The social networking site Facebook suffered a period of short outages yesterday. A spokesman told the BBC that the outage was not thought to have affected every country, but Netcraft found the site to be unavailable from all of its performance collectors, located in London, Pennsylvania, San Jose, Phoenix, New York, Virginia and Italy.
Facebook's popularity has continued to grow, and it is now the 33rd most visited site among users of the Netcraft toolbar. Originally called "The Facebook", the company renamed itself after purchasing the domain facebook.com in 2005 for $200,000. In October 2007, Microsoft announced that it had bought a 1.6% share in Facebook for $246 million.
In the June 2008 survey we received responses from 172,338,726 sites.
The total number of sites has increased by 3.9 million this month, with the largest gain being seen at ThePlanet.com, where 632,000 new sites maintain its position as the 6th largest hosting company in the world.
A large switch to the Bahamas was seen at Secure Hosting Limited, where 1.2 million sites were gained from Nameview Inc. The offshore hosting company offers web hosting and dedicated servers from its data centres located in the Bahamas and Jamaica, and even provides dual-homed hosting for a 100% uptime guarantee.
Most of the new sites at Secure Hosting Limited were using the Lighttpd web server both before and after the switch, so Lighttpd's market share remains fairly static this month. Microsoft's IIS web server grows by 2 million sites, boosting market share by 0.36%, but Apache remains in the lead with a total of 49.1%.
LiteSpeed loses more than 600 thousand sites during this survey, while nginx gains more than a million sites, more than doubling in number. The WordPress blogging system recently converted all of its load balancers to nginx, using the upstream hash module to serve 8-9 thousand requests per second. Netcraft's site report shows the main WordPress site switching from LiteSpeed to nginx in April. nginx is a web server and mail proxy server written by Igor Sysoev.
| Developer | May 2008 | Percent | June 2008 | Percent | Change |
|---|---|---|---|---|---|
| Apache | 83,746,837 | 49.73% | 84,647,780 | 49.12% | -0.61 |
| Microsoft | 58,991,106 | 35.03% | 60,995,528 | 35.39% | 0.36 |
| | 10,127,956 | 6.01% | 10,468,720 | 6.07% | 0.06 |
| lighttpd | 1,523,148 | 0.90% | 1,532,952 | 0.89% | -0.01 |
| Sun | 545,651 | 0.32% | 550,723 | 0.32% | -0.00 |
An outage affected the Mozilla.com website on the day the organisation launched its Guinness World Record attempt for downloads of the new Firefox 3 browser.
The mozilla.com site was unreachable from around the world, occasionally responding with the message, "Http/1.1 Service Unavailable".
Melissa Shapiro posted a statement on the Mozilla blog to say that their servers were feeling the burn and should be back to normal shortly. An earlier post stated that the record attempt would begin today at 5pm UTC, but Shapiro announced after this time that the 24 hour period in which the downloads will be counted will begin once the site goes live.
Netcraft was able to access the Firefox 3 download page again shortly after 7pm UTC, but the Service Unavailable message was still seen occasionally. For some period before this, the page was still offering version 2 downloads, yet a Mozilla press release confirmed that Firefox 3 had indeed already been released.
A follow-up post on the Mozilla blog officially announced that the 24 hour period had begun, with Guinness counting all complete downloads of Firefox 3 before 18:16 UTC tomorrow.
The outages also affected the www.spreadfirefox.com website. Realtime performance graphs of the Mozilla website are available here.
Netcraft's June SSL Survey has found that a significant number of SSL certificates are affected by the Debian OpenSSL vulnerability, including Extended Validation SSL certificates and certificates belonging to banks.
The vulnerable certificates afford opportunities to create deceptive sites which use apparently valid SSL certificates, giving the user the impression that the site belongs to the certified organisation. In the case of EV certificates, browsers will also turn the address bar green, even though the certificate may be cloned.
From an attacker's point of view, the main limitation is that the browser will warn the user if the certificate common name does not match the name used by the user to access the site, so the attacker would need to affect the user's network or the DNS results to get a completely seamless attack.
The following screenshot demonstrates the feasibility and effectiveness of such an attack.
Example based on vulnerable site found via Netcraft's SSL Survey database.
On the 13th May, Debian released a security advisory (also described in CVE-2008-0166) announcing a vulnerability in Debian's OpenSSL package, which made it possible to discover private keys from public SSL and SSH keys. The issue affects all versions of OpenSSL on Debian-based operating systems over the course of two years — ever since two lines of code were commented out to prevent compilers displaying warnings about the use of uninitialized data.
The removal of these two lines of code vastly decreases the entropy of the seed used by the pseudo-random number generator in OpenSSL, making it easier to predict the random numbers generated by OpenSSL. This makes it easy for remote attackers to conduct offline brute force attacks against the cryptographic keys used in SSL certificates generated on vulnerable systems. All SSL and SSH keys generated on Debian-based operating systems since September 2006 may be affected. Affected operating systems include Ubuntu, Kubuntu, Knoppix, Grml and the Xandros Linux distribution used by the popular Asus Eee PC.
HD Moore has published an analysis of the Debian OpenSSL issue at Metasploit, noting how the keys are tied to the process ID. Using 31 Xeon cores clocked at 2.33GHz, Moore was able to generate all 1024-bit DSA and 2048-bit RSA keys for x86 architectures in only 2 hours, and all 4096-bit RSA keys in about 6 hours.
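The following is an added illustration, not code from Netcraft, Metasploit or OpenSSL. It uses a toy generator (hash expansion rather than real prime generation) to show why a seed that varies only with the process ID yields a key space small enough to enumerate in full, and how an administrator can then audit a key inventory against that list. The function names, host names and the fingerprint format are assumptions made for this example.

```python
import hashlib
import os

PID_MAX = 32768  # Linux default pid_max, so PIDs run 1..32767 (model assumption)

def weak_seed(pid, bits):
    """Model of the flawed build: the process ID is the only varying seed input."""
    return b"pid=%d;bits=%d" % (pid, bits)

def toy_keygen(seed, bits):
    """Deterministic stand-in for a key generator: same seed, same 'modulus'.
    Real generators search for primes; hash expansion is enough for this model."""
    out, counter = b"", 0
    while len(out) * 8 < bits:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    n = int.from_bytes(out[: bits // 8], "big")
    return n | 1 | (1 << (bits - 1))  # force odd and full bit length

def fingerprint(modulus):
    """Short hash of the public modulus, used as the blocklist entry."""
    return hashlib.sha256(format(modulus, "x").encode()).hexdigest()[:20]

def build_blocklist(bits):
    """Enumerate every key the weak generator can emit for one key size."""
    return {fingerprint(toy_keygen(weak_seed(pid, bits), bits))
            for pid in range(1, PID_MAX)}

def audit(inventory, blocklist):
    """Return the names whose public key is in the enumerated weak set."""
    return sorted(name for name, modulus in inventory.items()
                  if fingerprint(modulus) in blocklist)

def demo(bits=1024):
    blocklist = build_blocklist(bits)
    inventory = {  # constructed sample inventory, hypothetical host names
        "www.example.test": toy_keygen(weak_seed(4242, bits), bits),
        "mail.example.test": toy_keygen(weak_seed(31000, bits), bits),
        "shop.example.test": toy_keygen(os.urandom(32), bits),  # properly seeded
    }
    return len(blocklist), audit(inventory, blocklist)

if __name__ == "__main__":
    size, flagged = demo()
    print(f"{size} possible weak keys; flagged: {flagged}")
```

Any key flagged by such an audit must be regenerated on a patched system and its certificate reissued, since the matching private key is effectively public.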
Although a number of certificate authorities have offered free replacement certificates to customers affected by the Debian OpenSSL vulnerability, it has been reported that they have not been getting a big response. Comodo is offering a free replacement SSL certificate to any affected business, regardless of their original provider, while VeriSign is offering free reissuance for both SSL certificates and code signing certificates. GeoTrust and Thawte also offer free SSL certificate reissuance, and RapidSSL certificates can be renewed for free at GeoTrust's website.
May 1st – 31st 2008
INetU is the most reliable hosting company site for May 2008, closely followed by Aplus.Net.
INetU also had the most reliable hosting company site in March. INetU is an enterprise managed hosting company located in Allentown, PA. They have been in business since 1996 and notably offer a 100% uptime service level guarantee. Managed services provided by INetU include MySQL and MS SQL database clusters, Exchange servers, virtualization and firewalls. Their clients include Fortune 500 companies such as Microsoft, Intel, Northrop Grumman and Canon.
Aplus.Net is a division of Abacus America, Inc., and has also been offering internet services for more than 10 years. APlus.Net offers dedicated servers, web hosting, web design, marketing and is an ICANN accredited domain name registrar. The company has more than 200,000 customers and more than 6,000 dedicated server customers.
Four of May's top ten hosting companies run Linux on their main sites. Three of the others use FreeBSD and another uses Windows Server 2003.