Received: from BLUPR16MB0194.namprd16.prod.outlook.com (10.162.233.156) by SN1PR16MB0208.namprd16.prod.outlook.com (10.162.209.143) with Microsoft SMTP Server (TLS) id 15.1.534.14 via Mailbox Transport; Thu, 7 Jul 2016 16:29:10 +0000 Received: from BLUPR16MB0147.namprd16.prod.outlook.com (10.162.233.146) by BLUPR16MB0194.namprd16.prod.outlook.com (10.162.233.156) with Microsoft SMTP Server (TLS) id 15.1.528.16; Thu, 7 Jul 2016 16:29:09 +0000 Received: from BLUPR16CA0008.namprd16.prod.outlook.com (10.164.14.18) by BLUPR16MB0147.namprd16.prod.outlook.com (10.162.233.146) with Microsoft SMTP Server (TLS) id 15.1.528.16; Thu, 7 Jul 2016 16:29:07 +0000 Received: from CO1NAM03FT052.eop-NAM03.prod.protection.outlook.com (2a01:111:f400:7e48::204) by BLUPR16CA0008.outlook.office365.com (2a01:111:e400:c463::18) with Microsoft SMTP Server (TLS) id 15.1.534.14 via Frontend Transport; Thu, 7 Jul 2016 16:29:07 +0000 Received: from ASBXCHMBXWPI01.SYMC.SYMANTEC.COM (155.64.138.31) by CO1NAM03FT052.mail.protection.outlook.com (10.152.81.213) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.534.7 via Frontend Transport; Thu, 7 Jul 2016 16:29:04 +0000 Received: from ASBXCHMBXWPI01.SYMC.SYMANTEC.COM (10.90.223.21) by ASBXCHMBXWPI01.SYMC.SYMANTEC.COM (10.90.223.21) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Thu, 7 Jul 2016 09:27:55 -0700 Received: from TUS1XCHHUBPIN02.SYMC.SYMANTEC.COM (155.64.220.138) by ASBXCHMBXWPI01.SYMC.SYMANTEC.COM (10.90.223.21) with Microsoft SMTP Server (TLS) id 15.0.1178.4 via Frontend Transport; Thu, 7 Jul 2016 09:27:55 -0700 Received: from tus1opsmtapin01.ges.symantec.com (192.168.214.43) by TUS1XCHHUBPIN02.SYMC.SYMANTEC.COM (155.64.220.138) with Microsoft SMTP Server id 8.3.406.0; Thu, 7 Jul 2016 09:27:50 -0700 Received: from [216.10.195.239] (helo=tus1smtinbpex02.symantec.com) by tus1opsmtapin01.ges.symantec.com with esmtp (Exim 4.76) (envelope-from ) id 1bLC9V-0007yk-Pn; Thu, 07 Jul 2016 16:27:49 +0000 Received: from mail6.bemta12.messagelabs.com (mail6.bemta12.messagelabs.com [216.82.250.247]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by tus1smtinbpex02.symantec.com (Symantec Messaging Gateway) with SMTP id 43.EA.03204.0038E775; Thu, 7 Jul 2016 17:27:48 +0100 (BST) Received: from [216.82.251.33] by server-12.bemta-12.messagelabs.com id 09/DC-32521-FF28E775; Thu, 07 Jul 2016 16:27:43 +0000 Received: (qmail 23127 invoked from network); 7 Jul 2016 16:27:39 -0000 Received: from mail.netcraft.com (HELO mail.netcraft.com) (194.72.238.7) by server-15.tower-130.messagelabs.com with DHE-RSA-AES256-SHA encrypted SMTP; 7 Jul 2016 16:27:39 -0000 Received: from localhost (localhost.localdomain [127.0.0.1]) by mail.netcraft.com (Postfix) with ESMTP id AA2C25E827B; Thu, 7 Jul 2016 17:27:36 +0100 (BST) Received: from mail.netcraft.com ([194.72.238.7]) by localhost (cambus.netcraft.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wU1ZPzIaywVe; Thu, 7 Jul 2016 17:27:36 +0100 (BST) Received: from girvan.netcraft.com (girvan.netcraft.com [194.72.238.20]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mail.netcraft.com (Postfix) with ESMTPS id 221905E8261; Thu, 7 Jul 2016 17:27:36 +0100 (BST) Received: by girvan.netcraft.com (Postfix, from userid 1073) id 1484C50227; Thu, 7 Jul 2016 17:27:36 +0100 (BST) From: Mike Prettejohn To: Diana Marin Severino , Sue Coakley , Vijay NS , Sonya Perez , Eric Lipman , "Laura Aviles" , Jeffrey Whale , Alex Wong , "Landon Borup" , Alain Allen , Frank Agurto-Machado , "Charlene Mike-Billstrom" , Rick Andrews , Anna Sampson , "Eiji Yahagi" , Tomonori Sato , Christiaan De Villiers , Dean Coclin , Hari Veladanda , Robert Hoblit , Marisa Luke , "Roxane Divol" , Norie Sato , Masato Hayashi , DL-VSN-Data Analysis , Bill Ng , "Geoffrey Noakes" , Tracy Chao , Tri Tang1 , Jeff Barto , Theresa Garza , Sven Skerka , Helen Bates , "Jonathan Skinner" , Kevin Brown , Minori Nakanishi , "leeanne_dewit@netcraft.com" , "antec.com@netcraft.com" , "tristan_fourcault@symantec.com" , "Jun Kamimura" , Shusuke Nakagawa , Lisa Low , "Alejandro Borgia" , Belinda Charleson , Timothy Willey , Wasi Wahid , "Jo Ann Lambkin" , Abhijit Solanki , Donald Baker , Harbir Singh , Michael Klieman , Takashi Abe , Helen Lew , Jack Kato , Nicolas Popp , Bartosz Begej , Jon Kerr , Roxane Jerbi , Tim Gallo , "Gautam Kanaparthi" , Thomas La , James Duff , "aidan_calvert@symantec.com" , Ian McShane , Yoshimasa Hiraiwa , Robert Lin , Albert Cooley , Mirco Reimann , Jessica Crewse , Jason Luong , Rory Tavares , Asad Faruqui , "Karina Stiller" , Pavan Bhat , "jeannette_duong@symantec.c" , "om@netcraft.com" , Terri Parker , "K.J.Hari Hara Krishnan" , Anna Brannan , Graeme Watts , "Russel Scovel" , Maren Peasley , Tiphany Zellers , Randy Clark , Susanne Lambert , Alex Black , "Davin Pick" , Akhil Verma , Micheal Brown , Lee-Lin Thye , Suhasini Anand , Victoria Cloutier , Philip Antoniadis , Ruth Singh , Thiago Lacerda , "nilanjana_majumdar@symantec.com" , "Sarah Mellor (CS)" , Valerie Tsai , Deepika Chauhan , Angelique Pereira , Rachel Yokum , Charlotte Pommier , Ramana Murthy Subject: Netcraft Secure Server Survey July 2016 Thread-Topic: Netcraft Secure Server Survey July 2016 Thread-Index: AQHR2Gyx9zLTgub6x0+o9UQReuXgqQ== Date: Thu, 7 Jul 2016 16:27:35 +0000 Message-ID: <20160707162736.1484C50227@girvan.netcraft.com> Reply-To: "ssl-survey@netcraft.com" Content-Language: en-US X-MS-Exchange-Organization-AuthSource: TUS1XCHHUBPIN02.SYMC.SYMANTEC.COM X-MS-Has-Attach: yes X-MS-Exchange-Organization-Network-Message-Id: 7d68324c-c76c-4a43-871d-08d3a683d0b1 X-MS-TNEF-Correlator: x-organizationheaderspreserved: ASBXCHMBXWPI01.SYMC.SYMANTEC.COM x-auditid: d80ac3ef-f797e6d000000c84-da-577e830003e9 x-env-sender: jmr@netcraft.com x-msg-ref: server-15.tower-130.messagelabs.com!1467908857!40942893!1 