Netcraft Claims Apache Now Runs 2/3rds Of The Web

Mr Bill writes "According to NetCraft the Apache web server now owns over 2/3rds of the web. The jump of 2.8% since last month is mostly due to a number of large domain parking sites switching back to Apache from IIS. 'During 2001 and the first half of 2002 several companies hosting very large numbers of hostnames including Webjump, Namezero, Homestead, register.com and Network Solutions migrated to Microsoft-IIS. Subsequently these businesses have either failed, significantly changed their business model, or reverted to their previous platform, and Microsoft-IIS share is now in line with its long term pre-summer 2001 level of around 20%.' See the full report here."

That's Just Crazy

Who would've believed that a non-proprietary and free webserver would be so popular when Microsoft gives you the opportunity to lock yourself into monopoly driven endless licensing upgrade cycle?

What the hell is this world coming to?

Re:That's Just Crazy

[lone_marauder]

If anything, apache is closer to a monopoly (though both IIS and apache are far from it)

Monopoly != popularity. Monopoly is taking market share by force rather than by normal market behavior. If Apache had extensions that didn't work right for any other browser besides, say, Mozilla, you might have something.

Please turn the next page in your pamphlet and post accordingly.

Re:That's Just Crazy

[jc42]

How can this be true when many people run Apache on Windows?

Funny thing about this: On many occasions, I've found myself looking at a group trying to install IIS (or the Netscape server or some other commercial server), and getting more and more frustrated over the problems getting it to work.

So, while they're fighting with it, I sit down at an idle machine, point the browser at apache.org, download the latest apache for that platform, and ask them questions while I twiddle the configuration. Within 10 to 20 minutes, depending on how much configging is needed, I fire up the server, and it runs the first try. I invite them to check it out from the other test machines, and they find that it's working. We copy a few web pages to that machine, and they work

The result in almost all cases is that they decide to go with apache "for a while". It's just an interim measure, you understand, until they can get the real web server running. But meanwhile, they have a web server that they can put online. The web developers aren't sitting around idle; they're building the web site.

In the ensuing months or years, I occasionally prod them with "You know, we really should try to get the officially-mandated web server running." The response is usually to put it off until they can get through the huge pile of stuff that they need to put online.

In a few cases, management has gotten upset, and created a team to get the officially-mandated server running. This often succeeds after a few weeks. Then they put that server online, and it's a real disaster. It crashes repeatedly, produces a flood of complaints from baffled customers along the lines of "How the @#&$^%*& do I order things from you now? Your online ordering pages are broken."

After management notices the loss of income from IIS or whatever, they grudgingly agree to go back to apache "until the problems can be worked out."

Does this sound familiar to anyone?

Re:That's Just Crazy

[jc42]

Well, yes; sometimes it feels that way. ;-)

Actually, of course, it's just normal American corporate management practices that I'm talking about here. I keep getting the feeling that it's not outsourcing to cheaper parts of the world that we should be worried about. If any other part of the world ever invents a rational scheme for organizing companies, they'll wipe out our economy overnight.

Fortunately, there seems little danger of this threat materializing.

The funniest case was a few years back, when the project's management decreed the Netscape server as the standard. We tried several times. But the same thing always killed the effort: This server can be configured only through its web interface. Invariably, we would make some config mistake that turned the server into a zombie. At that point, there was no way to correct the problem because we couldn't change the configuration any more. We'd wipe the server's directories, reinstall -- and it would happen again. Sometimes we'd get it running for a few days, but every config change carried with it the possibility that we'd have to wipe the server and start over.

You'd think that people would understand why you can't trust a web server to handle changing its own config files. But the managers couldn't be convinced that there was a fundamental problem here. And we never found a way to get at those files with a plain editor. They just didn't make sense, and weren't documented anywhere that we could find.

I've long argued that one of apache's real strengths is its plain-text config file (with lots of good comments in the text). The commercial guys don't seem to be able to figure out why this is a good idea.

Not necessarily a good measurement

[taliver]

Numbers that are much harder to get but would be significantly more valuable would be the fraction of web traffic handled by the type of server. Just because I have a hosting company that has 3 sites doesn't mean that I'm getting traffic in the same amount that some other individuals. And MS(make that M$ so I don't get modded down) would tell you that there servers are deployed on the larger installations, the ones that need to higher performance.

(And, I'd expect that if we looked at a graph of traffic, you'd see the GWS getting a significant share.)

Re:Not necessarily a good measurement

[tolan's+my+name]

Lots of the _really_ big sites don't use Apache or IIS but use things like IBM_HTTP_Server (which, to be fair, IS Apache) with a Websphere backend. Also those really big site are all load balanced, portalled etc, so its hard to determin what is truely doing the serving.

