(Feb 3) Updated openldap packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate [More…]
| Rank | Performance Graph | OS | Outage hh:mm:ss |
Failed Req% |
DNS | Connect | First byte |
Total |
| 1 | Datapipe | FreeBSD | 0:00:00 | 0.007 | 0.090 | 0.020 | 0.039 | 0.059 |
| 2 | Qube Managed Services | Linux | 0:00:00 | 0.007 | 0.109 | 0.041 | 0.083 | 0.083 |
| 3 | Hyve Managed Hosting | Linux | 0:00:00 | 0.007 | 0.257 | 0.064 | 0.126 | 0.127 |
| 4 | Netcetera | Windows Server 2012 | 0:00:00 | 0.007 | 0.056 | 0.070 | 0.156 | 0.292 |
| 5 | Swishmail | FreeBSD | 0:00:00 | 0.007 | 0.133 | 0.073 | 0.144 | 0.189 |
| 6 | Bigstep | Linux | 0:00:00 | 0.011 | 0.314 | 0.065 | 0.137 | 0.228 |
| 7 | www.uk2.net | Linux | 0:00:00 | 0.011 | 0.152 | 0.069 | 0.142 | 0.224 |
| 8 | Server Intellect | Windows Server 2012 | 0:00:00 | 0.011 | 0.089 | 0.099 | 0.635 | 0.984 |
| 9 | Midphase | Linux | 0:00:00 | 0.015 | 0.262 | 0.120 | 0.243 | 0.444 |
| 10 | Anexia | Linux | 0:00:00 | 0.019 | 0.127 | 0.093 | 0.436 | 0.717 |
All of the top five hosting company sites started the year with only two failed requests each.
The average connection times were used to break the tie for first place.
Managed services provider Datapipe had January’s most reliable hosting company site, with two failed requests and an average connection time of 20ms. Datapipe was the fastest within the top 10, and second overall.
Datapipe provides managed enterprise cloud services via its Stratosphere cloud computing platform; delivered from Datapipe’s global network of data centres in conjunction with Amazon Web Services.
Datapipe acquired Newvem in September which has combined its managed AWS with a cloud optimisation platform.
Datapipe has not had a single outage since 2006, and is only two months away from having 8 years of 100% continuous uptime.
In second place is last month’s number one — Qube Managed Services, followed by UK based Hyve Managed Hosting in third place with average connection times of 41ms and 64ms respectively.
Qube’s hosting services are delivered from data centre facilities in London, New York and Zurich. This month is Qube’s fifth consecutive month in the top 10.
Hyve Managed Hosting, in third place, offers a 100% network uptime guarantee by utilising multiple Tier 1 backbone providers and peering with multiple networks in multiple global locations.
In December Hyve launched SecureShare which allows its customers to host their own encrypted file sharing servers which are protected behind its hardware firewalls, IPS systems and DDoS defense devices provided as part of its SecureCloud services.
Elsewhere in the full table this month Codero received $8M in financing from Silicon Valley Bank (SVB) and Farnam Street Financial.
Codero is planning to deploy new data centres across the U.S. and Europe and expand its hosting portfolio to serve more customers.
FreeBSD powered Datapipe‘s site, at the top of the table, and also corporate email services provider Swishmail in 5th place.
The remaining hosting company sites ran Linux except for two running Windows Server — Netcetera in 4th place and Server Intellect in 8th place.
Netcraft measures and makes available the response times of around forty leading hosting providers’ sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.
From a customer’s point of view, the percentage of failed requests is more pertinent than outages on hosting companies’ own sites, as this gives a pointer to reliability of routing, and this is why we choose to rank our table by fewest failed requests, rather than shortest periods of outage. In the event the number of failed requests are equal then sites are ranked by average connection times.
Information on the measurement process and current measurements is available.
The National Institute of Standards and Technology (NIST) is still using SSL certificates signed with the SHA-1 signature algorithm, despite issuing a
Special Publication disallowing the use of this algorithm for digital signature generation after 2013.
“SHA-1 shall not be used for digital signature generation after December 31, 2013.”
— NIST recommendation
The SSL certificate for www.nist.gov is signed using the SHA-1 hashing algorithm, and was issued by VeriSign on 23 January 2014, more than three weeks after NIST’s own ban came into effect.
