Slashdot Mirror

It is now official. Netcraft confirms: *BSD is dying

One more crippling bombshell hit the already beleaguered *BSD community when IDC confirmed that *BSD market share has dropped yet again, now down to less than a fraction of 1 percent of all servers. Coming on the heels of a recent Netcraft survey which plainly states that *BSD has lost more market share, this news serves to reinforce what we've known all along. *BSD is collapsing in complete disarray, as fittingly exemplified by failing dead last in the recent Sys Admin comprehensive networking test.

You don't need to be the Amazing Kreskin to predict *BSD's future. The hand writing is on the wall: *BSD faces a bleak future. In fact there won't be any future at all for *BSD because *BSD is dying. Things are looking very bad for *BSD. As many of us are already aware, *BSD continues to lose market share. Red ink flows like a river of blood.

FreeBSD is the most endangered of them all, having lost 93% of its core developers. The sudden and unpleasant departures of long time FreeBSD developers Jordan Hubbard and Mike Smith only serve to underscore the point more clearly. There can no longer be any doubt: FreeBSD is dying.

Let's keep to the facts and look at the numbers.

OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.

Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.

All major surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among OS dilettante dabblers. *BSD continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, *BSD is dead.

Fact: *BSD is dying

As a matter of fact, Netcraft did confirm that BSD is dead: Netcraft 2017 Web Server Survey

I googled how to disable IDN in browsers and it returned an article from 2005 about Firefox disabling support for IDN due to phishing concerns
https://news.netcraft.com/arch...
Netcraft confirmed it.

HPKP allows the operator to declare this certificate or bust to regular users. Certificate transparency offers no such capability.

Certificate transparency only provides "transparency". It doesn't allow operators to set declarative limits on what is acceptable.

We don't need that ability if lack of CT causes the connection to bust. Admittedly we aren't quite there yet, but in the mean time, there's an HTTP header called Expect-CT is implemented in every evergreen browser. (There's DNS CAA, but it's not like a suborned CA will validate CAA, and I'm not aware of any plans to make browsers validate SSL cert against CAA statement, and this all assumes we can secure DNS.)

If your website was gearing up for protest against local dictator and chief and they conspired against you obtaining a MITM cert from your CA and properly logged it to transparency log accordingly that information sure as hell won't do your users any good who are now being rounded up thanks to this ridiculous assertion of equivalence.

In the situation where a single entity has complete packet rewrite ability for the connection to a user at all times, then neither HPKP nor CT will help you.

The situation you described where a dictator suborns a regional certificate authority and publishes to the CT log is indeed a problem. The CT model calls this "getting caught" and doesn't deal with it beyond that. (Presumably Google thinks that if this happens to google.com they could trigger a diplomatic incident. Small guys are not so lucky.)

It's the flip side to another problem though. Suppose that the dictator suborns the regional web host for my site and steals its key. I can set up a host elsewhere but I need to rotate the key. With HPKP, users will reject my new key and continue to use the old key to connect to the dictator-owned system.

In either case, I think the technical solution is working revocation (state of the art being OCSP). I should be able to revoke any key that refers to my domain, through ACME-style proof of domain ownership.

Certificate transparency *IS* a good thing and it is worth doing yet value offered by each approach does not fully overlap. Removal of HPKP only reduces security. It does not improve it.

OK. I think you understand how CT and HPKP work well enough that I don't feel the need to keep arguing. I was mostly upset about "Certificate transparency = Lifelock commercial" (and claim that this move is caused by the NSA, which is a high-school quality calumny) which you've since walked back by stating that CT is good for security.

I agree that the timing of the removal of HPKP is not security-first, I'd rather see full CT enforcement by default before we talk about removing HPKP, and I think the community should have a discussion about the difference, and how we handle those tough cases like the dictator case you suggested.

Chrome claims that it doesn't matter when they remove HPKP because nearly nobody is using it (netcraft claims 4,100 certs in the world).

