Netcraft Claims Apache Now Runs 2/3rds Of The Web

Mr Bill writes "According to NetCraft the Apache web server now owns over 2/3rds of the web. The jump of 2.8% since last month is mostly due to a number of large domain parking sites switching back to Apache from IIS. 'During 2001 and the first half of 2002 several companies hosting very large numbers of hostnames including Webjump, Namezero, Homestead, register.com and Network Solutions migrated to Microsoft-IIS. Subsequently these businesses have either failed, significantly changed their business model, or reverted to their previous platform, and Microsoft-IIS share is now in line with its long term pre-summer 2001 level of around 20%.' See the full report here."

good

[grosa]

hopefully this will cut down on the number of easily infected web servers. don't want to see another run of iis worms spewing bogus access requests at my apache server.

Re:good

[BuckaBooBob]

Apache doesn't seem to suffer from the Monoculture problems that MS has... But I guess apache hasn't reached a true monoculture yet... But it would seem to \me that IIS could be a dying horse..

Re:good

It might help a bit, but not a lot. Web servers that belong to a domain, say www.slashdot.com, are counted here, but when you have millions of home machines worldwide still running an open web service on windows, that can overwhelm the statistics.

66% of 'real' websites may be apache driven, but when it comes to viral infection, Joe Normal's home windows box on his cable connection counts just as much an infectable web server as the business down the road that runs a real .com

Re:good

[nmg196]

But IIS usage is NOT going down though! The netcraft graph is a graph of relative usage of each system and adds up to 100%. If you look at the bottom the linked page at the second graph, you can see that IIS usage hasn't decreased at all - it's just that Apache usage has gone up quite a bit recently (ie, there are more total servers tested by Netcraft).

Re:good

[Grizzlysmit]

Ummm I think you'll find thats wrong, ok the propotunate loss for IIS is worse, but they've had a notaciable numeric loss too.

Re:good

[Bert64]

Apache is not really a monoculture atall, not compared to IIS... If you encounter a machine running IIS you can pretty much guarantee it`s running on an x86 machine running windows, it might, but this is a 1/1000000 chance or something, be running on windows on an alpha, mips or ppc... but this isnt possible for any version above 5.0
However, with Apache, it could be running on any one of many OS`s, Linux, FreeBSD, Solaris, HPUX, AIX for instance, and on many different hardware architectures.
This is a good reason for promoting systems such as FreeBSD, OSX, and the other risc systems... If the entire world standardises on x86/linux for their webservers, especially a single distribution, then it would be no better than a windows monoculture.

Re:good

[nmg196]

OK - I'm slightly wrong.

MS had 4.92 million sites last month, and it's 4.91 million this month (1.06% down) but my point still stands - it's mainly the fact that Apache has gone up from 13.52 million to 14.37 million active sites ( a gain 846294) that makes the graph show a swing from Apache to Linux. It's not really a change from Apache TO IIS - its mainly just loads more Apache sites. The fall in IIS usage is so insignificant that it doesn't even register on that graph!

If you read the other /. comments - you'll see that graph is misleading many people on here. Many users seem to think that IIS usage is falling rapidly, when in fact it's nearly the highest it's ever been!

Looking at the second graph, gives you a much clearer idea of what's going on - an obvous 'spike' in Apache users - while IIS usage doesn't change by a statistically significant amount (just the usual wobble perhaps).

A few months more data will be needed to draw any conclusions on whether or not IIS usage is actually significantly falling.

I don't think things like the Blaster worm have help Microsoft's image where security is concerned, but favourable independent reports of the security of the new Windows 2003 platform should balance that out in the long term.

Re:good

[Foofoobar]

Monoculture? How so? I happen to work for a company with VERY close ties to MS and they won't let me run Linux... so I run Apache, MySQL and PHP on a windows machine. Works great and I never have any down time.

The key phrase here is cross platform compatibility. That is something that Microsoft has yet to learn.

Re:good

[optikSmoke]

Hmmm, yes by numbers IIS is at its highest ever, however that is an irrevelent statistic. The fact that its percent of market share has decreased is much more useful. It basically means the market size has increased (ie, there are more total servers now) but IIS hasn't kept up.

As a simple (and exageratted) example, let's say the market increased by a million servers, but IIS only got 100 more. Yes, they would be at their "highest ever", but in reality they would have a much smaller presence in the market.

Numbers don't matter, its numbers relative to the competition (ie, market %). So, the graph is not really misleading, since it shows a useful statistic (market share) rather than a not-so-useful one (number of servers).

That's Just Crazy

Who would've believed that a non-proprietary and free webserver would be so popular when Microsoft gives you the opportunity to lock yourself into monopoly driven endless licensing upgrade cycle?