Also issued this year, NIST’s “Secure File Transfer Service” at xnfiles.nist.gov uses a SHA-1 certificate.
An attacker able to find SHA-1 collisions could carefully construct a pair of certificates with colliding SHA-1 hashes: one a conventional certificate to be signed by a trusted CA, the other a sub-CA certificate able to be used to sign arbitrary SSL certificates. By substituting the signature from the CA-signed certificate into the sub-CA certificate, certificate chains containing the attacker-controlled sub-CA certificate will pass browser verification checks. This attack is, however, made more difficult by path constraints and the inclusion of unpredictable data into the certificate before signing it.
The increasing practicality of finding SHA-1 hash collisions could make it possible for a well-funded attacker to impersonate any HTTPS website. With a practical attack against SHA-1 (using cloud computing resources) estimated to cost $2.77M in 2012, falling to $700k by 2015, it may attract government agencies.
The SSL certificate for www.nist.gov with the signature algorithm and issuance date highlighted.
Along with NIST itself, many US Government institutions have continued to generate new SSL certificates with SHA-1 signatures. Examples include the certificate for donogc.navy.mil, issued on 3 January 2014, and several United States Bankruptcy Court document filing systems (each state has its own site and uses its own SHA-1-signed SSL certificate). Despite receiving widespread criticism for a number of other security problems last year, the ObamaCare exchange at healthcare.gov also saw fit to deploy a new SSL certificate in January which uses the SHA-1 hashing algorithm.
NIST and the rest of the US government are far from alone, however, as more than 92% of all certificates issued this year use the SHA-1 hashing algorithm.
Although the recommendations from the National Institute of Standards and Technology have been prepared for US federal agencies, the cryptographic weaknesses of SHA-1 should concern anyone who relies on SHA-1 to generate or validate digital signatures. Microsoft shares these concerns and has announced plans to
deprecate the use of SHA-1 in both SSL and code signing certificates by the end of 2016.
The NSA-designed SHA-2 family (which includes SHA-224, SHA-256, SHA-384 and SHA-512) now provides the only cryptographic hash functions approved by NIST for digital signature generation. Whilst SHA-2 shares some similarities with SHA-1, there are significant structural differences: SHA-2 does not share the SHA-1’s mathematical weakness. All of the SHA-2 algorithms have much longer digests: SHA-1 only produces a 160-bit digest, whereas the most common digest length for SHA-2 is 256-bits.
In total, more than 98% of all SSL certificates in use on the Web are still using SHA-1 signatures. Netcraft’s February 2014 SSL Survey found more than 256,000 of these certificates would otherwise be valid beyond the start of 2017 and, due to the planned deprecation of SHA-1, will need to be replaced before their natural expiry dates.
SHA-256 is the most commonly used signature algorithm from the SHA-2 family, but it is used by only 1.86% of the valid certificates in Netcraft’s February 2014 SSL Survey; nonetheless, this share has more than doubled in the space of 4 months, suggesting that some certificate authorities are starting to take the issue seriously. So far in 2014, more than 61% of the new certificates signed with SHA-256 were issued by a single certificate authority, Go Daddy. SHA-512 is the only other SHA-2 family algorithm to be seen used in SSL certificates, albeit deployed on only 4 websites so far.
The CA/B Forum – which comprises of both certificate authorities and web browser vendors – put forward Ballot 111 last year, which motions to take advantage of the deprecation of SHA-1 by accelerating the forum’s planned move to shorter maximum certificate lifetimes. The deprecation alone will mean that some five-year certificates that are valid today will not be usable for their entire lifetime.
In practice, it is likely to be Microsoft’s plans to deprecate the use of SHA-1 signatures by the end of 2016 which will force the mass adoption of SHA-2 by certificate authorities, although allowing three years for this to happen might seem generous. The majority of end users are unlikely to be affected by the change, and most website administrators will probably have to renew their SSL certificates within this period anyway, but certificates which are reissued with SHA-1 signatures run the risk of being unsupported by other browsers in the future.