OpenBSD uses a very primitive form of multicore support called "cooperative multiprocessing" as opposed to modern multiprocessing known as "preemptive" multi-processing. OpenBSDs multitasking is simiilar to what was available on the old Mac 68K machines. The problem with OpenBSD's method is that one misbehaved application can hog all the resources and cause OpenBSD to crash.

Phoronix.com did a comparison of all the BSD and Linux variants and OpenBSD came in last. FreeBSD did marginally better. Although nowhere near as capable as the Linux kernels, the Dragonflybsd put in a very strong showing, beating all the other BSD variants. These days OpenBSD is pretty much a curiosity without a strong Internet presence.

We all can attest to Netcraft's skill in analyzing the operating system landscape. The Netcraft September 2017 Survey is quite frank about the dismal state of BSD. The only mention of any BSD is FreeBSD which they say has fallen to barely registering on real world networks. And everyone knows how far, far behind OpenBSD is from FreeBSD. I

And when everyone is Super, nobody will be. The cost of entry for HTTPS is now zero, so HTTPS is not longer any guarentee of site credentials; on todays internet phising is a far larger threat than packet intercept.

From Netcraft's September 2017 web survey:

Windows and Linux are essentially the "big two" when it comes to web-facing operating systems. FreeBSD was once notorious for its reliability and impressively large uptimes when used as a server platform; indeed, Netcraft's infrastructure made extensive use of it in the past, but it is now a relatively niche operating system compared with its heyday. Today it is used by only 1.3% of web-facing computers, more than half of which are being used to run the Apache web server.

Meanwhile these guys haven't updated their website design since 1998.

Isn't this one of the problems that HTTPs is supposed to fix? The wifi might be bugged, but you can verify you are really talking to the bank and then establish a secure connection over HTTPs and your details are protected.

If it were any other way you would be pretty much screwed because your packets have to pass through many untrusted servers on their way to the bank.

Maybe.

Why hold one CA to a completely different set of standards than every other CA?

Because most other major CAs that offer domain-validated (DV) certificates also offer organization-validated (OV) or Extended Validation (EV) certificates for a higher price. Let's Encrypt does not.

Then go get the CA/Browser Forum to amend their requirements that all CAs and web browser makers follow.

Or write a browser extension to trust DV certificates less. Then you'll get a green bar on Twitter but a warning on Facebook. Comodo's Dragon browser, for example, has included something like this, displaying a warning the first time the user visits a site using a DV certificate. The warning's text begins as follows:

It may not be safe to exchange information with this site

The security (or SSL) certificate for this website indicates that the organization operating it may not have undergone trusted third-party validation that it is a legitimate business. Although the information passed between you and this website will be encrypted, you have no assurance of who you are actually exchanging information with[...]

It is a Chrome specific issue caused by Chrome raising the bar on all EVs. In order to get the Green EV bar in Chrome a certificate needs to be EV, issued by a root authority, and needs Certificate Transparency information (or needs to be issued before 1st Jan 2015).

Unfortunately there's a shitload of CAs out there that didn't get certificate transparency sorted out by 2015.

Some EV certificates are dead and in this case: Netcraft confirms it

Quite frankly if I were paying $1000 for a certificate and it wasn't showing green in Chrome, I would be on Symantec like shit on a blanket. Though currently Chrome is the only browser enforcing this.

The process might in fact be to block all domain-validated (DV) certificates and allow organization-validated (OV) and Extended Validation (EV) certificates. This would parallel the policy implemented by the Comodo Dragon browser, which displays a warning for DV certificates:

The security (or SSL) certificate for this website indicates that the organization operating it may not have undergone trusted third-party validation that it is a legitimate business. Although the information passed between you and this website will be encrypted, you have no assurance of who you are actually exchanging information with, and many websites connected to cyber-crimes use this type of security certificate. Prior to exchanging sensitive information including login/password, personal identity information, or financial details such as credit card numbers with any website that generates this warning, you should find some alternative method of validating this business or consider abandoning the transaction.