x-originating-ip: [194.72.238.7] x-spamreason: No, hits=2.5 required=7.0 tests=ratty_date: Non-RFC but legit format in Thu, 7 Jul 2016 16:27:35 UT,ADVANCE_FEE_1, BODY_RANDOM_LONG,HTML_20_30,HTML_MESSAGE,HTML_TINY_FONT x-starscan-received: x-starscan-version: 8.46; banners=-,-,- x-viruschecked: Checked x-brightmail-tracker: H4sIAAAAAAAAA2VTf0wbdRzt9370bgvVW9nka3FRisbpBKnuj08 yMOqmYc74I3FhMTF6bDfa2R94VyZuOmGg2yAOxoiGsjCkg9UKMSxuI6QO6KK0dMkITKdg10HA MJgdHZuBjop3FgZk/717733fe9/kviypHWB0rFBoF0Qrb9arV1Le7DCTFjuwPyfDE0Tg/L2Ig Xr3LANjngYCXBUMNAYJqBGgdaaeAp9zFEFD9CO4fEuA6yeKEURaz6khGInQcLn/MAUNA19SMB YLkzDqCBPQ3DaMoKmzAcFfv/gReG5eo6Eu5iGgu2c7TA5NMdB/ZApBR91ZGip+KqfBf03mrsR 8DPRNjhJwu3cEwZGWagbO330bhme7KKg8dRjB94EbNISOp0K0dBscdUUp+CLspaE49DcDwQ4/ Ax2HAiQcrLrLwFRgExy4Km/557vT9IvPZrddqibfQu/SJmuurfAD2nizsgzl/9lJFE5P99JFq P0bogytYLVcHcLe5pcUjLlncOT6LF2GVsr8eYTLz9XOf5QQOHLxjDp+QsTDrluUgkkuBfdeLZ rHr+Pbg7+RCtZwq7C/ZoSKp2bhOyUnZZ5lKdlf3LRBodXcOuwpbVYr+au54EP4aG0vrQiJXAa O1reT8a4UfKn05//5B7kdeDBYguL5G/HFKjdRiTjHkhmOJTMcS2Y45GqSS8an/mXjcA0+GNt7 /0mMu8bGyOW8Ys/GzkDW8sDFezkW77WsRwlZj5u+nZgPTMJX3HPkfRYDjnWNqBc6q8uHmAX75 IVaoh4lutE6SRD3CGKa4fn0XNGUZ7RbeJM5zWB4Lt0iSBKfJ5j5XCl9h81yGsn/+ecqFWpD3Y HNXvQwS+jXaB57c3+O9oFc285PjLxkfF8sMAuSFz3Csnqs2V4sa6tEIU8o3GUyy49lQcZsgn6 1Zrcia6R83iKZ8uJSD0pj246FWggtZbVZBV2SZoti4hSTscB6L2LhyfWhtbpEDVKpVNqEfEG0 mOzL9XGUxCJ9omaXkpJgstrvNY3LIwh5xMzmfcoIO78o6YrQG1sLZvdc4F/2p7Jnxp+qafx0d 3L7q8c7T7JDndGPHx/cO86G/ghvcs18+HVri9P96EDPC9M/unKeKO32pWxNFm68ljnUv+LYV5 lV72yjdFm/TsQiW6onMmyfje6c24grfsjqm4tyJzaEzjqbfevfq3ulcaC1Jn1tcN+Th1y+rju p1swMPSUZecPTpCjx/wEgmaXZbQQAAA== x-ms-exchange-crosstenant-fromentityheader: HybridOnPrem x-ms-exchange-crosstenant-originalarrivaltime: 07 Jul 2016 16:29:04.8312 (UTC) x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BLUPR16MB0147; x-ms-exchange-transport-crosstenantheadersstamped: BLUPR16MB0147 x-exchange-antispam-report-cfa-test: =?utf-8?b?QkNMOjA7UENMOjA7UlVMRUlEOigx?= =?utf-8?q?02415321=29=28601004=29=282401047=29=2813016025=29=2813018025=29?= =?utf-8?q?=288121501046=29=2810201501046=29=283002001=29=3BSRVR=3ABLUPR16MB?= =?utf-8?q?0147=3BBCL=3A0=3BPCL=3A0=3BRULEID=3A=3BSRVR=3ABLUPR16MB0147=3B?= x-exchange-antispam-report-test: =?utf-8?q?UriScan=3A=2860795455431006=29?= =?utf-8?q?=28158342451672863=29=28148322886591682=29=2820558992708506=29=28?= =?utf-8?q?278428928389397=29=2823117731428927=29=28166708455590820=29=28192?= =?utf-8?q?374486261705=29=2831418570063057=29=28127066067092435=29=3B?= x-forefront-antispam-report: =?utf-8?b?Q0lQOjE1NS42NC4xMzguMzE7SVBWOk5MSTtD?= =?utf-8?b?VFJZOlVTO0VGVjpOTEk7U0ZWOlNGRTtTRlM6O0RJUjpJTkI7U0ZQOjtTQ0w6MDtT?= =?utf-8?q?RVR=3ABLUPR16MB0147=3BH=3AASBXCHMBXWPI01=2ESYMC=2ESYMANTEC=2ECOM?= =?utf-8?b?O0ZQUjo7U1BGOk5vbmU7TEFORzplbjs7U0tJUDoxOw==?= x-originatororg: symc.onmicrosoft.com received-spf: Neutral (protection.outlook.com: 155.64.138.31 is neither permitted nor denied by domain of netcraft.com) x-ms-exchange-crosstenant-originalattributedtenantconnectingip: =?utf-8?q?T?= =?utf-8?q?enantId=3D3b217a9b-6c58-428b-b022-5ad741ce2016=3BIp=3D=5B155=2E64?= =?utf-8?q?=2E138=2E31=5D=3BHelo=3D=5BASBXCHMBXWPI01=2ESYMC=2ESYMANTEC=2ECOM?= =?utf-8?q?=5D?= x-eopattributedmessage: 0 x-ms-exchange-crosstenant-id: 3b217a9b-6c58-428b-b022-5ad741ce2016 x-virus-scanned: amavisd-new at netcraft.com x-crosspremisesheaderspromoted: CO1NAM03FT052.eop-NAM03.prod.protection.outlook.com x-crosspremisesheadersfiltered: CO1NAM03FT052.eop-NAM03.prod.protection.outlook.com authentication-results: spf=neutral (sender IP is 155.64.138.31) smtp.mailfrom=netcraft.com; symc.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;symc.mail.onmicrosoft.com; dmarc=fail action=none header.from=netcraft.com;symantec.com; dkim=none (message not signed) header.d=none; X-Microsoft-Exchange-Diagnostics: =?utf-8?q?1=3BSN1PR16MB0208=3B9=3ABIaMgil?= =?utf-8?q?JO6ufgE3/uBmy0fa8bNN8mfP+YkOhmv3Zeih87IuXgq4NAGMsG4nSFGSoCUxxdDOC?= =?utf-8?q?1bHSre+PH7oKcHswcCaye1XR8Vuwq0lpwQKec8o5LZpaKwIiN3PKKQkiz6da7SNU5?= =?utf-8?q?C6j159A+OTpxC70MJVZhF6zMn3bh4kihbIL0101krmMwYjbDy0GwPgASLo4P2Fy+B?= =?utf-8?q?6xOZj2FwOjw2qUyYSYUoWZdrRQPr0LRaQ=3D?= Content-Type: multipart/related; boundary="_004_201607071627361484C50227girvannetcraftcom_"; type="multipart/alternative" MIME-Version: 1.0 --_004_201607071627361484C50227girvannetcraftcom_ X-Microsoft-Exchange-Diagnostics: =?utf-8?q?1=3BSN1PR16MB0208=3B9=3ABIaMgil?= =?utf-8?q?JO6ufgE3/uBmy0fa8bNN8mfP+YkOhmv3Zeih87IuXgq4NAGMsG4nSFGSoCUxxdDOC?= =?utf-8?q?1bHSre+PH7oKcHswcCaye1XR8Vuwq0lpwQKec8o5LZpaKwIiN3PKKQkiz6da7SNU5?= =?utf-8?q?C6j159A+OTpxC70MJVZhF6zMn3bh4kihbIL0101krmMwYjbDy0GwPgASLo4P2Fy+B?= =?utf-8?q?6xOZj2FwOjw2qUyYSYUoWZdrRQPr0LRaQ=3D?= Content-Type: multipart/alternative; boundary="_000_201607071627361484C50227girvannetcraftcom_" --_000_201607071627361484C50227girvannetcraftcom_ X-Microsoft-Exchange-Diagnostics: =?utf-8?q?1=3BSN1PR16MB0208=3B9=3ABIaMgil?= =?utf-8?q?JO6ufgE3/uBmy0fa8bNN8mfP+YkOhmv3Zeih87IuXgq4NAGMsG4nSFGSoCUxxdDOC?= =?utf-8?q?1bHSre+PH7oKcHswcCaye1XR8Vuwq0lpwQKec8o5LZpaKwIiN3PKKQkiz6da7SNU5?= =?utf-8?q?C6j159A+OTpxC70MJVZhF6zMn3bh4kihbIL0101krmMwYjbDy0GwPgASLo4P2Fy+B?= =?utf-8?q?6xOZj2FwOjw2qUyYSYUoWZdrRQPr0LRaQ=3D?= Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: quoted-printable Follow us on Twitter & Facebook Netcraft Secure Server Survey July 2016 The Netcraft Secure Server Survey for July 2016 is now available. You can find the data to which you subscribe at: * https://ssl.netcraft.com/surveys/analysis/https/2016/Jul/ * https://ssl.netcraft.com/clients/iug3ore/symantec//Jul2016domain.cs= v.gz * https://ssl.netcraft.com/clients/iug3ore/symantec//Jul2016.csv.gz July 2016 Highlights July Trends Netcraft's July 2016 SSL Server Survey found 5,516,471 distinct valid third= -party certificates, representing a monthly gain of 188,016 (+3.5= %). Let's Encrypt gained a further 120,000 certificates in July, making up 64% = of the total increase across all certificate authorities this month. This g= ain was enough to push Let's Encrypt into third place, with a total of 770,= 000 certificates. GoDaddy has fallen to fourth place after losing 4,900 certificates since la= st month, and now has a market share of 13.52%. GoDaddy remains significant= ly ahead of fifth-placed GlobalSign, leading by 406,000 certificates and 7.