Cryptographic weaknesses in SHA-1 have been discussed for several years. A notable better-than-brute-force attack was announced nine years ago, demonstrating a SHA-1 hash collision that could be achieved within 269 calculations, as opposed to the 280 that would be required by a brute-force approach.
More recently, the best public cryptanalysis of SHA-1 estimated that a full collision can be achieved with a complexity of around 261, while a near-collision can be achieved in 257.5. These attacks have been implemented in the HashClash framework, which provides differential path construction attacks against SHA-1, as well as chosen prefix collisions against the even-weaker MD5 algorithm. The CA/B Forum recommends that all certificate serial numbers should exhibit at least 20 bits of entropy, which would mitigate chosen-prefix collision attacks for non collision resistant hash functions, although such measures are not thought to be necessary for SHA-2 at the current time.
Windows XP has supported SHA-256, SHA-384 and SHA-512 since the release of Service Pack 3 in 2008, and Windows Server 2003 can also support SHA-2 if the KB938397 hotfix has been installed. Deprecating SHA-1 could therefore also have some other indirect security benefits: anyone still using Windows XP before Service Pack 3 will be unable to make effective use of the web as SHA-2 certificates gain prominence.
The SHA-1 algorithm is also used in all versions of the
TLS cryptographic protocol, and only the latest version (TLS 1.2) introduces SHA-256 as a replacement for the MD5/SHA-1 combination for both the pseudorandom function and the finished message hash. Microsoft’s SHA-1 deprecation policy will only apply to applications which call the CertGetCertificateChain API to build and validate a certificate chain, so older browsers and hardware devices which do not yet support TLS 1.2 will be unaffected.
cPanel & WHM software version 11.36 has reached End of Life.
In accordance with our EOL policy [http://docs.cpanel.net/twiki/bin/view/AllDocumentation/InstallationGuide/LongTermSupport],11.36 will continue functioning on servers. The last release of cPanel & WHM 11.36, being 11.36.2.13, will remain on our mirrors indefinitely. You may continue using this last release, but no further updates, such as security fixes and installations, will be provided for 11.36. Older releases of cPanel & WHM 11.36 will be removed from our mirrors.
We strongly recommend that all customers migrate any existing installations of cPanel & WHM 11.36 to a newer version (either 11.38 or 11.40).
If your server setup complicates the process of migrating to a newer version of cPanel & WHM (for example, an out-of-date operating system), then cPanel is here to help. Simply open a support ticket at https://tickets.cpanel.net/submit so that our knowledgeable support team can provide recommendations, migration assistance, and more.
About cPanel, Inc.
Since 1997, cPanel, Inc. has been a leading innovator and developer of control panel software for the web hosting industry. cPanel builds software that allows web host professionals to transform standalone servers into fully automated, point-and-click web hosting platforms. cPanel-licensed software allows server and website owners, along with resellers and developers, to optimize their technical resources and replace tedious shell-oriented tasks with dynamic, intuitive web-based interfaces. For more information, visit http://cpanel.net.
For the PGP-signed message, see 11.36-EOL.
cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.
cPanel has rated these updates as having security impact levels ranging from Minor to Important.
Information on cPanel’s security ratings is available at http://go.cpanel.net/securitylevels.
If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.
RELEASES
The following cPanel & WHM versions address all known vulnerabilities:
* 11.42.0.4 & Greater
* 11.40.1.10 & Greater
* 11.38.2.16 & Greater
The latest public releases of cPanel & WHM for all update tiers are available at http://httpupdate.cpanel.net.
SECURITY ISSUE INFORMATION
The cPanel security team and independent security researchers identified the resolved security issues. There is no reason to believe that these vulnerabilities have been made known to the public. As such, cPanel will only release limited information about the vulnerabilities at this time.
Once sufficient time has passed, allowing cPanel & WHM systems to automatically update to the new versions, cPanel will release additional information about the nature of the security issues. This Targeted Security Release addresses 67 vulnerabilities in cPanel & WHM software versions 11.42, 11.40, and 11.38.
Additional information is scheduled for release on February 5th, 2014.
For information on cPanel & WHM Versions and the Release Process, read our documentation at:
http://go.cpanel.net/versionformat
For the PGP-signed message, see TSR-2014-0001-Announcement
60 queries. 8.5 mb Memory usage. 1.305 seconds.