3D TV is dead

Hmm mine is still working.

https://searchdns.netcraft.com...

Results for 3d.tv
Found 0 site
Even Netcraft confirms it :/. I assumed it wouldn't!
No-one have even bothered with the domain? Maybe it's too short?

Results for 3dtv.com
Found 0 site
Oh... last chance:

Results for 3dporn
Found 18 sites
Site Site Report First seen Netblock OS
1. 3dporncomic.net Site Report august 2012 advanced hosters b.v. unknown
2. www.3dporncomics.net Site Report june 2006 serverel linux
3. monsterattack3dporn.com Site Report april 2012 hostiserver ltd unknown
4. comics3dporn.com Site Report april 2009 serverel unknown
5. 3dpornxx.com Site Report december 2009 advanced hosters b.v. unknown
6. www.3dpornxx.com Site Report december 2009 advanced hosters b.v. unknown
7. www.3dpornpic.net Site Report july 2014 serverel linux
8. www.3dporncartoon.net Site Report december 2010 advanced hosters b.v. unknown
9. www.juicy3dporn.com Site Report june 2013 advanced hosters b.v. linux
10. super3dporn.com Site Report september 2010 hostiserver ltd. unknown
11. www.3dpornlinks.com Site Report june 2006 serverel linux
12. thefree3dporn.com Site Report january 2012 serverel unknown
13. 3dporncartoon.net Site Report december 2010 advanced hosters b.v. unknown
14. www.3dporncomic.net Site Report august 2012 advanced hosters b.v. unknown
15. amanda3dporn.biz Site Report may 2009 webazilla unknown
16. 3dpornreviews.com Site Report december 2015 cloudflare, inc. unknown
17. bestfree3dporn.com Site Report january 2012 serverel unknown
18. 3dpornbeast.com Site Report july 2013 serverel unknown
Puhh...
3DTV dead, 3D porn alive.

It's the browser acting as if a self signed certificate is less secure than no certificate.

Browser makers find it important to accurately report the truth of the sense of security. A self-signed certificate used with the https: scheme gives a false sense of security, whereas the http: scheme gives a true sense of insecurity.

Let's encrypt may be better, but it depends on how browsers decide to treat domain-validated certificates.

The only browser I've ever seen that warns for valid domain-validated certificates is Comodo Dragon. Any certificate that isn't at least organization-validated causes Dragon to show the "mixed passive content" icon in the location bar and an amber interstitial, which resembles the red interstitial for an untrusted issuer and has text to this effect:

It may not be safe to exchange information with this site

The security (or SSL) certificate for this website indicates that the organization operating it may not have undergone trusted third-party validation that it is a legitimate business. Although the information passed between you and this website will be encrypted, you have no assurance of who you are actually exchanging information with, and many websites connected to cyber-crimes use this type of security certificate. Prior to exchanging sensitive information including login/password, personal identity information, or financial details such as credit card numbers with any website that generates this warning, you should find some alternative method of validating this business or consider abandoning the transaction.

I'm having some bad troubles accessing Netcraft's web site. http://www.netcraft.com works just swell for me but http://netcraft.com doesn't work at all! Does anyone know what the flaming heck is going on here?! Clearly Netcraft is still around because www.netcraft.com works but something is whacked out with just plain netcraft.com I think or at least it is for me!

I'm having some bad troubles accessing Netcraft's web site. http://www.netcraft.com works just swell for me but http://netcraft.com doesn't work at all! Does anyone know what the flaming heck is going on here?! Clearly Netcraft is still around because www.netcraft.com works but something is whacked out with just plain netcraft.com I think or at least it is for me!

There have been good stories about this, like here: http://news.netcraft.com/archi...

Netcraft confirms it!! (but only for 1 DNS lookup) http://uptime.netcraft.com/per...

Devices running the Comodo Dragon browser visibly distinguish DV from OV certificates. I don't know if it still does, but it at least used to present an interstitial page for DV certificates that resembles other browsers' interstitial for an unknown CA.