= 35 percentage points of market share. Comodo also grew significantly this month, increasing its total count of ce= rtificates by 56,000. Much of this growth can be attributed to its Western = Digital and cPanel, Inc. sub-CAs . Due to the sheer volume of Let's Encrypt= 's growth, Comodo lost a very small amount of market share, dropping to 30.= 52%, despite having the second-largest absolute gain of certificates. GlobalSign lost 4,900 certificates as 12,000 Shopify, Inc. web stores repla= ced GlobalSign certificates with ones issued by Let's Encrypt. Within the DV market, Let's Encrypt now has slightly more than half as many= DV certificates as the first-placed Comodo. Although Symantec only took se= cond place in the DV market from GoDaddy last month, it has now been relega= ted to third place despite gaining 6,000 certificates and increasing its le= ad over GoDaddy to 25,000. The DV market has seen significant change over the past 12 months: In the J= uly 2015 survey GoDaddy was the largest issuer of DV certificates with a ma= rket share of 30.5% followed closely by Symantec and Comodo, and there were= no Let's Encrypt certificates. There are now 1.8 million more DV certifica= tes (+73.2%) with a majority of this growth focused in just two CAs: Comodo= (+871,000) and Let's Encrypt (+770,000). The Extended Validation market once again saw Comodo gain the most certific= ates with an increase of 494. Almost all of the top ten EV certificate issu= ers gained certificates this month with Network Solutions being the lone ex= ception, losing 23. Symantec maintains its dominant market position at 48.4= % market share. Symantec continues to achieve the most estimated monthly revenue (using lis= t prices) from its certificates; it issued 87,000 certificates in March to g= ive estimated monthly revenue of $28.9 million. Comodo issued more than twi= ce as many certificates, 205,000, yet has significantly smaller estimated r= evenue of $18.9 million. A majority of Symantec's revenue is derived from t= he much more expensive Organisation Validated and Extended Validation certi= ficates, markets in which Comodo plays a smaller part. Comodo abandons attempt to trademark "Let's Encrypt" In October 2015 Comodo filed three trademark applications for "Let's Encryp= t", "Comodo Let's Encrypt" and "Let's Encrypt with Comodo". All three appli= cations were abandoned on June 24th 2016 after Let's Encrypt publicly plead= ed for Comodo= to abandon its trademark application. Let's Encrypt claimed its lawyers ha= d been requesting Comodo drop its applications since March 2016 without suc= cess. After Let's Encrypt's blog post was published, Comodo's CEO engaged with co= mmentators on Comodo's forum alleging that Let's Encrypt had copied Comodo's 90-day certif= icate business model. Later in the same thread, Robin Alden confirmed that = Comodo was intending to let the trademark application lapse and had no inte= ntion of pursuing them after Let's Encrypt became operational. He explained= that "Josh [Aas, the ISRG Executive Director] was wrong when he said we'd = 'refused to abandon our applications'. We just hadn't told LE we would leav= e them to lapse." Let's Encrypt was officially announced in November 2014, almost a year befo= re Comodo's trademark application. It issued its first certificate in Septe= mber 2015, before it launched in April 2016 after a short public beta perio= d. ChaCha20-Poly1305 Cipher Suites RFC 7905, published in June 2016, spec= ifies seven new cipher suites for TLS that combine the ChaCha20 variant of = the ChaCha stream cipher with the Poly1305 one-time authenticator method. T= he new cipher suites provide a replacement to the RC4 stream cipher which w= as prohibited for TLS in February 2015= on the grounds that it no longer provided a sufficient level of security. Both ChaCha20 and Poly1305 are designed with high performance in mind and t= he combination of the two is reportedly comparable to RC4 in speed. ChaCha20-Poly1305 isn't new; a draft specification written by Google was published in N= ovember 2013 which proposed three cipher suites. The Chrome browser has con= tained support for this older version of the specification since November 2= 013 and CloudFlare began using it in February 2015. Some changes have been = made over the course of the standardisation process which has now been comp= leted and the RFC approved. Apple updates App Transport Security Apple announced at its Worldwide Developer Conference (WWDC) [slides] that all App Store apps will be required to use App T= ransport Security from the start of 2017. ATS is designed to improve the se= curity of apps by specifying minimum requirements for the HTTP connect= ions that they make. ATS requires that all connections are HTTPS over TLS 1.2, that the cipher s= uite must support forward secrecy, and that the certificate must be signed = using the SHA-2 hashing algorithm. ATS was introduced with iOS 9 in September 2015 and is enabled by default a= lthough it is currently possible to specify that ATS should be disabled for= connections to certain domains or disabled globally. After the end of 2016= , exceptions to the fundamental aspects of ATS will only be granted to Apps= with valid justification =C3=A2=C2=80=C2=93 for example