Re:Not necessarily a good measurement

[Peer]

This argument was already used before. That's why Smutcraft.net
uses a better method to measure market share.

They rate Apache even higher.

NCSA

[chill]

Netcraft really needs to drop the NCSA line on the charts that don't stretch back before 2000.

The only thing that straight orange line at 0 does is give the Sun ONE guys something to point and laugh at. And it looks like they need it.

That's very bad for Microsoft...

[Zocalo]

...and great for Apache. The underlying message seems to be that switching from Apache to IIS will either cause your company to fail outright, or at best cost you a huge chunk of resources while you switch to and from. That fact that Network Solutions is on the list is even better, because for many managers and users NetSol is *the* .com company, and if they can't make IIS work...

Re:That's very bad for Microsoft...

I would bet that a year ago someone at Microsoft came up with an idea to increase IIS standings at Netcraft: pay a couple of domain parking companies to switch. They probably paid them for a year only, and since the year has finished, the companies in question have decided to switch back, presumably because IIS had more expensive TCO than Apache. Microsoft's original idea would have been to gain momentum for IIS and indicate it was gaining rapidly over Apache, helping it's .Net initiative look like it was going somewhere.

Apache 2.0

[g_arumilli]

Netcraft seems to show every site that I've looked at running Apache 1.3.x, and none of them running Apache 2.0.x. Is this just Netcraft being weird in attempting to determine what version of Apache a server is running (or perhaps an equivalence in transmitted data between 1.3.x and 2.0.x), or a more significant sign of the "stability" that major servers require?

Re:Apache 2.0

The Apache version comes directly from the server signature. This is changed easily enough (we find 3K Apache 7.x sites) but most people don't bother.

This month, we found

• 26.3M Apache 1.x hostnames
• 1M Apache 2.x hostnames
• 3M Unknown Apache hostnames

Magnus at netcraft dot com

I remember previous news...

that many large companies started using IIS.
I got a bit nervous, but looks like using IIS is the best cure.
It's like pi**ing against electric fences.
You'll never do it again.

Mono-cultures not good!!!!!

[hughk]

Apache is cool and this is good for open source. However it would be better is there were more variety (perhaps Zope or others). Each approach has its own advantages or disadvantages.

Luckily many people use different Apache versions or even platforms and certainly different modules, i.e., mod-perl or php so this isn't as bad for a risk factor. I would still like to see more variety and thus hopefully better security.

Re:Mono-cultures not good!!!!!

[jalet]

Problem with Zope is that it's often installed behind Apache which serves as proxy/urlrewriter and so Netcraft may only see Apache some times. (it correctly detects Zope for my own website though)

OpenSSL...

[admbws]

Take a look at the article below. It's incredibly worrying how many sites are still using vulnerable versions of OpenSSL.

Re:OpenSSL...

[Przepla]

Indeed, but:

However, relying on version numbers to determine the number of vulnerable OpenSSL sites is flawed because vendors backport security patches. So a site using OpenSSL on a Red Hat 9 system will likely report itself as OpenSSL 0.9.7a even though it isn't vulnerable to any of the issues mentioned and the situation is similar for SuSE, Debian, Mandrake, and most of the Linux distributions. Additionally, many of the vendor distributions of Apache have recently started supressing all the extra module information by default, so newer distributions (ones that are not vulnerable) are less likely to be listed.

I'd just add, that FreeBSD does the same thing.

I wonder if MS stopped there secret free license?

[Pond823]

It seems odd that the two largest parking hosts switched away from IIS at roughly the same time, when they also changed to IIS around the same time too. Maybe Microsoft made them an IIS offer they couldn't refuse, but have since changed that policy.

Isn't it ironic...

[Kj0n]

... that this article appears directly above the article "Lies, Damned Lies, And [Gaming] Statistics"?

The monocrop argument

[goombah99]

We often here that mono cropping leaves one open to rapidly spreading global viruses. The poster child for this is the windows operating sytem and its suceptibility to rpc and outlook and active-X infections.

The yarn goes that MS products are not so badly written, that IS II is no worse that apache, that outlook is no worse than XXXX, its just that windows runs on 95% of the worlds computers so its a target and when its infected it gets noticed.

this apache story sort of gives a lie to this. if it runs 80% of the web servers it is the largest target by definition. Of course it does get attacked but you dont hear about this being a viral thing, spreading throught the mono crop.

I guess one can counter this argument by saying that bussinesses that run web servers maintain their patches better thsn the devil spawned endusers. But this doesn't really wash. If bussinesses had to patch as often as Windows users did they would be screaming bloody murder since while it only costs the end user free time, it cost the bussinesses actual operating expesnes.

Re:Microsoft running on Linux?