What the hell is this world coming to?

Re:That's Just Crazy

[Dionysus]

It has a monopoly on Windows web servers.

What a bizarre statement. Isn't that like saying RedHat has a monopoly on RedHat Linux servers? Or Debian has monopoly on Debian GNU/Linux servers?

Re:That's Just Crazy

[BasharTeg]

That's certainly a monopoly. There are other, free options, but "nobody does" so it is a monopoly.

This is why I don't agree with the Windows monopoly concept. We all know there are easily a hundred other free operating systems out there. Plus many more that aren't free but aren't from Microsoft. If Microsoft is the operating system of choice, even if the choice is watered down since most people get Windows free (or not free but seemingly so while paying for it in OEM costs) and prefer it, even if that choice is made out of laziness, how is that forcing their hand?

The simple truth nobody in the open source community wants to think about is this: Most computer users today don't give a damn about Microsoft's monopoly, and even if their computer didn't come with Windows and even if they were informed of Linux, BSD, and other alternatives, they would still CHOOSE to go buy a copy of Windows and install it. Rant and rave, like it or not, Windows is the operating system most people in the world would choose. They don't need to strong arm anybody. I'm not saying they don't, I'm saying blaming their current success on that is a piss poor excuse. The truth is, they have a product that does what many people want.

Re:That's Just Crazy

[squiggleslash]

If you switch from Windows IIS to Windows Apache, you lose nothing. You can still interoperate. IE doesn't become incompatable with your website. You're fine.

If you switch from Windows on your Desktop to Linux, you lose access to many applications only available under Windows. Those apps cannot be easily ported. In addition to losing functionality, you lose interoperability, because many of those applications provided access to data and other resources.

So yeah, I'd agree Microsoft has no monopoly in the web services arena, but I'd disagree about the operating system. In the late 1800s you had a choice of oil supplier, but thanks to Standard Oil's corrupt contracts with railroad companies, the only affordable oils were their's. Throughout the 20th Century, you could always use mail, radio, and a host of other services instead of the Bell System, to communicate. But that hardly meant they weren't a monopoly. "Choices" that are effectively worthless for the majority of people do not undermine a monopoly.

Re:That's Just Crazy

[lone_marauder]

If anything, apache is closer to a monopoly (though both IIS and apache are far from it)

Monopoly != popularity. Monopoly is taking market share by force rather than by normal market behavior. If Apache had extensions that didn't work right for any other browser besides, say, Mozilla, you might have something.

Please turn the next page in your pamphlet and post accordingly.

Re:That's Just Crazy

[jc42]

How can this be true when many people run Apache on Windows?

Funny thing about this: On many occasions, I've found myself looking at a group trying to install IIS (or the Netscape server or some other commercial server), and getting more and more frustrated over the problems getting it to work.

So, while they're fighting with it, I sit down at an idle machine, point the browser at apache.org, download the latest apache for that platform, and ask them questions while I twiddle the configuration. Within 10 to 20 minutes, depending on how much configging is needed, I fire up the server, and it runs the first try. I invite them to check it out from the other test machines, and they find that it's working. We copy a few web pages to that machine, and they work

The result in almost all cases is that they decide to go with apache "for a while". It's just an interim measure, you understand, until they can get the real web server running. But meanwhile, they have a web server that they can put online. The web developers aren't sitting around idle; they're building the web site.

In the ensuing months or years, I occasionally prod them with "You know, we really should try to get the officially-mandated web server running." The response is usually to put it off until they can get through the huge pile of stuff that they need to put online.

In a few cases, management has gotten upset, and created a team to get the officially-mandated server running. This often succeeds after a few weeks. Then they put that server online, and it's a real disaster. It crashes repeatedly, produces a flood of complaints from baffled customers along the lines of "How the @#&$^%*& do I order things from you now? Your online ordering pages are broken."

After management notices the loss of income from IIS or whatever, they grudgingly agree to go back to apache "until the problems can be worked out."

Does this sound familiar to anyone?

Re:That's Just Crazy

[overunderunderdone]

Monopoly != popularity. Monopoly is taking market share by force rather than by normal market behavior.

No, monopoly means "exclusive control by one group of the manufacture, or production, or selling of a comodity" whether that monopoly was gained by the popularity of the product or by "force" is irrelevant. The behaviour you are talking about isn't "monopoly" it is the abuse of a monopoly, or in anti-trust law "unfair business practices". Also, those business practices are only "unfair" IF you have a monopoly. So Microsoft was perfectly fine writing those "lock in" contracts with OEM's before they had a monopoly. It was perfectly fair to sign exclusive contracts in an attempt to lock out the competition and gain market-share. It is even fine for them to have become a monopoly, but once they are they are forbiden such practices which used to be perfectly legal.