It may not be safe to exchange information with this site

The security (or SSL) certificate for this website indicates that the organization operating it may not have undergone trusted third-party validation that it is a legitimate business. Although the information passed between you and this website will be encrypted, you have no assurance of who you are actually exchanging information with, and many websites connected to cyber-crimes use this type of security certificate. Prior to exchanging sensitive information including login/password, personal identity information, or financial details such as credit card numbers with any website that generates this warning, you should find some alternative method of validating this business or consider abandoning the transaction.

Netcraft confirms it! Er... wait... Alexa confirms it!

With Windows running only 27% of the Internet's web servers*, calling it "severely limit[ing]" is more than a little hyperbolic.

* source: http://news.netcraft.com/archi...

> Who runs Apache any more? Every serious Linux webserver is running Nginx now.

I don’t know if you’re trying to start another "BSD Is Dying" thing but

http://news.netcraft.com/archi...

Nginx is certainly making headway but it's still only half Apache's market share of the million busiest sites, and 30% among all active sites.

Yeah, I can't wait to hear how this is spun I to a tale of how great OSS is.

Wait no more!

The article states that the analysts have identified 8,867 infected IP addresses. In April 2014, Netcraft confirmed that there were roughly 958,919,789 sites on the web at that time. Independently of them, W3Techs state that nearly 68% of servers are running some form of Unix, and the vast majority of those can be safely assumed to be running Linux.

So let's say, then, that better than half a billion sites are potentially vulnerable to this exploit, but in practical terms, over the course of years, a mere 8,867 of them actually were infected by this exploit. That means that, uh... carry the 9... somewhere around, oh... 0.0017734% of all vulnerable Linux sites have been compromised by a hitherto unknown and unmitigated active exploit.

Clearly this debacle is indisputable proof that Linux security is a shambolic, shameful charade that needs to be stopped before the world collapses into chaos.

You can see it on Netcraft's "what's that site running?" -> http://toolbar.netcraft.com/si... & for showing what academic institutions run what (that could also be done for the Fortune 100/500 & really *ANY* type of servers out there).

I've used here a few years back to see for myself:

http://news.slashdot.org/comme...

& yes, to prove that very point WITH VALID DATA FROM A REPUTABLE SOURCE (2 of them, CNN list of Fortune 500 + NetCraft)...

All that happened vs. it was downmods and ad hominem attacks (the last resort of "defeated trolls", lol, & invalid proving my points all the more).

It works & since you demand it? Take a look for yourself there... get a list of the Fortune 100/500 & see what you see nowadays I suppose. That's only on servers though. There's millions of PC's out there vs. servers. What do PCs run the MOST (94++% of them worldwide as a KNOWN fact? Windows!)... you can't win on that note alone.

Facts used that way work, & I've used that before here, to shut fools up on that very account + face it: The ONLY real reason say, Linux, gets used, is to keep per unit costs down (on servers AND smartphones)

+

Face this about that much: ALL THOSE YEARS OF "Windows != Secure, Linux = Secure" is falling apart around your ears here - ANDROID, yes a Linux, proves it for me (& I love it + hate lying bullshitters/deceivers - not because I hate Linux, I don't & ADMIRE it actually as a socio-technological phenomenon that proves folks CAN & DO work together globally doing nice things for free).

You bullshitters don't realize 2 things: Your deceits shoot you in the foot, I make SURE it does (lol) & you can't EVER ever get the best of me - you don't HAVE what it'd take in truth & facts.

APK

P.S.=> However, the "noobies" inexperienced youthful stupid view here isn't aware of the fact C/C++ have been hugely successful on ALL platforms and have gained a gigantic following & momentum that other languages just do not have since time + success will do that for me (selling itself better than bs & "pr spin" that goes on around here like mad, lol, that's for sure ala my "Linux = Secure, Windows != Secure" b.s. that went on here for years)... apk

(un)paid advertizement:

I love to dump on Microsoft as much as the next guy, but honestly SQL Sever 2000 on is pretty damn good.