From Netcraft's FAQ:

""
Why do you report impossible operating system/server combinations ?

Webservers that operate behind a caching system, load balancer, reverse proxy server or a firewall may sometimes report the operating system of the intermediate machine. Hence reports of 'Microsoft/IIS on Linux' may indicate that either the web server is behind a Linux server that is acting as a reverse proxy, or has configured the Akamai caching system such that the first request to the site goes to one of Akamai's servers [which run Linux], or as in the case of www.walmart.com has been configured to send a misleading signature.
""

RTFM :-)

Why all of the fussiness?

[illuminata]

With Apaches controlling this much of the internet and damn near all of the U.S. casinos, what the hell are they still bitching about?

Who cares if you don't have the land anymore, you're filthy fucking rich!

Web Hosts are actively recommending Linux ...

[leoaugust]

When I hosted some of my earlier sites, web hosting resellers were advocating Windows hosting. They charged more for it, and also most of the technical help they had was for Windows and IIS ...

After the worm season of Microsoft, I actually had the same resellers begging me not to buy Windows hosting but go for Linux, even though it was cheaper (and hence their margins lower). Most of them were putting forward the reasoning that it was cheaper (but that was never a selling point earlier) and they said that there are so many free goodies available with it ... Finally one of the ladies confided ... "My techies are going nuts just keeping up with the patches after patches .. so please, go for Linux .... please .."

It's anecdotal ... .but I think very widespread ..

Re:good

It might help a bit, but not a lot. Web servers that belong to a domain, say www.slashdot.com, are counted here, but when you have millions of home machines worldwide still running an open web service on windows, that can overwhelm the statistics.

66% of 'real' websites may be apache driven, but when it comes to viral infection, Joe Normal's home windows box on his cable connection counts just as much an infectable web server as the business down the road that runs a real .com

Define 2/3rds of the Web

[winkydink]

I offer that 2/3rds of all web servers and 2/3rds of the Web are far from the same thing. While I have no firm idea how to accurately measure the Web, I'd offer that either total content or total content that is actually viewed would make for a far more intersting statistic.

Whether this makes Apache's percentage larger or smaller, I have no idea there either. I think that the claim as written is inaccurate.

Re:good

[nmg196]

But IIS usage is NOT going down though! The netcraft graph is a graph of relative usage of each system and adds up to 100%. If you look at the bottom the linked page at the second graph, you can see that IIS usage hasn't decreased at all - it's just that Apache usage has gone up quite a bit recently (ie, there are more total servers tested by Netcraft).

with the rise of webservices...

[jlemmerer]

...apache will spread even farther. i do a lot of web service programming myself, and i have to say that the axis project maintained by a fraction of the apache group made my life a whole lot easier. i don't think that a similar framework exists in the microsoft world (yeah, i know there is .NET, but i mean in the "real" java web service world that is truly portable cross platform)

Re:That's Netcraft with a LOWER CASE 'c'

[gunix]

If Netcraft would use an upper case 'C', Blizzard would send them a theratening cease and desist letter (http://www.freecraft.org/).

Re:Microsoft running on Linux?

[PowerBert]

Ummm, could it be because it's their Unix. Hp push Linux too, and their website runs HPUX. All vendors use their own OS to run their websites. Can you imagine all the flack they would get if they didn't?

Funnily enough SCO are the only ones that don't run their own OS on their webservers. The run Linux, whats wrong with OpenServer???

Who really stands behind their products?

IBM run IBM/Apache on AIX

HP run Apache on HP-UX

SGI run Netscape Enterprise on Irix

Sun run SunONE webserver on Solaris

Apple run Apache on MacOS-X

FreeBSD run Apache on FreeBSD

NetBSD run Apache on Net/OpenBSD

OpenBSD runs Apache on Solaris? I'm sure thats because a uni hosts it.

Microsoft got scared at the last worm outbreak and now hide
2003 behind a Linux webcache farm ;-)

The one to beat them all.............

SCO run Apache on Linux

Re:good

[Grizzlysmit]

Ummm I think you'll find thats wrong, ok the propotunate loss for IIS is worse, but they've had a notaciable numeric loss too.

Re:good

[Bert64]

Apache is not really a monoculture atall, not compared to IIS... If you encounter a machine running IIS you can pretty much guarantee it`s running on an x86 machine running windows, it might, but this is a 1/1000000 chance or something, be running on windows on an alpha, mips or ppc... but this isnt possible for any version above 5.0
However, with Apache, it could be running on any one of many OS`s, Linux, FreeBSD, Solaris, HPUX, AIX for instance, and on many different hardware architectures.
This is a good reason for promoting systems such as FreeBSD, OSX, and the other risc systems... If the entire world standardises on x86/linux for their webservers, especially a single distribution, then it would be no better than a windows monoculture.