Microsoft does have overwhelming marketshare, their network of exclusive sales contracts, when it was fully in force, probably made them a monopoly by virtue of the fact that they had something close enough to exclusive control of the sale of operating systems. I think such a virtual monopoly was sufficient for anti-trust law to kick in and forbid their use of otherwise legal practices. But strictly speaking Microsoft isn't a monopoly in the sense that DeBeers or OPEC are, or Standard Oil was.

Re:That's Just Crazy

[jc42]

Well, yes; sometimes it feels that way. ;-)

Actually, of course, it's just normal American corporate management practices that I'm talking about here. I keep getting the feeling that it's not outsourcing to cheaper parts of the world that we should be worried about. If any other part of the world ever invents a rational scheme for organizing companies, they'll wipe out our economy overnight.

Fortunately, there seems little danger of this threat materializing.

The funniest case was a few years back, when the project's management decreed the Netscape server as the standard. We tried several times. But the same thing always killed the effort: This server can be configured only through its web interface. Invariably, we would make some config mistake that turned the server into a zombie. At that point, there was no way to correct the problem because we couldn't change the configuration any more. We'd wipe the server's directories, reinstall -- and it would happen again. Sometimes we'd get it running for a few days, but every config change carried with it the possibility that we'd have to wipe the server and start over.

You'd think that people would understand why you can't trust a web server to handle changing its own config files. But the managers couldn't be convinced that there was a fundamental problem here. And we never found a way to get at those files with a plain editor. They just didn't make sense, and weren't documented anywhere that we could find.

I've long argued that one of apache's real strengths is its plain-text config file (with lots of good comments in the text). The commercial guys don't seem to be able to figure out why this is a good idea.

Not necessarily a good measurement

[taliver]

Numbers that are much harder to get but would be significantly more valuable would be the fraction of web traffic handled by the type of server. Just because I have a hosting company that has 3 sites doesn't mean that I'm getting traffic in the same amount that some other individuals. And MS(make that M$ so I don't get modded down) would tell you that there servers are deployed on the larger installations, the ones that need to higher performance.

(And, I'd expect that if we looked at a graph of traffic, you'd see the GWS getting a significant share.)

Re:Not necessarily a good measurement

[tolan's+my+name]

Lots of the _really_ big sites don't use Apache or IIS but use things like IBM_HTTP_Server (which, to be fair, IS Apache) with a Websphere backend. Also those really big site are all load balanced, portalled etc, so its hard to determin what is truely doing the serving.

Re:Not necessarily a good measurement

[Peer]

This argument was already used before. That's why Smutcraft.net
uses a better method to measure market share.

They rate Apache even higher.

NCSA

[chill]

Netcraft really needs to drop the NCSA line on the charts that don't stretch back before 2000.

The only thing that straight orange line at 0 does is give the Sun ONE guys something to point and laugh at. And it looks like they need it.

Re:NCSA

[madprof]

What do you then incorporate it into?
'Other' perhaps?
Incidentally, it's not 0. Oxford Brookes Univesity in the UK still use it, hilariously.

Re:NCSA

I like it. It helps me find the bottom of the graph.

That's very bad for Microsoft...

[Zocalo]

...and great for Apache. The underlying message seems to be that switching from Apache to IIS will either cause your company to fail outright, or at best cost you a huge chunk of resources while you switch to and from. That fact that Network Solutions is on the list is even better, because for many managers and users NetSol is *the* .com company, and if they can't make IIS work...

Re:That's very bad for Microsoft...

I would bet that a year ago someone at Microsoft came up with an idea to increase IIS standings at Netcraft: pay a couple of domain parking companies to switch. They probably paid them for a year only, and since the year has finished, the companies in question have decided to switch back, presumably because IIS had more expensive TCO than Apache. Microsoft's original idea would have been to gain momentum for IIS and indicate it was gaining rapidly over Apache, helping it's .Net initiative look like it was going somewhere.

Re:That's very bad for Microsoft...

[You're+All+Wrong]

Very insightful post.

A little bit of greasing of palms is a fairly common business practice. MS have probably seen that all that did, rather than
persuade the rest of the world to move over to IIS, was cost MS
money. So what comes next? I reckon the future will be MS playing
dirtier. They'll buy up companies which have trivial web patents,
and will sue every hosting company under the sun for "serving dynamically created content based on the user's prior browsing history" or something inane like that. (I made that one up.)

They have to start playing dirty now. Therefore they will.

YAW.