Now, if SQL server is "honestly" so good, why are the one million busiest sites slowly migrating away from Microsoft?

http://news.netcraft.com/archi...

In 2008, 20% of the million busiest websites used Microsoft, now only 12% do, and the decline slowly continues.

When we talk about these installations, we talk about very heavy loads, very much data and very high requirements on reliability and availability.

So why does the high-end "enterprise" systems move away from that "pretty damn good" platform? The Microsoft apologists on this thread constantly tell me who licensing costs don't matter and how good all Microsoft products are ("honestly"!) - but exactly in the one area where licensing costs really don't matter (the one million busiest sites) Microsoft is also losing it. So why then?

Maybe it's not as "pretty damn good" as some anonymous internet commentators claim? Honestly?

The cited examples that he gives lead to a 404 error, so that's not really helping his point.

It would if it was hosted on a Mac OS X server somewhere...

http://toolbar.netcraft.com/site_report/?url=Wozniak.ca - nope, Linux on Amazonaws. Of course.

But Netcraft confirms 47% market share http://news.netcraft.com/archi...

I would be curious to see how Azure is impacting Windows Server market share

As this is slashdot, the appropriate response would be to turn to Netcraft to confirm it...

http://news.netcraft.com/archi...

Which was from February, and should be read in the context of the February Web Server Survey:

http://news.netcraft.com/archi...

I would be curious to see how Azure is impacting Windows Server market share

As this is slashdot, the appropriate response would be to turn to Netcraft to confirm it...

http://news.netcraft.com/archi...

Which was from February, and should be read in the context of the February Web Server Survey:

http://news.netcraft.com/archi...

The other graphs on Netcraft pretty much answer this:

Web server developers: Market share of active sites = looks like MS is on a slight downward trend.

Web server developers: Market share of the top million busiest sites = looks like MS is on a slight downward trend.

And in both of those graphs, Apache is far and away holding the biggest share, *and* Nginx is ahead of MS. But let's face it, we all knew that anyway.

From TFA [1]:

Apache's position is much stronger when considering only Active Sites — it retains an absolute majority of 52.3%, and second place is held by nginx (14.4%), rather than Microsoft (11.3%). By excluding much of the automatically-generated content present on the internet, the Active Sites metric better reflects web server market share amongst human-maintained web sites. (emphasis by me)

[1] http://news.netcraft.com/archi...

Please mod parent up.

What a load of PR bullshit this article is. If people actually care reading the netcraft results [1], you will see that in ACTIVE WEBSITES the Microsoft webserver is falling below 12% during the last two years, while Apache has been well over 50%, despite all other webservers gaining place (Nginx for example).

[1] http://news.netcraft.com/archi...

Instead of guessing, why don't you finally read the article this statistic came from?

Our most recent SSL Survey found that the heartbeat extension was enabled on 17.5% of SSL sites, accounting for around half a million certificates issued by trusted certificate authorities.

So not only do those of us responsible for web servers need to generate new server certs for all of our servers... pretty much every current web server cert in existence also needs to be revoked. Are the CAs even willing/able to do something on that scale in a short amount of time?

Netcraft actually has an interesting article about that very situation.

Obviously, the CAs don't really have a choice in the matter, but I can't imagine they really have capacity issues in regards to the actual revoking/signing as that's all automated. If things get crazy busy, they can always queue things -- for most admins it doesn't really matter if the new cert is issued immediately or after 15 minutes.

Human-verified certs like org-verified and EV certs might have a bit of delays, but domain-validated certs should be quick to reissue.

Of course, revocation checking for browsers is really bad. Ideally, all browsers would handle revocation checking in real-time using OCSP and all servers would have OCSP stapling enabled (this way the number of OCSP checks scales as the number of certs issued, not the number of end-users). Stapling would help reduce load on CA OCSP servers and enable certs to be verified even if one is using a network that blocks OCSP queries (e.g. you connect to a WiFi hotspot with an HTTPS-enabled captive portal that blocks internet traffic until you authenticate; without stapling there'd be no way to check the revocation status of the portal).