if you must commun= icate with a third-party service that you cannot control. Other exceptions,= such as the requirement for perfect forward secrecy may be automatically a= pproved. Apple also announced the introduction of support for Certificate T= ransparency. In order to enforce CT, the developer must specify a list of d= omains for which to require CT, and in order for the check to pass Apple re= quire proofs from at least two CT logs. StartCom launch and then retract StartEncrypt On 6th June, StartCom announced StartEncrypt, a product designed to automatically acquire and in= stall certificates using its StartAPI. On the 4th July, StartCom announced<= https://www.startssl.com/NewsDetails?date=3D20160606> that StartEncrypt wou= ld be replaced with a new protocol based on ACME. ACME is undergoing IETF s= tandardisation after being first used by Let's Encrypt. StartAPI was launched at the end of April 2016 and allowed users to program= matically acquire certificates as well as complete the validation processes= required to prove domain ownership. StartEncrypt was the official client a= pplication which was released just over a month later. The proprietary soft= ware can be used to obtain any class of certificate and install it automati= cally both on Windows and Linux servers. A number of serious issues have already been discovered since the release of the= initial version of the StartEncrypt client, these allowed a user to gain v= alid SSL certificates by tampering with the URL used to verify control of a= domain. StartCom was quick to respond to this issue, taking the API offlin= e on the same day that the issue was disclosed and issuing an updated clien= t less than a week later. The issues lay with the way in which ownership of the domain was verified. = In order to prove domain ownership the user must upload a file to a specifi= ed path on the domain, but the path used could be specified by the user, th= e check also followed redirects and didn't verify the file type of the resp= onse it received. Combined these issues led to users being able to acquire = a valid certificate for any website that allowed file uploading or containe= d an open redirect, examples include sites such as Dropbox, GitHub, Faceboo= k, PayPal and Google. While the vulnerability was demonstrated with a proof= of concept, there is no evidence that the API was mis-used or certificates= issued for domains which the applicant did not control. Another bug in the St= artEncrypt system meant that certificates issued using the program were not= logged to Certificate Transparency servers. StartCom had stated that all o= f its SSL certificates would be published to CT logs as of 23rd March. Let's Encrypt leak user email addresses On the 11th June an automated email script designed to alert users of an up= date to Let's Encrypt's subscriber agreement accidentally also leaked the e= mail addresses of 7,617 users. The script prepended the email addresses of = the users it had already emailed to the beginning of the message. Let's Encrypt were alerted to the mistake 33 minutes after the emails began= to send and subsequently stopped the script after it had sent 7,618 emails= , 1.9% of the total it was expected to send. An initial statement by Josh Aas the Executive Di= rector of ISRG was published less than two hours after the incident origina= lly occurred with a longer analysis following on the 14th June. Symantec acquire Blue Coat Symantec has agreed to acquire the market leading web security company Blue= Coat for $4.65 billion. The deal will see Blue Coat CEO Greg Clar= k appointed as the new CEO of Symantec, the post is currently vacant follow= ing Mike Brown's departure in April. The acquisition will boost Symantec's enterprise security offerings and is = expected to mean that 62% of the company's revenue will be derived from the ent= erprise security market. Blue Coat and Symantec recently made headlines after Symantec issued an intermediate CA c= ertificate for Blue Coat Public Services. Blue Coat creates security system= s that include the capability to man-in-the-middle encrypted traffic, desig= ned for use in corporate networks. Some reports of the use of Blue Coat sys= tems by foreign governments have prompted criticism, although Blue Coat has= consistently denied having any direct involvement. The existence of the sub-CA was incorrectly reported as allowing Blue Coat = the ability to create trusted certificates for arbitrary domains; however, = Symantec confirmed that "private keys for the Blue Coat Interm= ediate CA were in Symantec's control at all times" and "the only certificat= es that could be issued from this Intermediate CA were limited solely to on= es for the bluecoat.com domain.". Other News * Microsoft update cipher suites for IE and Edge. * Mozilla adding support for reading from Windows Cert Stores to Firefox. * GitHub Pages officially support HTTPS and new sites enforce it. * Amazon is now HTTPS site wide. * UK government updates security guidelines= to enforce HTTPS, HSTS and DMARC by October 2016. * Microsoft Edge adds support for TLS False Start and TCP Fast Open. Copyright =A9 Netcraft 2016. All Rights Reserved. --_000_201607071627361484C50227girvannetcraftcom_ X-Microsoft-Exchange-Diagnostics: =?utf-8?q?1=3BSN1PR16MB0208=3B9=3ABIaMgil?= =?utf-8?q?JO6ufgE3/uBmy0fa8bNN8mfP+YkOhmv3Zeih87IuXgq4NAGMsG4nSFGSoCUxxdDOC?= =?utf-8?q?1bHSre+PH7oKcHswcCaye1XR8Vuwq0lpwQKec8o5LZpaKwIiN3PKKQkiz6da7SNU5?= =?utf-8?q?C6j159A+OTpxC70MJVZhF6zMn3bh4kihbIL0101krmMwYjbDy0GwPgASLo4P2Fy+B?= =?utf-8?q?6xOZj2FwOjw2qUyYSYUoWZdrRQPr0LRaQ=3D?= Content-Type: text/html; charset="Windows-1252" Content-Transfer-Encoding: quoted-printable Netcraft Secure Server Survey July 2016
Follow us on Twitter & Facebook
3D"Netcraft=