Apache 2.0

[g_arumilli]

Netcraft seems to show every site that I've looked at running Apache 1.3.x, and none of them running Apache 2.0.x. Is this just Netcraft being weird in attempting to determine what version of Apache a server is running (or perhaps an equivalence in transmitted data between 1.3.x and 2.0.x), or a more significant sign of the "stability" that major servers require?

Re:Apache 2.0

The Apache version comes directly from the server signature. This is changed easily enough (we find 3K Apache 7.x sites) but most people don't bother.

This month, we found

• 26.3M Apache 1.x hostnames
• 1M Apache 2.x hostnames
• 3M Unknown Apache hostnames

Magnus at netcraft dot com

Re:Apache 2.0

[madprof]

This seems about right. Apache 2.0 is still not as complete as Apache 1.3.x when it comes to support from surrounding software.
I'm waiting for Apache::Request to be ported properly.

Re:Apache 2.0

[Nevyn]

FWIW, the server name is transmitted in a standard HTTP/1.1 response so it's trivial to work out what kind of server something is running. As a simple test, run 'telnet [host] 80' and type 'GET / HTTP/1.1' and hit enter a few times. You'll get a response (usually an error saying invalid HTTP/1.1 request) which includes a server version.

To be pedantic, that should really be... "A server name is trans ... what kind of server something says it's running."

Re:Apache 2.0

[horza]

Until there is an announcement on the PHP homepage stating that PHP is totally stable under Apache 2, and that moving to Apache 2 will offer far greater performance, I don't see the ratio changing in the near future. The last advice I read was "don't use mod_php under Apache 2", and haven't heard anything to the contrary recently.

Phillip.

Re:Apache 2.0

[Mr+Bill]

Apache 2.0 has a lot more going for it than just better windows support.

One of the most useful features is the new Filter architecture. This allows you to send you HTML through multiple stages for processing. In other words, you could have a page that is parsed by PHP, then mod_perl, and then mod_include! Although that is a contrived example and no one would want to write a dynamic page using three languages, it does explain the possibilities. A useful example of a filter in Apache2 is mod_deflate which compresses content on the way out to the client. Also, it would be simple to write a filter in mod_perl that grabbed all the response headers and printed them to a file for debugging.

The new MPM (Multi-Processing Modules) , which has allowed for the improvement of windows support, also gives you choices on Unix in allowing you to use threaded models, or process models, or a combination of both...

But you are absolutely right in your observation that most admins are more than happy with what Apache 1.3.x provides for them.

I think Apache is one of the great success stories in the internet age.

Re:Apache 2.0

[fferreres]

PHP is pretty stable on Apache 2, at least for me. I was a bit scared at first, but after running a relatively large and badly written PHP site with not problems at all for about 3 month, I feel confident now. But yes, better wait for PHP to declare it stable.

Don't know what other people experiences are...

F

I remember previous news...

that many large companies started using IIS.
I got a bit nervous, but looks like using IIS is the best cure.
It's like pi**ing against electric fences.
You'll never do it again.

Mono-cultures not good!!!!!

[hughk]

Apache is cool and this is good for open source. However it would be better is there were more variety (perhaps Zope or others). Each approach has its own advantages or disadvantages.

Luckily many people use different Apache versions or even platforms and certainly different modules, i.e., mod-perl or php so this isn't as bad for a risk factor. I would still like to see more variety and thus hopefully better security.

Re:Mono-cultures not good!!!!!

[jalet]

Problem with Zope is that it's often installed behind Apache which serves as proxy/urlrewriter and so Netcraft may only see Apache some times. (it correctly detects Zope for my own website though)

OpenSSL...

[admbws]

Take a look at the article below. It's incredibly worrying how many sites are still using vulnerable versions of OpenSSL.

Re:OpenSSL...

[Przepla]

Indeed, but:

However, relying on version numbers to determine the number of vulnerable OpenSSL sites is flawed because vendors backport security patches. So a site using OpenSSL on a Red Hat 9 system will likely report itself as OpenSSL 0.9.7a even though it isn't vulnerable to any of the issues mentioned and the situation is similar for SuSE, Debian, Mandrake, and most of the Linux distributions. Additionally, many of the vendor distributions of Apache have recently started supressing all the extra module information by default, so newer distributions (ones that are not vulnerable) are less likely to be listed.

I'd just add, that FreeBSD does the same thing.

More useful measures

[wizrd_nml]

They could do a lot with the numbers they already have that could be more insightful: - Show statistics by type of domain (.org, .com, .net, etc.) - Show statistics about known companies/orgnisations that would be of interest to users (Forbes 500 companies, IT companies) Maybe some kind of statistical tool can be added to Apache (perhaps as a module) that can be optionally loaded that allows netcraft and similar sites to poll Apache and get interesting information like: hits, max load, throughput, type of machine it's running on...

