November 20, 2015 archive

TechTarget Sheds Light On DNSSEC, CAs and Government Spying / Control

[Image: TechTarget article about DNSSEC]

Over on TechTarget, Michael Heller wrote this week about some of the criticisms around DNSSEC and how some of them may be rooted in misunderstandings of what DNSSEC is all about.  His article is:

I’m admittedly NOT a fan of the title TechTarget gave the piece – it’s got that negative slant along the lines of “well, at least DNSSEC isn’t as bad as CAs” – but putting the title aside I thought it was quite a good article.  Michael Heller starts out quoting John Levine about TLS certificates, which is what we in the technical realm know as the DANE protocol.

He then went on to quote me more extensively than I expected … and I’m quite pleased overall with what he did.  Particularly that he led with what I’ve been saying endlessly in presentations and articles for years now:

DNSSEC does one thing and one thing only: It protects the integrity of the information stored in DNS. DNSSEC ensures that the information for a domain name that you get out of DNS is the same information that the operator of that domain name put into DNS.

Every time someone on Twitter or Hacker News gets excited about how DNSSEC doesn’t protect the confidentiality of DNS information I always go back – that’s not the point!

As Heller writes later in the article, the DPRIVE Working Group inside the IETF is the effort aimed at addressing part of the confidentiality problem for DNS queries.

The other point I was pleased to see was that he addressed the issue of government control of top-level domains (TLDs).  Some critics of DNSSEC continue to maintain that using DNSSEC is handing control over to governments.  My point was that it depends upon which TLD you are talking about. Certainly some country-code TLDs (ccTLDs) are controlled by governments, and so a government could in fact change your DNS information … but that can happen regardless of DNSSEC.  (The case of the Syrian .SY TLD is an interesting example of the challenges with ccTLDs.)

So… if you are concerned about this… well… don’t use one of those TLDs!

Stick with one of the TLDs where you know who the entity behind it is.

He also did cover what I do think is an important point about DNSSEC:

“Historically, DNS servers have often been boxes that network administrators set up and then generally ignored, as they’ve just been off running. Adding DNSSEC requires that some additional care must be given to the DNS servers,” York said.

This is very true. DNS servers often are just started up and then ignored. With DNSSEC you do have to be aware of them: plan for regular rollover of the keys, make sure the servers’ clocks are in sync, and so on.  It’s not necessarily a great amount of work… but you do have to pay attention to DNS servers.
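To make the “pay attention to your DNS servers” point concrete, here is a small added example (my own illustration, not code from the original post, from TechTarget, or from any DNS software). It parses constructed RRSIG records for a hypothetical zone example.test. in the presentation format defined in RFC 4034 (the inception and expiration fields are YYYYMMDDHHmmSS in UTC), flags signatures that have expired or will expire within a warning window (so a re-signing or key rollover is due), and shows how a validator whose clock is off by a few days reaches the wrong verdict about the very same records. The zone contents, key tags and the chosen “current” time are all constructed for the demonstration.

```python
"""Audit DNSSEC RRSIG validity windows and show the effect of clock skew.

Added example, not from the original post. The RRSIG lines below are
constructed for a hypothetical zone; only the field layout follows RFC 4034.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Tuple

# Constructed RRSIG records in presentation format. Field order (RFC 4034 §3.2):
# owner TTL class RRSIG type-covered alg labels orig-ttl expiration inception key-tag signer signature
SAMPLE_RRSIGS = """\
; freshly re-signed A record (inception 19 Nov 2015)
example.test. 3600 IN RRSIG A 13 2 3600 20151215000000 20151119000000 12345 example.test. c2lnMQ==
; MX signature about to run out
example.test. 3600 IN RRSIG MX 13 2 3600 20151122000000 20151022000000 12345 example.test. c2lnMg==
; DNSKEY signature that was never refreshed
example.test. 3600 IN RRSIG DNSKEY 13 2 3600 20151119000000 20151019000000 54321 example.test. c2lnMw==
"""

RRSIG_TIME_FMT = "%Y%m%d%H%M%S"

# IANA DNSSEC algorithm numbers for the ones mentioned in the post
# (15 = ED25519 was assigned after this post was written).
ALGORITHM_NAMES = {8: "RSASHA256", 13: "ECDSAP256SHA256", 15: "ED25519"}


@dataclass
class RRSig:
    owner: str
    type_covered: str
    algorithm: int
    expiration: datetime
    inception: datetime
    key_tag: int
    signer: str


def _parse_time(field: str) -> datetime:
    return datetime.strptime(field, RRSIG_TIME_FMT).replace(tzinfo=timezone.utc)


def parse_rrsig(line: str) -> RRSig:
    """Parse one presentation-format RRSIG line into an RRSig."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError(f"not an RRSIG record: {line!r}")
    return RRSig(owner=f[0], type_covered=f[4], algorithm=int(f[5]),
                 expiration=_parse_time(f[8]), inception=_parse_time(f[9]),
                 key_tag=int(f[10]), signer=f[11])


def classify(sig: RRSig, now: datetime, warn_days: int = 7) -> str:
    """Return the validator's verdict for sig at time now.

    A validator accepts a signature only when inception <= now < expiration;
    'expiring-soon' is an operator warning, the record still validates.
    """
    if now < sig.inception:
        return "not-yet-valid"
    if now >= sig.expiration:
        return "expired"
    if sig.expiration - now <= timedelta(days=warn_days):
        return "expiring-soon"
    return "ok"


def audit(zone_text: str, now: datetime, warn_days: int = 7,
          clock_offset: timedelta = timedelta(0)) -> Dict[Tuple[str, int], str]:
    """Classify every RRSIG in zone_text as seen by a clock that is off by clock_offset."""
    observed_now = now + clock_offset  # what a skewed validator believes the time is
    verdicts: Dict[Tuple[str, int], str] = {}
    for line in zone_text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue  # skip blank lines and zone-file comments
        sig = parse_rrsig(line)
        verdicts[(sig.type_covered, sig.key_tag)] = classify(sig, observed_now, warn_days)
    return verdicts


def report(zone_text: str, now_iso: str, offset_hours: float = 0.0,
           warn_days: int = 7) -> Dict[Tuple[str, int], str]:
    """Convenience wrapper taking the reference time as an ISO-8601 UTC string."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    return audit(zone_text, now, warn_days, timedelta(hours=offset_hours))


if __name__ == "__main__":
    reference = "2015-11-20T12:00:00"  # constructed 'current' time (date of the post)
    for offset in (0.0, -48.0, 72.0):
        print(f"\nvalidator clock offset {offset:+.0f}h relative to {reference}Z:")
        for (rrtype, tag), verdict in report(SAMPLE_RRSIGS, reference, offset).items():
            print(f"  RRSIG {rrtype:<7} keytag {tag}  -> {verdict}")
```

Running it with the clock correct shows the DNSKEY signature already expired (the zone is broken for validating resolvers), the MX signature inside the warning window, and the A signature fine. Pulling the validator’s clock two days back hides the DNSKEY expiry and, worse, makes the freshly signed A record look “not yet valid”; pushing it three days ahead makes the MX record look expired. That is exactly why signers normally backdate the inception time by a safety margin and why NTP on both signers and resolvers is part of running DNSSEC, not an optional extra.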

I was also pleased that he captured the point at the end that DNSSEC evolves.  We’ve just recently seen that evolution with CloudFlare rolling out their DNSSEC services on a massive scale using the newer ECDSA elliptic curve signing algorithm, which offers stronger cryptographic security than comparably sized RSA keys and produces smaller signatures, and therefore smaller DNS packets.  We also see the evolution in the proposed Internet-Draft about using Ed25519 elliptic curve algorithms.  Yes, getting these changes deployed out into the field will take time, as resolvers and DNS servers all need to be changed to support them, along with user interfaces and more.

The point, though, is that DNSSEC is not a fixed and static technology. It can – and will – evolve as security concerns change.

It’s good to see this piece out there and I do hope it encourages more people to look into how they can get started with DNSSEC.

Speaking of that… if you want to get started with DNSSEC please visit our Start Here page to find resources tailored to your type of organization!

WordPress Now Powers 25% of Top 10 Million Websites

[Image: W3Techs WordPress 25 percent chart]

Fascinating news out of W3Techs earlier this month that WordPress now powers over 25% of the Alexa top 10 million websites. The next closest content management systems (CMS) are Joomla at 2.8% and Drupal at 2.1%.

The full stats are found here:

And a quick view of the top of the chart shows more data:

[Image: W3Techs CMS usage chart, November 2015]

Note the very top line - and this one is extremely important:

57.2% of the top 10 million sites do NOT use an identifiable CMS.

Either those sites use custom software or somehow strip off identification so that the tools W3Techs uses cannot detect the type of CMS that is being used by that site.

This leaves 42.8% of the top 10 million websites that DO use a CMS.

If you look at the chart:

  • the grey bars indicate the CMS' percentage across all Alexa 10 million sites
  • the green bars indicate the CMS' percentage within sites that use a CMS

So the net is:

  • 25.1% of the top 10 million sites use WordPress
  • Of the 42.8% of sites that use a CMS, 58.7% of those use WordPress

And of course all of this data is only on the Alexa Top 10 million sites. There are then millions more sites using various CMS' - and some % of those will be using WordPress.

Still, the Alexa Top 10 million is one set to use - and W3Techs has now been doing these measurements for years.

One interesting note out of the W3Techs blog post about this milestone is what happens when you move from looking at the Top 10 million to the Top 1000:

When we split up all websites by traffic level, we see that WordPress is leading at all levels, but the market share among the top 1000 sites is significantly lower at 30.3%. Drupal (19.7%) and Adobe Experience Manager (11.8%) are the other dominant systems in that section. Note, however, that using a standard CMS is not very common among the top 1000 sites; more than 90% of them are custom developments.

The article also has some interesting stats on usage by language. It also has this note:

WordPress is not only the most popular CMS, it is also the fastest growing system: every 74 seconds a site within the top 10 million starts using WordPress. Compare this with Shopify, the second-fastest growing CMS, which is gaining a new site every 22 minutes.

WordPress' Matt Mullenweg chimed in with a post "Seventy-Five to Go" noting that the goal now is to go after much of that remaining 75%, particularly the 57% who do not use any CMS right now.

He may be on to something there. If you look over at W3Techs historical yearly trends in CMS usage, you can see the rise of WordPress, but also the decline of "None" from 76.4% in 2011 to 57.2% most recently:

[Image: W3Techs historical CMS usage trends]

So does all this mean that you should ditch your other CMS' and move to WordPress? Or that you should use WordPress for your next project?

Not necessarily.

I'm a firm believer that you need to use the right tool for the right job and the choice of CMS can depend upon many factors related to your individual site and needs. And while I use WordPress as the CMS for almost all of my newer sites, I also use other platforms for other sites.

And... from a security point of view, I do like a diversity of different systems out there - and I like the fact that there is competition and choice among open source CMS'.

However, the report certainly shows the robust and continued growth in the WordPress platform and the strength of the overall WordPress ecosystem. And it bodes well for the future of WordPress.

Congratulations to the team at Automattic and all the MANY people contributing as part of the much broader WordPress ecosystem!

P.S. I first heard about this statistic on the WordPress Weekly podcast episode 212. If you are interested in WordPress, I find this podcast useful.

P.P.S. There's an irony, of course, that I'm writing this on a blog hosted on TypePad... I keep thinking that some year I'll move it to WordPress, but the effort involved is huge...