Factual post : most secure server is NOT apache

This valuable informative post got modded down to -1 even though it is nothing but 100% informative, and I rarely ever post it. Therefore I will post it three times in case the apache-fanboy mods it down to -1 again

I in 400 SECURE servers is still a classic Mac Os host even cccording to netcraft !

Because no mac in the history of the internet hosting a web server has ever been rooted or defaced remotely.

Why?

Because not one version of Mac OS has ever had a single exploitable hole ever discovered. (classic mac os now up to version 9.2.2 on currenlty sold g4 tolwers). OpenBSD has had no less than 5 holes (not one) in the default install in the last two years. Mac OS has had ZERO in over 7 years, even when paired up with its preferred web server app.

The Army (www.army.mil) has used Webstar for years on macs for security.

In fact in the entire SecurityFocus (BugTraq) database history there has never been a Mac exploited over the internet remotely. Scan it yourself.

For years, except, for a couple months ago, the army has always used MacOS and has never had a break-in on a Mac. Unlike their other MS defacements.

http://uptime.netcraft.com/up/graph?site=www.arm y. mil

That is why the US Army gave up on MS IIS and got a Mac for a web server, sometimes it is a honeypot for OSX testing, and US ARmy use regular Mac OS on other internal servers

I am not talking about FreeBSD derived MacOS X (which already had a more than a 50 exploits and potential exploits in BugTraq database) I am talking about current Mac OS 9.x and earlier which are highly sophisticated abstract-OS models.

Why is is hack proof? These reasons :

1> No command shell. No shell means no way to hook or intercept the flow of control with many various shell oriented tricks found in Unix or NT. Apple uses an object model for procces to process communication that is heavily typed and "pipe-less"

2> No Root user. All mac developers know their code is always running at root. Nothing is higher (except undocumented microkernel stufff where you pass Gary Davidian's birthday into certain registers and make a special call). By always being root there is no false sense of security, and programming is done carefully.

3> Pascal strings. ANSI C Strings are the number one way people exploit Linux and Wintel boxes. The mac avoids C strings historically in most of all of its OS. In fact even its roms originally used Pascal strings. As you know pascal strings are faster than C (because they have the length delimiter in the front and do not have to endlessly hunt for NULL), but the side effect is less buffer exploits. Individual 3rd party products may use C stings and bind to ANSI libraries, but many do not. In case you are not aware of what a "pascal string" is, it usually has no null byte terminator.

4> Macs running Webstar have ability to only run CGI placed in correct directory location and correctly file "typed" (not mere file name extension). File types on Macs are not easily settable by users, expecially remotely. Apache as you know has had many problems in earlier years preventing wayward execution.

5> Macs never run code ever merely based on how a file is named. ".exe" suffixes mean nothing! For example the file type is 4 characters of user-invisible attributes, along with many other invisible attributes, but these 4 bytes cannot be set by most tool oriented utilities that work with data files. For example file copy utilities preserve launchable file-types, but JPEG MPEG HTML TXT etc oriented tools are physically incapable by designof creating an executable file. The file type is not set to executable for hte hackers needs. In fact its even more secure than that. A mac cannot run a program unless it has TWO files. The second file is an invisible file associated with the data fork file and is called a resource fork. EVERY mac program has a resource fork file containing launch information. It needs t

All that shows is apathy

[GregWebb]

Just because many don't complain doesn't mean they're not being disadvantaged. I could steal 10 pence a day from you and you probably wouldn't notice. Does that mean my theft would be permissible?

Impartial, informed observers have been saying for a very long time that Microsoft are a monopoly and illegally maintain this. That a major customer of theirs (HP, I believe) felt strongly enough that they disliked dealing with Microsoft sufficiently to go on record as stating that if they had alternative suppliers, they would deal with them instead, is surely a strong indication of Microsoft's nature. As is Microsoft feeling able to pressure IBM into dropping OS/2 and later SmartSuite through preferential pricing on Windows. Surely if there existed a sufficiently realistic competitive market in computer software, such tactics would have merely driven up sales of OS/2? It's not like it wasn't getting good reviews at the time.

Microsoft are a monopoly in the legal sense, and there can be no doubt that they have significantly abused this to the detriment of both consumers and the industry as a whole to anyone who followed the trial. That users are too apathetic and uninformed to understand they have lost out is not a defence against the monopoly charge, merely and indictment of the popular media and Microsoft's few remaining competitors.

Well, that's interesting but...

[carlmenezes]

Wouldn't a breakup by a measure of the size in bytes of content served by the various web servers make a much more realistic figure?

I mean, if the traffic logs and stats are not available for all the sites around, surely, a measure of the size of the content would give one a fair idea of where the heavy weights really lie?