I wonder if MS stopped there secret free license?

[Pond823]

It seems odd that the two largest parking hosts switched away from IIS at roughly the same time, when they also changed to IIS around the same time too. Maybe Microsoft made them an IIS offer they couldn't refuse, but have since changed that policy.

Isn't it ironic...

[Kj0n]

... that this article appears directly above the article "Lies, Damned Lies, And [Gaming] Statistics"?

The monocrop argument

[goombah99]

We often here that mono cropping leaves one open to rapidly spreading global viruses. The poster child for this is the windows operating sytem and its suceptibility to rpc and outlook and active-X infections.

The yarn goes that MS products are not so badly written, that IS II is no worse that apache, that outlook is no worse than XXXX, its just that windows runs on 95% of the worlds computers so its a target and when its infected it gets noticed.

this apache story sort of gives a lie to this. if it runs 80% of the web servers it is the largest target by definition. Of course it does get attacked but you dont hear about this being a viral thing, spreading throught the mono crop.

I guess one can counter this argument by saying that bussinesses that run web servers maintain their patches better thsn the devil spawned endusers. But this doesn't really wash. If bussinesses had to patch as often as Windows users did they would be screaming bloody murder since while it only costs the end user free time, it cost the bussinesses actual operating expesnes.

Re:The monocrop argument

[cperciva]

Apache isn't quite as much of a monocrop as it might seem at first. While a newly discovered security hole is likely to affect a large proportion of the world's web servers, differences in how Apache is linked and loaded will mean that any exploit is going to be specific to one operating system. For example, there was an Apache/FreeBSD worm some time back; the security hole existed in all (unpatched) Apache installations, but the worm was only able to exploit it on FreeBSD.

Re:Microsoft running on Linux?

From Netcraft's FAQ:

""
Why do you report impossible operating system/server combinations ?

Webservers that operate behind a caching system, load balancer, reverse proxy server or a firewall may sometimes report the operating system of the intermediate machine. Hence reports of 'Microsoft/IIS on Linux' may indicate that either the web server is behind a Linux server that is acting as a reverse proxy, or has configured the Akamai caching system such that the first request to the site goes to one of Akamai's servers [which run Linux], or as in the case of www.walmart.com has been configured to send a misleading signature.
""

RTFM :-)

Why all of the fussiness?

[illuminata]

With Apaches controlling this much of the internet and damn near all of the U.S. casinos, what the hell are they still bitching about?

Who cares if you don't have the land anymore, you're filthy fucking rich!

Re:Is this correct?

The oddity is caused by Microsoft's use of Akamai's mirroring services.

Web Hosts are actively recommending Linux ...

[leoaugust]

When I hosted some of my earlier sites, web hosting resellers were advocating Windows hosting. They charged more for it, and also most of the technical help they had was for Windows and IIS ...

After the worm season of Microsoft, I actually had the same resellers begging me not to buy Windows hosting but go for Linux, even though it was cheaper (and hence their margins lower). Most of them were putting forward the reasoning that it was cheaper (but that was never a selling point earlier) and they said that there are so many free goodies available with it ... Finally one of the ladies confided ... "My techies are going nuts just keeping up with the patches after patches .. so please, go for Linux .... please .."

It's anecdotal ... .but I think very widespread ..

Re:Web Hosts are actively recommending Linux ...

[Walles]

go for Linux, even though it was cheaper (and hence their margins lower)

Why would their margins be lower because Linux is cheaper for the customer? The margin is the difference between what the customer pays and what it costs them to provide it. If Linux is cheaper for them, their margins can very well be higher for Linux, even though it is cheaper for the customer.

This way, everybody benefits (except for Microsoft).

Define 2/3rds of the Web

[winkydink]

I offer that 2/3rds of all web servers and 2/3rds of the Web are far from the same thing. While I have no firm idea how to accurately measure the Web, I'd offer that either total content or total content that is actually viewed would make for a far more intersting statistic.

Whether this makes Apache's percentage larger or smaller, I have no idea there either. I think that the claim as written is inaccurate.

Intriguing...

[larien]

Subsequently these businesses have either failed

Would it be overly obvious to say that there's a link between using IIS and failing? ;)

with the rise of webservices...

[jlemmerer]

...apache will spread even farther. i do a lot of web service programming myself, and i have to say that the axis project maintained by a fraction of the apache group made my life a whole lot easier. i don't think that a similar framework exists in the microsoft world (yeah, i know there is .NET, but i mean in the "real" java web service world that is truly portable cross platform)

And remember....

[Kakemann]

This popularity is the ONLY reason for the TERRIBLE security track record of Apache compared to, say, IIS.

Oh, wait..

