Secure your Network
Advertise on Netcraft
About Netcraft
Join Netcraft
Site Map
Netcraft Home What's that site running?
Web Server Survey
SSL Server Survey
Explore web sites
News
 Netcraft Web Server Survey Reports  Graphs  Mechanics  Developers  Servers  Most Requested Sites  Archive

SSL Survey

Jobs available at Netcraft

The Netcraft Web Server Survey is a survey of Web Server software usage on Internet connected computers. We collect and collate as many hostnames providing an http service as we can find, and systematically poll each one with an HTTP request for the server name.
In the August 2001 survey we received responses from 30,775,624 sites.

Market Share for Top Servers Across All Domains August 1995 - August 2001

Graph of market share for top servers across all domains, August 1995 - August 2001

Top Developers

DeveloperJuly 2001PercentAugust 2001PercentChange
Apache1838230858.731787475758.08-0.65
Microsoft809975725.88814637226.470.59
iPlanet13455664.3013215444.29-0.01
Zeus7935872.548114062.640.10

Active Sites

DeveloperJuly 2001PercentAugust 2001PercentChange
Apache731457760.53715684960.33-0.20
Microsoft337234127.91335636328.290.38
iPlanet2825172.342756192.32-0.02
Zeus1848951.531810981.530.00

Totals for Active Servers Across All Domains June 2000 - August 2001


iPlanet is the sum of sites running iPlanet-Enterprise, Netscape-Enterprise, Netscape-FastTrack, Netscape-Commerce, Netscape-Communications, Netsite-Commerce & Netsite-Communications.

Microsoft is the sum of sites running Microsoft-Internet-Information-Server, Microsoft-IIS, Microsoft-IIS-W, Microsoft-PWS-95, & Microsoft-PWS.

Platform groupings are here.

Around the Net

Absolute number of sites found falls

The total number of sites in the survey actually fell this month, as a result of failures and business model changes at several mass hosting companies. Microsoft continues its recent gains, with a further half a per cent rise, due in part to the remainder of a large domain hosting system at Network Solutions completing a migration to Windows 2000, and in part because it has far less exposure to the mass hosting companies than Apache. Our data was collected at the start of the month, and we will have a clearer picture of whether Code Red has caused any significant movement away from Microsoft-IIS in September.

Code Red - the catalyst for internet security

The combination of the Code Red worm and the first cumulative patch for Microsoft-IIS has significantly improved the security of Microsoft-IIS systems on the internet. Figures are shown below are for the vulnerability of Microsoft-IIS sites tested for the first time by our security services over the last year. This is typically in the range of a few hundred systems in each month.

  Oct-00 Nov-00 Dec-00 Jan-01 Feb-01 Mar-01 Apr-01 May-01 Jun-01 Jul-01 Aug-01
Administration pages accessible 27.38% 31.61% 23.16% 25.49% 25.58% 20.93% 17.33% 23.08% 35.71% 11.76% 10.26%
Cross-site scripting 80.95% 82.58% 73.68% 67.65% 76.74% 67.44% 65.33% 73.08% 57.14% 36.47% 19.23%
URL decode bugs 5.95% 33.55% 28.42% 31.37% 40.70% 39.53% 24.00% 34.62% 42.86% 32.94% 16.67%
Sample pages and scripts 26.19% 37.42% 26.32% 26.47% 33.72% 30.23% 14.67% 15.38% 28.57% 14.12% 16.67%
Server paths revealed 50.60% 52.26% 48.42% 35.29% 44.19% 34.88% 32.00% 36.54% 50.00% 22.94% 6.41%
Viewing script source code 19.64% 16.77% 25.26% 16.67% 20.93% 18.60% 21.33% 25.00% 21.43% 11.18% 3.85%
WebDAV configuration 0.60% 1.94% 5.26% 3.92% 4.65% 20.93% 41.33% 30.77% 50.00% 47.65% 43.59%
IIS .printer overflow 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 23.08% 21.43% 10.00% 2.56%
Code Red Vulnerable 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 14.29% 34.71% 2.00%
root.exe installed 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 5.77% 7.14% 10.00% 12.82%

% of Vulnerable Microsoft-IIS SSL Sites
Vulnerabilities

The table demonstrates in part the deep set complacency regarding security amongst ecommerce sites, and in part the difficulties in maintaining a reasonable level of security without the benefit of regular external testing. The high visibility of Code Red induced many ecommerce sites running Microsoft-IIS to patch their systems for the first time, and the availability of a cumulative patch has eliminated a lot of earlier vulnerabilities from many sites.

Note that the patch does not necessarily remove the root.exe facility installed by both sadmind/IIS and Code Red II. root.exe allows anyone on the internet to have commands on the machine executed with web server privileges, and can typically be used to set up logging of credit card information and other sensitive data on SSL servers. This has created a new class of ecommerce site which has been correctly patched for known server vulnerabilities, but have a live backdoor facility enabling attackers to continue to remain in control of the machine. Currently around 12% of SSL sites running Microsoft-IIS tested for the first time are in this state.

Self-interest dictates we mention that Netcraft's business includes automated penetration testing, site audits, and site monitoring.

Itanium systems available shortly, and likely to extend the momentum of Intel Architecture in Ecommerce

This week Microsoft announced that Windows Advanced Server is available for the new processor, and will start shipping within the next month. Broadly similar announcements have been made by Red Hat, Covalent, Zeus. One of the key early adopter markets for the Itanium will be SSL sites, as the Itanium has on chip crypto instructions that provide a disproportionate improvement in the performance of SSL transactions. One anticipates that all the Intel based system vendors will quickly target this market as one of the most compelling ways of selling the initially highly priced Itanium systems. Hewlett Packard's whitepaper extolling the SSL performance of HP-UX and the Zeus web server is likely be the start of a feeding freenzy of Intel-based vendors hungry for upgrade revenue from their own userbase, and conversions of Solaris based ecommerce sites.

Ashok Kumar of Piper Jaffray writing in an article published on news.com argues that "Sun will be a big loser [with] ... a significant loss of share within two to three years to Itanium supporters such as HP, IBM and Compaq." Broadly speaking, unless Sun produces something exceptional, the advent of the Itanium is likely to amplify the trends of the last two years, with Solaris slowly but steadily losing share to Intel Architecture systems running both Linux and Microsoft operating systems. The real skill is in picking the winners amongst the different Intel aligned hardware and software vendors.

Dogfood

Brian McWilliams of Newsbytes reports finding that WebTV runs Solaris 8 on several servers, while researching an article. Conversely Link Exchange, which ran FreeBSD for a long time after their acquisition by Microsoft now runs Windows 2000.

Reports and Interactive Queries

Reports are provided showing server usage for the Internet as a whole, and for selected domains, with links to all the sites responding to the survey. A facility for you to check what server a particular site is running now is also available. The same form can be used to ensure that a particular site is included in future surveys. A directory of sites running in developer domains is also provided, while the sites discovered by the survey can be explored.

Fair Use, Copyright

Excerpts from this survey may be reproduced if Netcraft and the url http://www.netcraft.com/survey/ are attributed.

 Netcraft Web Server Survey Reports  Graphs  Mechanics  Developers  Servers  Most Requested Sites  Archive
Your comments and suggestions are most welcome webmaster@netcraft.com © Netcraft 2001