402     65.18      9522954     64.37    -0.81
Microsoft         4069193     26.14      3966743     26.81     0.67
iPlanet            283112      1.82       265826      1.80    -0.02
Zeus               177225      1.14       170023      1.15     0.01

Around the Net

Microsoft gains almost 2 million sites this month, primarily as a result of [1]register.com and [2]Network Solutions migrating their domain parking facilities to a Windows front end.

Network Solutions has been running part of its domain parking system on Windows for some time, and has been moving progressively more of its sites from a Solaris Netscape-Enterprise system at [3]Digex to a Windows based system at [4]Interland. Several hundred thousand sites seem to have moved to this [5]system this month, and the drop in Netscape-Enterprise is largely a result of this. Ironically, many of the sites were hacked a few days later, Newsbytes [6]reports.

register.com seems to be partway through a migration to Windows. Presently, the bulk of the page content is still served from [7]Linux, with a Windows platform serving framesets referencing the Linux based page content as on this example [8]site.

Crypto Regulations Cast Long Shadow

Recently, the strength of SSL key lengths has been the subject of heated [9]debate in security circles, after [10]Nicko van Someren disclosed that he is able to break 512-bit keys in around six weeks, using conventional office computers.
The [11]analysis focuses on the key length used for the server's public key (the key which is used to prove the authenticity of the server to web browsers). The longer the key, the harder it is for an attacker to break the key - if this key is broken, it can compromise both past and future secure browsing sessions, and allow the attacker to impersonate the server. Most experts currently recommend a key length of at least 1024 bits as secure, and some of the strongest debate has concerned the perceived safety of these 1024 bit keys.

However, a more timely aspect to the work is to highlight the number of SSL servers currently in use on the internet, and their geographical location. Although US export restrictions on strong cryptography have been relaxed in recent years, data collected as part of our [12]SSL Server Survey shows that the US export legislation, and locally enacted legislation to restrict the use of cryptography in countries with repressive or eccentric administrations, still cast a shadow over the security of ecommerce even years after the acts have been repealed.

Internet-wide, around 18% of SSL Servers use potentially vulnerable key lengths. However, these tend to be concentrated in geographical areas outside the United States and its close trading partners. In the US, where over 60% of SSL sites are situated, and in Canada, only around 15% of sites are using short keys. In most European countries over 25% are still using short keys, and in France, which had laws restricting the use of cryptography until relatively recently, over 40% of sites are using short keys.

US export regulations (described in detail by the [13]crypto law survey) have had a discernible impact in slowing use of strong cryptography outside of the States. One reason export grade cryptography remains quite common is that the relative weakness of the server's choice of cryptography is not obvious to the end user, so there is little pressure to make the change.
Browser developers are in a position to help change this, perhaps by displaying a graded indication of key length rather than the present lock symbol displayed on all SSL sessions regardless of strength.

Solaris 9 to be released shortly

[14]news.com reports that Solaris 9 will ship in the next ninety days. [15]playground.sun.com, usually a staging ground for new Sun operating system releases, is already running a modified TCP/IP stack that we think may be Solaris 9. Conversely [16]www.sun.com seems to have only moved to Solaris 8 in the last month.

References

 1. http://www.register.com/
 2. http://www.netsol.com/
 3. http://www.digex.com/
 4. http://www.interland.com/
 5. http://www.netcraft.com/whats?site=64.225.154.175
 6. http://online.securityfocus.com/news/357
 7. http://www.netcraft.com/whats?site=futuresite.register.com
 8. http://www.auraweb.net/
 9. http://slashdot.org/article.pl?sid=02/03/25/2125211&mode=thread
10. http://www.ncipher.com/about/mgmt_team.html
11. http://www.ncipher.com/about/news.php
12. http://www.netcraft.com/ssl/
13. http://cwis.kub.nl/~frw/people/koops/lawsurvy.htm
14. http://news.com.com/2100-1001-865257.html
15. http://www.netcraft.com/whats?site=playground.sun.com
16. http://www.netcraft.com/whats?site=www.sun.com

Internet Research from Netcraft.

Netcraft does commercial internet research projects. These include custom cuts on the Web Server Survey data, hosting industry analysis, corporate use of internet technology and bespoke projects. All of the data is gathered through network exploration, not teleresearch.

sales@netcraft.com

Network Security Testing from Netcraft.

Netcraft provides automated network security testing of customer networks and consultancy audits of ecommerce sites. Clients include IBM, Hewlett Packard, Deloitte & Touche, Energis, Britannic Asset Management, Guardian Royal Exchange, Lloyds of London, Laura Ashley, etc.
Details at http://www.netcraft.com/security/

To unsubscribe from the Netcraft Web Server Survey Announcements list send the message

    unsubscribe webserver-survey

to majordomo@netcraft.com

To resubscribe send the message

    subscribe webserver-survey

Mike

--
Mike Prettejohn
mhp@netcraft.com   Phone +44 1225 447500   Fax +44 1225 448600
Netcraft   Rockfield House   Granville Road   Bath   BA1 9BQ   England