Re:That's Netcraft with a LOWER CASE 'c'

[gunix]

If Netcraft would use an upper case 'C', Blizzard would send them a theratening cease and desist letter (http://www.freecraft.org/).

Re:Microsoft running on Linux?

[PowerBert]

Ummm, could it be because it's their Unix. Hp push Linux too, and their website runs HPUX. All vendors use their own OS to run their websites. Can you imagine all the flack they would get if they didn't?

Funnily enough SCO are the only ones that don't run their own OS on their webservers. The run Linux, whats wrong with OpenServer???

Who really stands behind their products?

IBM run IBM/Apache on AIX

HP run Apache on HP-UX

SGI run Netscape Enterprise on Irix

Sun run SunONE webserver on Solaris

Apple run Apache on MacOS-X

FreeBSD run Apache on FreeBSD

NetBSD run Apache on Net/OpenBSD

OpenBSD runs Apache on Solaris? I'm sure thats because a uni hosts it.

Microsoft got scared at the last worm outbreak and now hide
2003 behind a Linux webcache farm ;-)

The one to beat them all.............

SCO run Apache on Linux

httpd versus Tomcat?

[ewg]

According to their platform groupings, they lump Apache Coyote together with Apache httpd.

Since Coyote is the Connector component that allows Tomcat to function as a standalone webserver, I wonder how many of "Apache" sites are running Tomcat versus httpd.

Re:Couldnt this also be interpreted as...

[Diplo]

Where I work we've slowly migrated from extremely reliable but very expensive HP hardware (running HP-UX) to cheap LINUX boxes. However, we've also had to do some Windows web development, since certain clients insist on us using ASP, .NET, SQL Server etc. which necesitates using IIS on Windows 2000.

Would anyone be suprised to learn that we are in the farcical situation of haveing to schedule the Win2K server to be rebooted twice a day, because otherwise it dies so badly that major work is needed to restart the damn thing? By comparison some of are *NIX webservers have been up for literally years...

Re:Apache doesn't OWN anything

[Little+Brother]

Um what I think the article is saying is that 2/3 of the sites on the World Wide Web are run by Apache software. In the English Language this is equivalant to saying "Apache [Software] Runs 2/3 Of the [World Wide] Web."

The article doesn't claim that Apache is neccicary for the web, simply that it is well utilized.

Going beyond the article however, without Apache there would be a fairly noticable difference in the Web to the users. Fewer low-end sites would have the capasity for advanced features as there are few other free (as in Beer, although Apache qualifies by both meanings of the word) Web Servers with the advanced features Apache can incorperate. Thus, the sites that wouldn't be able/willing to shell out for commercial web server software would use less-featured servers and have to redo their pages in a less sophisitacated form to run.

Re:Microsoft running on Linux?

[aDc_73]

Well actually I know that not everyone eats their own dogfood all the time:

HP using NT4

SGI using Linux

Sun using Netscape Enterprise instead of SunONE

Apple moved part of their backend from MacOSX to Solaris

My point was while IBM where encouraging other companies there are still using AIX themselves. Do they know which product they are pushing? ... On the other hand I tend to agree with Quazion's point ;-)

Factual post : most secure server is NOT apache

This valuable informative post got modded down to -1 even though it is nothing but 100% informative, and I rarely ever post it. Therefore I will post it three times in case the apache-fanboy mods it down to -1 again

I in 400 SECURE servers is still a classic Mac Os host even cccording to netcraft !

Because no mac in the history of the internet hosting a web server has ever been rooted or defaced remotely.

Why?

Because not one version of Mac OS has ever had a single exploitable hole ever discovered. (classic mac os now up to version 9.2.2 on currenlty sold g4 tolwers). OpenBSD has had no less than 5 holes (not one) in the default install in the last two years. Mac OS has had ZERO in over 7 years, even when paired up with its preferred web server app.

The Army (www.army.mil) has used Webstar for years on macs for security.

In fact in the entire SecurityFocus (BugTraq) database history there has never been a Mac exploited over the internet remotely. Scan it yourself.

For years, except, for a couple months ago, the army has always used MacOS and has never had a break-in on a Mac. Unlike their other MS defacements.

http://uptime.netcraft.com/up/graph?site=www.arm y. mil

That is why the US Army gave up on MS IIS and got a Mac for a web server, sometimes it is a honeypot for OSX testing, and US ARmy use regular Mac OS on other internal servers

I am not talking about FreeBSD derived MacOS X (which already had a more than a 50 exploits and potential exploits in BugTraq database) I am talking about current Mac OS 9.x and earlier which are highly sophisticated abstract-OS models.