Netcraft Secure Serve= r Survey July 2016

The Netcraft Secure Server Survey for July 2016 is now available.

You can find the data to which you subscribe at:

  • https://ssl.netcraft.com/surveys/analysis/https/2016/Jul/
  • https= ://ssl.netcraft.com/clients/iug3ore/symantec//Jul2016domain.csv.gz
  • = https://ssl.netcraft.com/clients/iug3ore/symantec//Jul2016.csv.gz

July 2016 Highlights

July Trends

Netcraft's July 2016 SSL Server Survey found 5,516,471 distinct valid third-party certificates, representing a monthly gain of 188,016 = (+3.5%).

Let's Encrypt gained a further 120,000 certificates in July, making up 6= 4% of the total increase across all certificate authorities this month. Thi= s gain was enough to push Let's Encrypt into third place, with a total of 7= 70,000 certificates.

GoDaddy has fallen to fourth place after losing 4,900 certificates since= last month, and now has a market share of 13.52%. GoDaddy remains signific= antly ahead of fifth-placed GlobalSign, leading by 406,000 certificates and= 7.35 percentage points of market share.

Comodo also grew significantly this month, increasing its total count of= certificates by 56,000. Much of this growth can be attributed to its Weste= rn Digital and cPanel, Inc. sub-CAs . Due to the sheer volume of Let's Encr= ypt's growth, Comodo lost a very small amount of market share, dropping to 30.52%, despite having the secon= d-largest absolute gain of certificates.

GlobalSign lost 4,900 certificates as 12,000 Shopify, Inc. web stores re= placed GlobalSign certificates with ones issued by Let's Encrypt.

Within the DV market, Let's Encrypt now has slightly more than half as m= any DV certificates as the first-placed Comodo. Although Symantec only took= second place in the DV market from GoDaddy last month, it has now been rel= egated to third place despite gaining 6,000 certificates and increasing its lead over GoDaddy to 25,000.

The DV market has seen significant change over the past 12 months: In th= e July 2015 survey GoDaddy was the largest issuer of DV certificates with a= market share of 30.5% followed closely by Symantec and Comodo, and there w= ere no Let's Encrypt certificates. There are now 1.8 million more DV certificates (+73.2%) with a majorit= y of this growth focused in just two CAs: Comodo (+871,000) and Let's E= ncrypt (+770,000).

The Extended Validation market once again saw Comodo gain the most certi= ficates with an increase of 494. Almost all of the top ten EV certificate i= ssuers gained certificates this month with Network Solutions being the lone= exception, losing 23. Symantec maintains its dominant market position at 48.4% market share.

Symantec continues to achieve the most estimated monthly revenue (using list prices) from its certificates; it issued 87,000 certific= ates in March to give estimated monthly revenue of $28.9 million. Comodo issued more than twice as many certificat= es, 205,000, yet has significantly smaller estimated revenue of $18.9 milli= on. A majority of Symantec's revenue is derived from the much more expensiv= e Organisation Validated and Extended Validation certificates, markets in which Comodo plays a smaller part.

Comodo abandons attempt to trademark "Let's Encrypt"

In October 2015 Comodo filed three trademark applications for "Let'= s Encrypt", "Comodo Let's Encrypt" and "Let's Encrypt w= ith Comodo". All three applications were abandoned on June 24th 2016 a= fter Let's Encrypt pu= blicly pleaded for Comodo to abandon its trademark application. Let's E= ncrypt claimed its lawyers had been requesting Comodo drop its applications= since March 2016 without success.

After Let's Encrypt's blog post was published, Comodo's CEO engaged with= commentators on Comodo's forum alleging that Let's Encrypt had copied Comodo's 90-day c= ertificate business model. Later in the same thread, Robin Alden confirmed = that Comodo was intending to let the trademark application lapse and had no= intention of pursuing them after Let's Encrypt became operational. He explained that "Josh [Aas, the I= SRG Executive Director] was wrong when he said we'd 'refused to abandon our= applications'. We just hadn't told LE we would leave them to lapse."

Let's Encrypt was officially announced in November 2014, almost a year b= efore Comodo's trademark application. It issued its first certificate in Se= ptember 2015, before it launched in April 2016 after a short public beta pe= riod.

ChaCha20-Poly1305 Cipher Suites

RFC 7905, published = in June 2016, specifies seven new cipher suites for TLS that combine the Ch= aCha20 variant of the ChaCha stream cipher with the Poly1305 one-time authe= nticator method. The new cipher suites provide a replacement to the RC4 stream cipher which was prohibited for TLS in February 2015 on the grounds that it no longer pr= ovided a sufficient level of security.

Both ChaCha20 and Poly1305 are designed with high performance in mind an= d the combination of the two is reportedly comparable to RC4 in speed.

ChaCha20-Poly1305 isn't new; a draft specification written by Google was published in November 2013 wh= ich proposed three cipher suites. The Chrome browser has contained support = for this older version of the specification since November 2013 and CloudFl= are began using it in February 2015. Some changes have been made over the course of the standardisation process= which has now been completed and the RFC approved.

Apple updates App Transport Security

Apple announced at its Worldwide Developer Conference (WWDC) [slides] that all App Store apps will be required to use App Transport = Security from the start of 2017. ATS is designed to improve the security of= apps by specifying minimum requirements for the HTTP connections that they make.

ATS requires that all connections are HTTPS over TLS 1.2, that the ciphe= r suite must support forward secrecy, and that the certificate must be sign= ed using the SHA-2 hashing algorithm.

ATS was introduced with iOS 9 in September 2015 and is enabled by defaul= t although it is currently possible to specify that ATS should be disabled = for connections to certain domains or disabled globally. After the end of 2= 016, exceptions to the fundamental aspects of ATS will only be granted to Apps with valid justification =C3= =A2=C2=80=C2=93 for example if you must communicate with a third-party serv= ice that you cannot control. Other exceptions, such as the requirement for = perfect forward secrecy may be automatically approved. Apple also announced the introduction of support for Certificate Transpare= ncy. In order to enforce CT, the developer must specify a list of domains f= or which to require CT, and in order for the check to pass Apple require pr= oofs from at least two CT logs.

StartCom launch and then retract StartEncrypt

On 6th June, StartCom announced StartEncrypt, a product designed to automatically acquire and= install certificates using its StartAPI. On the 4th July, StartCom a= nnounced that StartEncrypt would be replaced with a new protocol based = on ACME. ACME is undergoing IETF standardisation after being first used by = Let's Encrypt.

StartAPI was launched at the end of April 2016 and allowed users to prog= rammatically acquire certificates as well as complete the validation proces= ses required to prove domain ownership. StartEncrypt was the official clien= t application which was released just over a month later. The proprietary software can be used to obtain an= y class of certificate and install it automatically both on Windows and Lin= ux servers.

A number of serious issues have already been discovered since the release of the in= itial version of the StartEncrypt client, these allowed a user to gain vali= d SSL certificates by tampering with the URL used to verify control of a do= main. StartCom was quick to respond to this issue, taking the API offline on the same day that the issue was d= isclosed and issuing an updated client less than a week later.

The issues lay with the way in which ownership of the domain was verifie= d. In order to prove domain ownership the user must upload a file to a spec= ified path on the domain, but the path used could be specified by the user,= the check also followed redirects and didn't verify the file type of the response it received. Combined thes= e issues led to users being able to acquire a valid certificate for any web= site that allowed file uploading or contained an open redirect, examples in= clude sites such as Dropbox, GitHub, Facebook, PayPal and Google. While the vulnerability was demonstrated with= a proof of concept, there is no evidence that the API was mis-used or cert= ificates issued for domains which the applicant did not control.