Also, browsers should treat an OCSP failure as a show-stopper (though with the option for advanced users to continue anyway, similar to what happens with self-signed certificates).

Sadly, that's basically the opposite of how things work now. Hopefully things will change in response to Heartbleed.

So not only do those of us responsible for web servers need to generate new server certs for all of our servers... pretty much every current web server cert in existence also needs to be revoked. Are the CAs even willing/able to do something on that scale in a short amount of time?

Netcraft actually has an interesting article about that very situation.

Obviously, the CAs don't really have a choice in the matter, but I can't imagine they really have capacity issues in regards to the actual revoking/signing as that's all automated. If things get crazy busy, they can always queue things -- for most admins it doesn't really matter if the new cert is issued immediately or after 15 minutes.

Human-verified certs like org-verified and EV certs might have a bit of delays, but domain-validated certs should be quick to reissue.

Of course, revocation checking for browsers is really bad. Ideally, all browsers would handle revocation checking in real-time using OCSP and all servers would have OCSP stapling enabled (this way the number of OCSP checks scales as the number of certs issued, not the number of end-users). Stapling would help reduce load on CA OCSP servers and enable certs to be verified even if one is using a network that blocks OCSP queries (e.g. you connect to a WiFi hotspot with an HTTPS-enabled captive portal that blocks internet traffic until you authenticate; without stapling there'd be no way to check the revocation status of the portal).

Also, browsers should treat an OCSP failure as a show-stopper (though with the option for advanced users to continue anyway, similar to what happens with self-signed certificates).

Sadly, that's basically the opposite of how things work now. Hopefully things will change in response to Heartbleed.

Microsoft evidently relies on Linux servers a decent amount. A Microsoft dev is also apparently a top contributor to the Linux kernel.

Maybe those credentials were posted on github by devels and then scraped from there. Or from google, there is a bunch of id_rsa that pop up with trivial searchs.

Anyway, 25.000 linux/unix servers looks like a very low number, considering the 500.000.000 servers running apache or nginx, even with multiple domain hosted in a lot of them.

Is that "better"? That were over a million Linux servers defaced in 2010, most of them actually rooted.

Maybe those credentials were posted on github by devels and then scraped from there. Or from google, there is a bunch of id_rsa that pop up with trivial searchs.

Anyway, 25.000 linux/unix servers looks like a very low number, considering the 500.000.000 servers running apache or nginx, even with multiple domain hosted in a lot of them.

Because, you know, this is slashdot. We won't believe something is dead until netcraft reports it...

Didn't RFA, summery saying; " Unity is proprietary just like Flash was — 'don't worry, we'll be around forever!"

They all think that way

http://www.cnn.com/WORLD/9709/...
The Funeral of Princess Diana
Elton John performs "Candle in the Wind"
4 min. VXtreme streaming video

This maybe available with WMP, but I've never allowed that program to run (many reasons).

But I'm going to say it's dead as a VXtreme search on http://www.netcraft.com/ crashes the browser window taking me to about:blank (Opera 12), or just takes the page away (FireFox 27.0.1), flash enabled.

Mod this up! It's really significant. See: http://www.netcraft.com/active...

The global (unfiltered) figures are useless. The spike could be one IIS server with a mass of IPv6 IPs pointing at it.

Netcraft.com: "In the February 2014 survey we received responses from 920,102,079 site"

W3tech.com: "Usage of web servers for websites .. Apache: 62.5%, Nginx: 18.2%, Microsoft-IIS: 14.4%"

http://toolbar.netcraft.com/si... Unk, Unk, There's no name on it! (Tuco Benedicto)

Most retails outlets have freezes on any production changes from after Thanksgiving until at least January

As others have pointed out, Thanksgiving isn't really "a thing" in Australia, however, taking your premise that changes should not be made in the run-up to Christmas, Myer doesn't seem to have followed your suggestion. Myer changed their externally facing hosting technologies on November 27.