Why is is hack proof? These reasons :

1> No command shell. No shell means no way to hook or intercept the flow of control with many various shell oriented tricks found in Unix or NT. Apple uses an object model for procces to process communication that is heavily typed and "pipe-less"

2> No Root user. All mac developers know their code is always running at root. Nothing is higher (except undocumented microkernel stufff where you pass Gary Davidian's birthday into certain registers and make a special call). By always being root there is no false sense of security, and programming is done carefully.

3> Pascal strings. ANSI C Strings are the number one way people exploit Linux and Wintel boxes. The mac avoids C strings historically in most of all of its OS. In fact even its roms originally used Pascal strings. As you know pascal strings are faster than C (because they have the length delimiter in the front and do not have to endlessly hunt for NULL), but the side effect is less buffer exploits. Individual 3rd party products may use C stings and bind to ANSI libraries, but many do not. In case you are not aware of what a "pascal string" is, it usually has no null byte terminator.

4> Macs running Webstar have ability to only run CGI placed in correct directory location and correctly file "typed" (not mere file name extension). File types on Macs are not easily settable by users, expecially remotely. Apache as you know has had many problems in earlier years preventing wayward execution.

5> Macs never run code ever merely based on how a file is named. ".exe" suffixes mean nothing! For example the file type is 4 characters of user-invisible attributes, along with many other invisible attributes, but these 4 bytes cannot be set by most tool oriented utilities that work with data files. For example file copy utilities preserve launchable file-types, but JPEG MPEG HTML TXT etc oriented tools are physically incapable by designof creating an executable file. The file type is not set to executable for hte hackers needs. In fact its even more secure than that. A mac cannot run a program unless it has TWO files. The second file is an invisible file associated with the data fork file and is called a resource fork. EVERY mac program has a resource fork file containing launch information. It needs t

Re:Factual post : most secure server is NOT apache

[javester]

B4 you blow a gasket, check it out yourself - Netcraft survey of www.army.mil.

And security thru obscurity is one strategy that does work - why heck! Even MS keeps pestering security companies not to release advisories until they get a peek at it first.

OK, and?

[cardpuncher]

I guess the numbers have some interest, but I'd be far more interested in what they're doing with their web servers. On the assumption that serving flat HTML is a minority interest, what, more significantly, are they using for their application development? Perl? PHP? Java? C?

One of the main problems with IIS is that its single-process, multi-threaded operation makes it very vulnerable to threadlocks and memory leakage by various ancillary software components (database drivers, Active X stuff, etc). Debugging these problems is next-to-impossible, particularly for someone who's chosen to use IIS largely because of a familiarity with Visual Basic.

I would not *a priori* expect threading in Apache 2.0 to work any better than IIS if it's working with, say, PHP into which you can build a myriad of library functions many of which have a single-threaded heritage.

So, if users are moving to Apache in droves because they've found a reliable rapid development environment for multi-threaded web applications, then I'd be interested to know what (apart from Apache) was involved.

After all, Apache (like IIS) is fundamentally no more than a dispatcher for HTTP requests. It's producing the responses that causes the trouble!

Anybody notice the drop off time

[Technician]

The MS graph looked steady until May of 2002 them something drastic happened. MS took a sharp drop. Apachie at the same time to a jump up. What time did the rash of worms start again?

New servers?

I think that it's more significant to note that even though it already has the majority share, Apache use is growing faster than any other server. This means that when somebody decides on a new server, more often than not, it's Apache that is chosen. Microsoft seems to be fighting a losing battle here. It's also interesting to note that they group a number of different Microsoft web servers together, whilst they separate the Apache users into different groups.

All that shows is apathy

[GregWebb]

Just because many don't complain doesn't mean they're not being disadvantaged. I could steal 10 pence a day from you and you probably wouldn't notice. Does that mean my theft would be permissible?

Impartial, informed observers have been saying for a very long time that Microsoft are a monopoly and illegally maintain this. That a major customer of theirs (HP, I believe) felt strongly enough that they disliked dealing with Microsoft sufficiently to go on record as stating that if they had alternative suppliers, they would deal with them instead, is surely a strong indication of Microsoft's nature. As is Microsoft feeling able to pressure IBM into dropping OS/2 and later SmartSuite through preferential pricing on Windows. Surely if there existed a sufficiently realistic competitive market in computer software, such tactics would have merely driven up sales of OS/2? It's not like it wasn't getting good reviews at the time.

Microsoft are a monopoly in the legal sense, and there can be no doubt that they have significantly abused this to the detriment of both consumers and the industry as a whole to anyone who followed the trial. That users are too apathetic and uninformed to understand they have lost out is not a defence against the monopoly charge, merely and indictment of the popular media and Microsoft's few remaining competitors.

Another survey - lots of IIS in .gov

[Tim+Colgate]

There is another survey at Security Space.