Another= bug in the StartEncrypt system meant that certificates issued using th= e program were not logged to Certificate Transparency servers. StartCom had= stated that all of its SSL certificates would be published to CT logs as of 23rd March.

Let's Encrypt leak user email addresses

On the 11th June an automated email script designed to alert users of an= update to Let's Encrypt's subscriber agreement accidentally also leaked th= e email addresses of 7,617 users. The script prepended the email addresses = of the users it had already emailed to the beginning of the message.

Let's Encrypt were alerted to the mistake 33 minutes after the emails be= gan to send and subsequently stopped the script after it had sent 7,618 ema= ils, 1.9% of the total it was expected to send.

An initial statement by Josh Aas the Executive Director of ISRG was publis= hed less than two hours after the incident originally occurred with a longer analysis following on the 14th June.

Symantec acquire Blue Coat

Symantec has agreed to acquire the market leading web security company <= a href=3D"https://www.symantec.com/en/uk/about/newsroom/press-releases/2016= /symantec_0612_01"> Blue Coat for $4.65 billion. The deal will see Blue Coat CEO Greg Clark= appointed as the new CEO of Symantec, the post is currently vacant followi= ng Mike Brown's departure in April.

The acquisition will boost Symantec's enterprise security offerings and = is expected to mean that 62% of the company's revenue will be derived from the enterprise= security market.

Blue Coat and Symantec recently made headlines after Symantec issued an intermediate CA certificate for= Blue Coat Public Services. Blue Coat creates security systems that include= the capability to man-in-the-middle encrypted traffic, designed for use in= corporate networks. Some reports of the use of Blue Coat systems by foreign governments have prompted criti= cism, although Blue Coat has consistently denied having any direct involvem= ent.

The existence of the sub-CA was incorrectly reported as allowing Blue Co= at the ability to create trusted certificates for arbitrary domains; howeve= r, Symantec confirmed that "private keys for the Blue Coat Intermedia= te CA were in Symantec's control at all times" and "the only cert= ificates that could be issued from this Intermediate CA were limited solely= to ones for the bluecoat.com domain.".

