(Sep 7) Updated java-1.5.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical [More…]
(Sep 7) Updated java-1.4.2-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 Supplementary. The Red Hat Security Response Team has rated this update as having critical [More…]
In the September 2012 survey we received responses from 620,132,319 sites, a decrease of 8M sites since last month’s survey.
A large portion of this drop was caused by a large network of linkfarmed domains disappearing from under the .com TLD, causing Apache numbers to suffer the most, with a loss of 10M sites. This resulted in a small drop in Apache’s market share to 58%. Google also saw losses of 1M sites, but both Microsoft and nginx gained, with 840k and 1.5M new domains respectively.
Server headers for IIS 8.0 – the latest version of Microsoft’s server software – were returned by 1,723 sites this month. This is an increase of 1,445 sites (+519%) over the six months since the public beta release of Windows Server 2012 in April, which uses IIS 8.0 as its default web server. However, only twelve of the million busiest sites were found to be using the software, seven of which are within Microsoft’s own iis.net.
Amazon reached a significant milestone this month, with its strong and continued growth in the web hosting market now making it the world’s largest hosting location by number of web-facing computers. The previous leader was China Telecom, which now has 116k web-facing computers against Amazon’s 118k.
Netcraft’s hosting provider server count uses a set of heuristics to identify individual computers, regardless of how many web-facing IP addresses each may have, or how many websites they serve.
Amazon has nearly doubled its count of web-facing computers within the past year, and this growth does not look set to slow down any time soon. The majority of these computers are located in the US (77%) and Ireland (13%), although smaller numbers of servers have started popping up in other locations within the past year, including the Netherlands, Singapore, Brazil, and Japan.
Although Amazon has the largest number of web-facing computers, these are used to host a relatively modest sum of 6.8M websites. 2.9M of these sites are served by nginx, which is closely followed by 2.3M served by Apache. A further 410k are served by Polyvore Web Server, which is used by sites within the Polyvore fashion social-commerce network. Only 2.4% (163k) of the sites hosted at Amazon are running Microsoft IIS.
Although Amazon’s scalable, pay-as-you-go EC2 service supports Microsoft Windows, Linux is by far the most popular operating system to be found amongst all of its web-facing computers, including those used by CloudFront and S3. Nearly 97% of Amazon’s web-facing computers were running Linux during September’s survey.


Developer | August 2012 | Percent | September 2012 | Percent | Change |
---|---|---|---|---|---|
Apache | 373,069,751 | 59.39% | 362,714,083 | 58.49% | -0.90 |
Microsoft | 96,529,586 | 15.37% | 97,368,803 | 15.70% | 0.33 |
nginx | 72,429,976 | 11.53% | 73,976,009 | 11.93% | 0.40 |
Google | 22,561,854 | 3.59% | 21,576,233 | 3.48% | -0.11 |

Developer | August 2012 | Percent | September 2012 | Percent | Change |
---|---|---|---|---|---|
Apache | 106,374,535 | 54.96% | 104,999,959 | 54.98% | 0.02 |
Microsoft | 22,837,911 | 11.80% | 23,421,605 | 12.26% | 0.46 |
nginx | 23,821,399 | 12.31% | 23,067,926 | 12.08% | -0.23 |
Google | 15,633,265 | 8.08% | 15,241,811 | 7.98% | -0.10 |

For more information see Active Sites

Developer | August 2012 | Percent | September 2012 | Percent | Change |
---|---|---|---|---|---|
Apache | 598,150 | 60.05% | 596,589 | 59.98% | -0.07 |
Microsoft | 133,038 | 13.36% | 134,978 | 13.57% | 0.21 |
nginx | 114,377 | 11.48% | 112,991 | 11.36% | -0.12 |
Google | 31,737 | 3.19% | 26,117 | 2.63% | -0.56 |

The length of an RSA public key gives an indication of the strength of the encryption: the shorter the public key, the easier it is for an attacker to brute-force. An attacker, armed with a compromised private key derived from a short public key, would be able to decrypt both past and future SSL-secured connections if she were able to intercept the encrypted traffic. She could also impersonate the organisation to which the SSL certificate was issued if she has the opportunity to manipulate DNS lookups. Both the CA/B Forum (a consortium of certificate authorities (CAs) and major browser vendors) and NIST [PDF] (the agency which publishes technical standards for US governmental departments) have recommended that sub-2048-bit RSA public keys be phased out by the end of 2013.
According to the CA/B Forum’s own Baseline Requirements [PDF], effective 1st July 2012, member certificate authorities are required to reject a request to sign an RSA public key shorter than specified in the following table:

Certificate expiry date | Minimum RSA public key length |
---|---|
On or before 31st December 2013 | 1024 |
After 31st December 2013 | 2048 |

Nevertheless, these key sizes are not guaranteed, as several CA/B Forum members have issued non-compliant SSL certificates since 1st July 2012. Trustwave, Symantec, KEYNECTIS, and TAIWAN-CA have all signed certificates which fall foul of their organisation’s requirement of 2048-bit RSA public keys for certificates expiring after 2013, demonstrating that the key length requirement is being treated as a guideline (which by definition is neither binding nor enforced), rather than a rule.
They are by no means the only CAs signing short RSA public keys: more than 10 years after Netcraft’s first blog post on the topic and 12 years after RSA-155 [PDF], 512-bit RSA public keys are still appearing in SSL certificates. A 512-bit RSA public key was signed as recently as July 2012 by Swisscom.
Most, but not all, of the major browser and operating system vendors either disallow access or display a warning message when accessing a website using an SSL certificate with a 512-bit RSA public key. The latest versions of Safari (although not the mobile version on iOS 5.1), Opera, Google Chrome, and Internet Explorer (via an update to Windows; planned to be rolled out in October 2012) all do so. Notably, Mozilla Firefox does not yet reject such certificates.
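
An audit of the key length table above can be run over `openssl x509 -noout -text` output, as in this added example (not code from the original article). The function names and the sample dumps are constructed for illustration, and the certificate's Not Before date is assumed to approximate the date it was signed.

```python
import re
from datetime import date, datetime

# Values quoted on this page from the CA/B Forum Baseline Requirements.
BR_EFFECTIVE = date(2012, 7, 1)   # requirements apply from this date
CUTOFF = date(2013, 12, 31)       # expiry on or before: 1024 bits; after: 2048 bits

def parse_x509_text(text):
    """Pull validity dates and RSA key size out of `openssl x509 -noout -text` output."""
    def when(label):
        m = re.search(label + r"\s*:\s*(\w{3}\s+\d{1,2} [\d:]{8} \d{4}) GMT", text)
        if m is None:
            raise ValueError("missing field: " + label)
        return datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y").date()
    # Newer OpenSSL prints "Public-Key: (N bit)"; 0.9.8 printed "RSA Public Key: (N bit)".
    bits = re.search(r"Public[- ]Key: \((\d+) bit\)", text)
    if "rsaEncryption" not in text or bits is None:
        raise ValueError("not an RSA certificate dump")
    return when("Not Before"), when("Not After"), int(bits.group(1))

def required_bits(not_after):
    """Minimum RSA key length from the table, chosen by expiry date."""
    return 1024 if not_after <= CUTOFF else 2048

def audit(text):
    """Return (verdict, key_bits, required_bits) for one certificate dump."""
    not_before, not_after, bits = parse_x509_text(text)
    need = required_bits(not_after)
    if bits >= need:
        verdict = "ok"
    elif not_before < BR_EFFECTIVE:
        # Assumption: Not Before approximates the signing date.
        verdict = "short key, predates requirements"
    else:
        verdict = "non-compliant"
    return verdict, bits, need

def sample(not_before, not_after, bits):
    """Constructed stand-in for openssl's text layout (not a real certificate)."""
    return ("        Validity\n"
            f"            Not Before: {not_before} GMT\n"
            f"            Not After : {not_after} GMT\n"
            "            Public Key Algorithm: rsaEncryption\n"
            f"                Public-Key: ({bits} bit)\n")

if __name__ == "__main__":
    for dump in (sample("Jul 15 00:00:00 2012", "Jul 15 23:59:59 2014", 1024),
                 sample("Aug  1 00:00:00 2012", "Dec 31 23:59:59 2013", 1024),
                 sample("Jul  9 00:00:00 2012", "Jul  9 23:59:59 2013", 512)):
        print(audit(dump))
```
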
What’s Changed
[*] Major security enhancements.