What's interesting about this one is that results can be viewed by domain. The highest proportion, and highest growth, of IIS seemed to be in the gov domain, where Apache is actually decreasing. IIS usage in education was also pretty high.

Use of Apache was particularly high in Germany .

Re:That's Netcraft with a LOWER CASE 'c'

[Golias]

Hmm. Are you sure? I thought SCO owned the letter 'C' and all derivative words.

They might say they do, but the Cookie Monster can claim prior art.

Re:Microsoft running on Linux?

[Clover_Kicker]

OpenBSD runs Apache on Solaris? I'm sure thats because a uni hosts it.

Yep. The OpenBSD FAQ has this to say:

Although none of the developers think it is particularly relevant, this question comes up frequently enough in the mailing lists that it is answered here. www.openbsd.org and the main OpenBSD ftp site are hosted at a SunSITE at the University of Alberta, Canada. These sites are hosted on a large Sun system, which has access to lots of storage space and Internet bandwidth. The presence of the SunSITE gives the OpenBSD group access to this bandwidth. This is why the main site runs here. Many of the OpenBSD mirror sites run OpenBSD, but since they do not have guaranteed access to this large amount of bandwidth, the group has chosen to run the main site at the University of Alberta SunSITE.

Well, that's interesting but...

[carlmenezes]

Wouldn't a breakup by a measure of the size in bytes of content served by the various web servers make a much more realistic figure?

I mean, if the traffic logs and stats are not available for all the sites around, surely, a measure of the size of the content would give one a fair idea of where the heavy weights really lie?

webstar.

[leuk_he]

sorry, I would call this that flaimbait. But since it is well argumented i will reply...
1> No command shell.
Absence of features is not always a good thing. now you will have to add scripting in the webserver.

2> No Root user
Like windows 95?.. see 1.

3> pascal strings
but you can have buffer overflows with pascal strings if you fail to allocate enough memory for the string.

4>..only run CGI placed in correct directory location..
And if you get a script in there you have the same problem. And it is not easy to remotely administer....

5> Macs never run code ever merely based on how a file is named. ".exe" suffixes mean nothing!
You mean like the unix "x" attribute that was in the very first unix? This is a thing that windows has badly affected. But is this a thing that affects web servers or clients......

4> Stack return address positioned in safer location than some intel OSes
There are 3 kind of people.. that that can count and those who cannot 8-).
But a better solution would be not to have the stack in memory that can be executed.

7> There are less macs, though there are huge cash prizes for cracking into a
The fact that there are huge cash prices would

not be a ood advertisement for safety. And generally they are set on well protected servers that are doing nothing.
8> MacOS source not available traditionally,
same argument goes for ISS

no mac web server has ever been rooted,defaced,owned,scanned,exploited, etc.
I am 100% sure that they get scanned all the time. which makes me doubt all the other points. But then you can always blaim the user.

Re:Questionable

[daviddennis]

They switched to Windows with gigantic fanfare about a year or so ago. I was shocked and incomprehending, since it just didn't make any sense to do that given their Unix heritage.

I guess they're now back to Solaris, which is just where they were before.

So much for Microsoft's marketing.

D

End of Life for NT 4.0?

[WoTG]

I wonder if the upcoming (or is it recently passed by now?) end of support for NT 4.0 is a factor. I would guess that some of the parked domains could be running on NT. With the end of support, these registrars would face either a paid upgrade to W2K/2003 or a free upgrade to Apache on Linux (or whatever) - or I guess they could stay with NT, and live without new security patches...

Re:Apache not exactly mono-culture

[ReelOddeeo]

Apache is an open source project. Therefore...

• It can be compiled for multiple architectures. (Opteron, PPC, MIPS, etc.)
• It can be compiled with different configuration settings.
• It can be compiled using different compilers.
• It can be compiled using different compiler options.
• It can be compiled on different operating systems. (Solaris, BSD, Linux, OS X, etc.)

While in some sense Apache may be a monoculture, you can clearly see from what I've just stated that in another sense it is far from a monoculture. At least in the sense that matters, in the sense of biological diversity. It is unlikely that one single virus is going to wipe out all Apache installations.

On the other hand, a sophisticated virus could be written based on some as yet undiscovered exploit that tries the attack for each binary variation of Apache. Using platform X, Y, and Z binary code. Compiled using P or Q compiler with A, B or C option settings.

SCO running Linux

[Admiral+Burrito]

Funnily enough SCO are the only ones that don't run their own OS on their webservers. The run Linux, whats wrong with OpenServer???

SCO considers millions of lines of Linux to be "theirs", so in SCO's mind they are running their own OS on their webservers.

Don't you read Slashdot?