Everybody, please disregard with that idiot says in comment #45628817.

nginx is NOT the "second most used web-server". For crying out loud, son, EVEN NETCRAFT CONFIRMS YOU'RE WRONG! Just look at their December 2013 web server survey results. It is just barely in third place, well, well below Apache, and even well below IIS. nginx isn't even seeing the growth it used to have, and has in fact even been losing marketshare now and then over the past year.

Being wrong on a basic fact like that means you're even more wrong on all of your other claims. Even though nginx's use is a small fraction of Apache's or IIS's, we essentially NEVER see errors like this from them. But we see it ALL THE TIME when it comes to nginx.

There isn't something magical about Apache or IIS admins. In fact, there's a much greater proportion of them who are bad as compared to nginx admins, given how much more Apache is used than nginx. So we should be seeing many more errors when using sites served by Apache and IIS, according to your misguided and wrong-headed logic. YET WE DON'T!

Currently, 44% of web servers are running Apache. 24% are running IIS. Only 14% are running nginx. There are THREE TIMES AS MANY websites using Apache as there are using nginx. No matter how you try to spin it, we don't see three times as many errors from sites running Apache. We see completely the opposite! We see one or no sites giving errors when using Apache, in the same time period that we've seen five or maybe even ten instances of those errors from sites running on nginx.

You're going to need to try again if you want to try to convince us that nginx isn't at fault somehow. All of the evidence is not in its favor.

I'm be more interested to know if they shared their private key for SSL/TLS. Since Apple's Safari (to the best of my knowledge) does not support perfect forward secrecy (PFS), someone recording the encrypted session could later decode the session contents if they ever acquired the private key at any point in the future. The conversation might go like this:

....

I should point out that IE doesn't support PFS either, so Microsoft could be in the same boat. I think Chromium and Opera support PFS, but I'm not 100% certain.

(This is not my field of study, so if I have this wrong, I'd appreciate a correction.)

PFS is dependent on the cipher suite that is used. Safari and IE both *do* support some PFS suites, but not all PFS capable cipher suites. And for those they do like, they seem to prefer them less than some non PFS cipher suites. Safari seems to be better than IE at this as they support more suites but the non-elliptic-curve ones are used only as a last resort. So, the problem is web servers respecting the browser's preferences will end up selecting a non-PFS cipher suite even if the web server itself does support some PFS cipher suites.

So Safari/IE need to start favoring the PFS ones and/or web servers need to start only accepted the PFS suites.

Netcraft has some good research on the area.

supposedly, it's behind akamai :

http://toolbar.netcraft.com/site_report?url=http://www.healthcare.gov

Actually, it does seem close. At least according to netcraft. Scroll down to the graph (20M as of Jan2012)

https://ssl.netcraft.com/ssl-sample-report/

Apache isn't below 50%. What counts, are "active sites", not parked domains or similar (see Netcraft). Numbers for active sites fluctuate much less and show us a more realistic picture. Apache is still at 53,62%.

And no, IIS is not the winner, but a distant second with only 11,78% market share. Considering, IIS had once 38% (october 2007), IIS is the biggest looser so far.

The Netcraft article does have statistics that exclude parked domains, and here IIS doesn't look to have an increasing trend at all. The only webserver with a steadily increasing trend is nginx. In the graph of the top million busiest sites, nginx is again growing the fastest, though "other" is also a growing category.

Netcraft's report shows the percentages for all domains as well as for active domains.

This article is a bit sensationalistic - no surprise. As a percentage of all domains, Microsoft is at 23% (Apache's at 47%). Looking at just non-parked domains, they're at 12% (versus 54% for Apache). Not really much of a "Apache vs. IIS" story there...

If there's any news at all, it's that servers other than Apache and IIS have managed to gain significant traction over the past couple of years. I remember when it had really turned into a two horse race, and gains by one exactly mirrored losses by the other. But now it's a bit more of a healthy competition.