Other News
Copyright =A9 Netcraft 2016. All Rights Reserved.
--_000_201607071627361484C50227girvannetcraftcom_-- --_004_201607071627361484C50227girvannetcraftcom_ X-Microsoft-Exchange-Diagnostics: =?utf-8?q?1=3BSN1PR16MB0208=3B9=3ABIaMgil?= =?utf-8?q?JO6ufgE3/uBmy0fa8bNN8mfP+YkOhmv3Zeih87IuXgq4NAGMsG4nSFGSoCUxxdDOC?= =?utf-8?q?1bHSre+PH7oKcHswcCaye1XR8Vuwq0lpwQKec8o5LZpaKwIiN3PKKQkiz6da7SNU5?= =?utf-8?q?C6j159A+OTpxC70MJVZhF6zMn3bh4kihbIL0101krmMwYjbDy0GwPgASLo4P2Fy+B?= =?utf-8?q?6xOZj2FwOjw2qUyYSYUoWZdrRQPr0LRaQ=3D?= Content-Type: image/png; name="ATT00001.png" Content-Description: ATT00001.png Content-Disposition: inline; filename="ATT00001.png"; size=7175; creation-date="Thu, 07 Jul 2016 16:29:11 GMT"; modification-date="Thu, 07 Jul 2016 16:29:11 GMT" Content-ID: <146790885556360@girvan.netcraft.com> Content-Transfer-Encoding: base64 iVBORw0KGgoAAAANSUhEUgAAAKUAAAAwCAYAAABwgLoqAAAABmJLR0QA/wD/AP+gvaeTAAAACXBI WXMAAC4jAAAuIwF4pT92AAAAB3RJTUUH3QEIDjkDB7NVBAAAG5RJREFUeNrtnHuYJXV55z/fX9U5 ffp098z0XJi7DM4MV4GAQVEiKIqXKAoGgbBJ1CTuPmx8sqsumH0gJjFLNqBJ3OwmmqiPJnlMhOgj xkuyaqJMxI0gFwG5DM4ww9yYW0/f+1yqft/9o+qcPj3TosYLiP32U885p07Vqarf71vv+32/71sN C7ZgC7ZgC7ZgC7ZgC7ZgC7ZgC7ZgC7ZgC7ZgC7ZgT61pYQieOdY3vS6xQ+jLB9LU9bSvXVc1rye1 OFDrb9dJYn9WywYn+7Kakrw/9mWDCqo2P3PGW+NPEyjPBq4E8n/n/inwNeCzQPunAVh/vo+Qw6Lx lPq4WDmasOxIwrLRlKGRhIGxwJKxhMqUWNw0zpBwZYhYC8G1ehr7k0pWq1TzelrN6+rL6klfPtDf lw3Ql9fbffnAZCXvVyWvxzSrqRLrjWpWb1Xyuit5P9U44DSr76vG+kya9++qZLWYuu9QmvXvSVwd S1yZUgwj112qxo9qDNIf8RifBlwD+Ae4af4S+L/PBFDG+1mqwGICw+2ExTMJmyYDa8bFurGE1aNi 2REzMJZQS0yaiHqAWgK1ANVgJCC49CYqR1aADI4TdszB08Yt4zYigqdMrBRbeR3Y2ClyAk6NK+UU pbZT8CA2uDyQ1UaexrTKeWjccKtHbe+W9KDtvYJvIh61OXT9paH9dAblTxVNmP4CK5VwapKwNgmc EFJ+hoQ1JKwiYTGRPgsJgkxQJAkiBBVAK18nMTskDsjsDuaAzOMy+4LZL9gvaADTxVGdYlXAA5hq AbI4iJxYsWKio6LBqZUHk9tEHGI7RmPFHDmLirnl3MQc3LZiBAcT2zYyXgxegr0KOM72s4Bh7PMl rQOWYGoS2Q2f8j7Ld8r6GnCH4e7rL1X76QbKjuVA/B4AnD5dgDbyQYng4EAIKQmBoJQBJWxQ4Lkh 5RwFziZwCtDXiQkGYzJMjolEIoH9Mvsxe4OZ7gAumHsFEwFqiehPYFUCS4LYkMC6BE5OzIoE+hIz JKgnUAkwVIxYDlSwXHhMFQcHsIp3xas751Y4WHW2iaizTwDHufui2EC0jMcsJmRPSBoD9gHfBvZg N5DaQIpYLrQe/FKkXxGsvuFT8SDSXcBt4LsN24Hm9ZeE+FSD8qvArUDfk4B2NfD2pwKAo3+0LLGy ftL2sEPsI22vxHGD4VkSm4EzECcAS7vgM5PAhGA3pgnssTkMTBqeEIxjRhBNm1zF9Z2A2CxxRhAr JI4LJgllaA6US/k+oWdd+VnFkiNUnEuM4NzEGWObWDGxGYky+RETk4jrUTGz4oSJ7QKmMTFuR2IV 4nQR5mOMRIwjihnyFIprjMfBeekVlyNWAYMlxKtADcjK14NIB4Gthi2S9penfzJwktAew/YbbvUj wCFg5rpLlD9VoHzfd9lmw48LlPblCe+/dy2t5mq7vTFT66QssK5pPQ9YgbXSFuAWZnciRqpV7qtU CATaSmgqJZAwAhxpRRxhKbASOAU4nsAS0gJJSmYRFhJIO2HbEEI3hDsYdcP5LBgt94A1gKCNETgB R3BEyIpVyxXLwVhK1Y+UEhSRgqSVCkKSpRCkEGUSyw1DojQgJQ5K2iGmQXnSDEpDosriJKaZYpfN RmAqRk3ZzjANiTHQIDBanJOiijFZWl5GwGoiZgRPAIuBSdutTkL84wZl3/ewTf27fL+89KbxScL/ DLCt/HwcsKI/DWHVYKV67pqB4XPX95+4alHY+Plf+dr6Wi2uqVbztWklX6skr6SVGDev5us5zGDd A7QDtBcNUNl2gIF/uAt/fSvJRJPl1ZTFa1ew8viV9D/3JDj3OVDvh3YnRxA8cQAOTQIBE1A5LSQV GF4By54FM61ZTilQB4jqvHoW04EC0O2/hnyKmq4GuwjIlsHuL5x4BGKFBJqPThInW+R5gyxO0c5r pHk/aewjzftI81oYXHQcQ8P9/VmrwaGde0ljP2ms9aV5jTT21RNXSfLq4sQVgpNumiAFFi9fT1// UOGwy8TLkAua4AaoYTgE3i/0CGIr+CHQTtsjgilJ2VMVvv0D7p8AlwO/O0v05wXlfcDF/sQ7hk59 y/v/8KEj0xfOZJGdY82wb7JV/dKOsaH+SqgnoeBRxtiQ2axcpJmvXltfnjsuA62rJFIOlWv+mvqn v0H/+DSMTUMr67nTKrB4AK9aCte/EV1yfnmlVfjwZ4olj6g33ZOg2gfnPg/e8U7oXwUTeXGBHfAl pRftvAYgSSC7G6Z/F/I9oJeUAdEFeqNMQsQqXKvqYuRd36J9/xTq/LmAuxBYuJWx8bKL+Jlfv4rJ vXv5wtt/mySt9Gyr7rbMvQwqtUEu/vU/5cTnvpQ862LVMjKMIN0n2CW7hRgCL7fZhHiZish5D2Kb 7Sdu+FRsXHdp8NMmofg+bDGw4sk2OH6gv3/HG1/+L/zzt866YNXwooeOTAeAaGhkppHl80mnBTFK Q92wSUhpAtsPmjf9Bdz3OORxzo3VnZtmGw6MogOj8IU74fUXlBsJxiZh577i2PPZt3fA/VvhPX8G izZAiN1cZQ6P7HDJJMDMrZDvLJ3h7wMf601fSo9Z3mwEkx9qku2ZftJBbU9MYZmYZ8wcPvw9T0a1 NkjWbswdR1tGSFpmfA7obIOFJoA9knfZ7EGekFTBDEgMlnJT9pMIyt7pdSL13rjObZbXqsvJ/GKC xjJ7JhEDvTv3AqQMmUUOa0iDBCIIHjtg3vShyD0753riSgJpUng7uwBrOyshEXtOshe+5fskFPvl ka4UeO898DcfgauvL0Jz0tEidVTSI2hvg+kvzJIXf64kKhsNeS8wYxeYPlqQC0etiMXBrDh7yiF0 T95x7g2skMz+VJIWJ9obqVSmgGhaMArcKWmP8WGhGVszEjm2ECsQlZLapTfc6kM/CaDMgfjIFb9d Pzw9svJXvvJ3K789MQLgIOltJ5/etnNBtOR25tyr65W8nKDsleuXDS3tT7CilVi7Jpvc+ugIM1kx /C/bVOfMNRUyItE5w0NFHjuTw59+cS4g+1I450S48kVw3qlw3FIYb8A3d8DHvwL/dGcxv/b8yuxg P/zq6+G4ZXDfVvj8FpgsHdjtt8FrfxkWbZybcc9JboDp22H66z0/Ogn8WYQ/Zo6nNCaqyKHneLa1 gyx7+UaSSo3glFRVaMDys0/ENn3DQzznFy8jVR/BFarpAPd99mamjxwCYHjlCZxy7uucJn0CSCp9 DB+3wY5zyInL+2kZaBl4A+iI4DAwInEE2AP6NngraAd4j83o9ZeG/OkIyqz3wwlDKzZ85MI3XQ3e