Secure your Network
Advertise on Netcraft
About Netcraft
Join Netcraft
Site Map
Netcraft Home What's that site running?
Web Server Survey
SSL Server Survey
Explore web sites
News
 Netcraft Web Server Survey Reports  Graphs  Mechanics  Developers  Servers  Most Requested Sites  Archive

SSL Survey

Jobs available at Netcraft

The Netcraft Web Server Survey is a survey of Web Server software usage on Internet connected computers. We collect and collate as many hostnames providing an http service as we can find, and systematically poll each one with an HTTP request for the server name.
In the November 2001 survey we received responses from 36,458,394 sites.

Market Share for Top Servers Across All Domains August 1995 - November 2001

Graph of market share for top servers across all domains, August 1995 - November 2001

Top Developers

DeveloperOctober 2001PercentNovember 2001PercentChange
Apache1885135256.892071378156.81-0.08
Microsoft960736328.991084441929.740.75
iPlanet12787203.8613105023.59-0.27
Zeus7754382.348006612.20-0.14

Active Sites

DeveloperOctober 2001PercentNovember 2001PercentChange
Apache778114561.36775027561.880.52
Microsoft361231028.49330720726.40-2.09
iPlanet2494181.974319353.451.48
Zeus1710231.351740521.390.04

Totals for Active Servers Across All Domains June 2000 - November 2001


iPlanet is the sum of sites running iPlanet-Enterprise, Netscape-Enterprise, Netscape-FastTrack, Netscape-Commerce, Netscape-Communications, Netsite-Commerce & Netsite-Communications.

Microsoft is the sum of sites running Microsoft-Internet-Information-Server, Microsoft-IIS, Microsoft-IIS-W, Microsoft-PWS-95, & Microsoft-PWS.

Platform groupings are here.

Around the Net

Unusually, numbers of active sites running on Solaris & Netscape-Enterprise rose this month, primarily because of the extension of facilities on a Network Solutions domain parking system to include simple small html sites as part of the parking facility. Network Solutions is by far iPlanet's largest installation in terms of numbers of hostnames, and the iPlanet active site numbers would fall considerably if they were persuaded to switch. Earlier in the year Network Solutions switched part of their hosting operations to Windows 2000.

By contrast, the principle reason for the fall in active Microsoft-IIS sites this month, was the change in business model at a large hoster of free shared sites Homestead which last month revoked access to many of their users free sites in the hope that they might pay to regain access to their site content.

Security of some significant JSP sites in question

Over the last couple of months we reviewed Microsoft-IIS based ecommerce sites and the significant improvement in their security prompted by the combination of Code Red and Microsoft's first cumulative patch. A reasonable interpretation of the significant fall in the number of vulnerable Microsoft-IIS tested by Netcraft is that Code Red was so disruptive that sites could ignore security no longer, and the cumulative patch gave them a convenient solution whereby addressing the Code Red problem solved several other standard vulnerabilities as well.

One technology that is yet to have this kind of stimulus towards security is Java Server Pages. Although not widely deployed by rank and file sites, JSP is quite a common technology on ecommerce sites that prefer a Sun based solution to the Microsoft platform. Often, users of JSP technology have invested very significant sums in their sites, and their sites often provide core stockbroking, banking, retail, ticketing and ecommerce services to the internet community, where large sums of money can change hands.

On these sites identity theft is a very serious issue, enabling an attacker to, for example, buy goods or transfer money, using the identity and account information of another customer of the site.

In November 2000, Netcraft reported a vulnerability in session IDs generated by a variety of Java Application Servers based on Sun's reference implementation of the Java Servlet Development Kit (JSDK 2.0), including Java Web Server (JWS) from V1.1, IBM WebSphere and ATG Dynamo e-Business Platform. Typically with these systems, each user connecting to the site is issued with a unique session ID, which is then used to identify all subsequent requests made by that user, either encoded in the URLs, or as a cookie. The server can then store data for each user session, for instance the state of a web shopping cart. Session IDs are also often used to control access to sites requiring a login; instead of sending the username/password with every request, the site issues a session ID after the user logs on, which identifies the user for the rest of the session.

The attack demonstrates a way for a person to hijack another customer's session, and complete transactions as if that person. This is fundamental to ecommerce systems, and one might have expected that the advisory would be quickly acted on. Remarkably, a year on from the advisory, there are well over a thousand transactional sites still using predictable session ids on the internet, including several very high profile ones.

If you are using a JSP based system, and are not confident that your session ids are unpredictable, study the advisory, and if you are still not confident, we would be pleased to answer questions.

Netcraft also released an advisory in conjunction with Macromedia earlier this week concerning the JRUN product, which can be induced to reveal the source code of java server pages in some circumstances.

Her Majesty Rocks no more

Two years ago the Queen of England became an unlikely icon for the Linux revolution when her webmaster replaced Solaris as the platform for the Royal Family's site, citing the better price/performance of the Dell/Linux platform over the previous incumbent, Sun/Solaris. The open source community celebrated and speculated on when the Apache web server might receive the "By Royal Appointment" moniker. This week the site has changed platforms again, this time to Microsoft-IIS.

The Queen launched the updated site yesterday, remarking that the new site took advantage of changes in internet technology, including Flash and DHTML, but so far as we can tell, made no comments about the relative merits of the underlying platforms.

Buckingham Palace told Netcraft that the site's new designers were responsible for the decision to change platforms. The Palace have thoughtfully provided a contact information page for people with questions about the site, as there is sure to be a lot of interest in the change at what has been an icon of Linux's progress into the establishment and a Red Hat reference site.

Exodus sold to Cable & Wireless

Today, Exodus was sold to Cable & Wireless for a total of around $850M. The sale can not have come a moment too soon for creditors, as around 20% of Exodus' customers have departed since the company entered Chapter 11 during the summer.

Reports and Interactive Queries

Reports are provided showing server usage for the Internet as a whole, and for selected domains, with links to all the sites responding to the survey. A facility for you to check what server a particular site is running now is also available. The same form can be used to ensure that a particular site is included in future surveys. A directory of sites running in developer domains is also provided, while the sites discovered by the survey can be explored.

Fair Use, Copyright

Excerpts from this survey may be reproduced if Netcraft and the url http://www.netcraft.com/survey/ are attributed.

 Netcraft Web Server Survey Reports  Graphs  Mechanics  Developers  Servers  Most Requested Sites  Archive
Your comments and suggestions are most welcome webmaster@netcraft.com © Netcraft 2001