vLw28HOXHn/qye954KuFx1LgPS+4cIK80Yfa7dHJI1oyVB1ArdR5EzC/sHkVv3DqCpPmIs24c98o X9o5xkxWHObKM4Z483mDRYKdtMlDm8mszb2Pm498ddZDJAF+6/XwttcWyUyriEcML4LN6+CyF8Pf /QvsOVxCw8f69cEBePsvw/GnFnzzbe+E9/1V8d0Te2ByHIZ7s27Pes1E4DE49Il5btkvALsirDd2 x0PGDj7mbF7bPMyGd7+Y+tBSKq1+Zu4/wrLNm9BEgmdy+o9bygvf+V+oZHWq+QCDtVXsuONfu6Bc sf5kfv5X36taLXHnGtstlOemJ2gVMcRgSTIVxFLQo2XZeD94EjQGmjKOQhXhFHj6gfJNp7/6rI/e /7nu5zOXP+tl9Urfq4wIyEGhW1xrO/pdd2xZFIjpTN7mqwf3c81pm7nk2avL4CfIjB3lGFGMTLfj LGCA6ZaJTTNtF8JKAlHwj/fnHQ4JwK9fCNe+rsisp5pFiqykAMVMC0IOV70UDk5AzMvvfCzxyLLy tqsUss6sPNXjFXuW3gx85iE4/Jl5Bu0R4NOGt3oWkCpeO2G8Y41to+y84atU+mqoIUa2bOeU//o6 1p3/fCBi57Smp3BuyKEZx4k94TvmGY3GBPKS2RInoEKJ1yw7V6cSmiGNALuMb8f6NPj+6y8NE0+X is4x9skr/mZRouyc1PkbaoEztx3ZvqEXlEGhYhRtyaiDJwGOtv7gW/ekBS2yDXrT10b5oM/SGzat Oioh95PolZr92iIi7nhsjsPmv70GWu1CzumlUO6UnQ2NFiwZmF13NAFutODLd8DWXfDpr8Dffnb2 u3XrYXjJsRyyo2Omgu3v77mifugqexnwjxGuMF5aVriPquJ0rLVrgr1/effsnWB44A8+QUX9rPnZ s3HseNnZ1+/A6zUntcGSiKCICldQVFTJgAlgWugBYBtS+398KobrLw3x6QBKA/zVlZ9ckjh/baL8 NZHsVcFKjSqRGBN6WHTJs0GF0ms6aUl3UPJZtyeAsXbGR7Y9zhs2rSmjSMG7C+B1JI75yvKBbkYQ xcGe+/jE1bB0cLY/YY53O7rpIpZC4zwC2OgE/Mb/LEDdzoptO/aqV8GzN8CIezTLjgwUYGYvPH5L DxV4K7RHofHBcsXnDd+M8JJuabArdx3bGTJ33dTOgxy6aysrzz6DpJeXqqh+zzONmnOfd6pKViHk S4nKwiWoUerGXwK2GwuTfydA/thBeerKs865/qI/urXZHn1FkGpYRQG26/qVlG6oAzqXXzq6MxJz 5Zj+JO2Ozkyec8HK5XzuJS+EPMMJs/qa9eTldvdsWwKhG+KblImijwVkD3fszlHP+65S0/FU87Ql vOJC+M9vgeyoKk5Hok6r8M2b5u4zdAW0VvWAEuDDGZwboRoLRikfE74JQtXQTZFjK9eaV57N5v/0 qmJdjD0eNp/lph1BQd2KOHN1V8XCb5d3g9hn+D3BP1x3iY4A3HCrBeL6S+WnpCHDH3dl5VuOX3pg 4vHuqvXDG1+SO6fnxN1DmehpllIPWqJRRBKmGXG1c94VBR549ZVEt5jOGty8cxvvfM6J5aY6yovp GIB0xlUuxOFebrBuOPDI/mJCdo/AI3vN6ScUwNE8XNEdEGl+MHYE86E6TDUgL2lafw0uvwQWL4KR ODfTDkAaoHEAHvrrHkC+HCpD0B6C5NWQd9jOx3PzO1FsLCqALpdeUA2cvULH33A+/fXFJDOp9nzw Lp9+3RtQGnAzYsVo3C6Dv8EJdkcMwHnMwNOzV60iUqP9iH8DHkNMAOOScpsX3nCrDxQ9AR6XNMN3 6a/9oYPypiu2rDE8/32f/reXnLf50td86u7/1Z2T6FgWxFCBSIXytYNLHR0QYzGquUXFUn/JU7pU esPgIogtguqcsXwYYgNod0N2B0Dq6jSaF1DFiRXfB4kLT0r554dneeV1N8Nf/QasGIZm7Nm3vItq FTg8CQ/vLsqN86r+g/B7V8O/3g2f+FKxbqYBv/VuqAzic1+GejPvIFzth6+/G2I2e+KtnXD4GshC 2crQe4+9t5nHD/VPhtwtywHc5+j+8p6BSsgq6wba1cGhUM3qlef88WVtxkPbWRYt14GG8X4r1oqG DPrtfHEHlFnWnInOH7McMVlRSlQDMV2WiDcaJrAngcNF8u0poQFEE2jdcKvjdZd8Z2/5QwPljVds uRDzCuD5mDNzx8V9ad29obibEc+Or+1OeV8JOsa5OEipIaUEr9Eckh2UlKmwyrS37HZw3uMhhVUC 9Dtxys6pWSSJeNkpKe/7F3FwojijrzwIV38Irr0EXnBqeYjyUErgjq1w4y2wfDG88PTZwnzv9dSq 8LoL4Bd/HvYdhtvvKdYfPAT//Xp04yDxlPOIwSiAk0A6uoPswU8yh2c3HymWee3DbXhXFrzaFWJ0 kYP0nEYes5hlo87z6DzPs8lGM6XWMm5CdMTTKAYTM/BIqKTtdmPmImAYIM9aTcd4oEcgiIgE6Adq tockhpD22z4AHBY6CBwBTdluX39p+NGF7xsvv60i6XLDf5A5GTGAGS+nfqZsYdKc2e/SttJDiuBS 8/P8dexOtnMMk2nFyDn/eHNZ3nBXj0gDfPTnzuLEpf3dEovMMQG9V+otMmh1s/HNxwWuvqDCuz/b 6m73+Xvg3h1wxgY4eyOsXAojk3D3tmLZcwje/Mqeas7cEF6UOBpw/Cb4+HvhFf8RHizaRrxnL3r7 W9F7PgwbnkceMiZrdSbv/hiLJvazeJ6sdz6J3kDi66ZH9TcDD7jt1DAaZ/KLgCUFiXS0fcRyHhXz MlQvQq5GnKK4yHi44KNuZFkzTWv9g90CQn1wOKTh/GLGNA7eh9lleBBpbwFGDgr2g8ZsJiUaQEsm v+67APLfDcqbrrhtqdFVgl8q69C7EYdt1yWtx1SL+dAxA+jZsOdunb/gc0bz0jViB8DzJCvfGDlw 7EVJzORxVjabN+uewypnlzKdShS4+sUpDz6R8YlvzCaKe48Uyxe/WSQlnTJjRwFSyS9iD48s44Ty nKzRYjsZe9atYu8tf8K+57yWK4F1gA8cQG+5DL3jJj52wZvJdz/GwL238tK8YCMkdbT+StyuQwPU FG4LZS3IvwBsLy/4H1pr/US2ykurweRosJu2WbVQJ+XUghXFsjGYLqky7lD+FooVi5GYZ6WyCod2 P/rA+OG9vzN4/HFbY8v7QC0Xd35ejnRE+MnC8w8NlDddsSUtex1fb/siiayUbcdVPIuzuhMhS8em eXQX7DIMF818JUcups9Hp3Q9n4t94Ht5smIW/TrKRYd5OWVZINYcnmmoV8WH3lRl7dIWf/Hl6Ga7 TNIpgJjPo90dHuPhAP+UmycY4sA9j/JLjrwYCO2M9kyT7UDqyFmnbeLC3VtYcuEbYetjxe+2miTv uYY3axhaCRzeRdb57bUX0XzBh8mfyOBIikeBcYhTEON7SHwtdSAw6Sy/cfJg8if1nYYnPJq9qGz5 U7Z/Zmc+3vwYi3TEOaPgfSbORHkfimNWzCKx9dEXvnK059ruAM4BGD+4e9//ufqsLz5Jl9YPbOmT h+ctQaKOWW94rooTSyTdRwHE1xoW9/Q0lPWlwv8N1ZZywvLTSUNR3lg+uIboWQ/W7b2zyvBt+tI+ Tl+xiVSiHTOeNbQCdYW/wJqBxZy9bA39SULosMzuUlQyUomBNJ0FZpcb2Iuric5bO8RoKyMSWT2U EruRX4CaEGZw3orWNKj9J1clvvi5TL/rk7G6/QCrbRa1c0I0qqZQ74PVy+DiFzD55lcx1sp5rQLL GWXRZS+GGMmzSGtogHz1Ml5ETkNixmZm7SpGb/4z2q/5NQb37OMEKDzfH74Zn38V3zrhLG576F95 jiMnLVrPNRW4M7RpKTKTBPIkZbwpmqzhdMRHMSmRj/h9kx9ovm+y0SwG7k/L+Uqaj45//aEXfvJd fH9PmN5TCuBJ2RZofoQ2r9u56fLbZLEEs0TSGuDZ4HoRqvVzwDmYYcvqtoS4K4eonH8qIaWaVgjk pOQ4b+K8Qaric0JGopyKc1K1SZ1TDZHBNCElJyXDsQl5g5SMqtsMBDOUmIrbVMmo0EZkoHZRPAjt ot/HDVltlGSQ5JBkxKSNKhHVYiTNj5BmB6JbRxq0DjtkLSdZy0k7cZJl5ftxkixzEkNfXzZUr8fh HSOctv0AJx6cQq0chgdh3UraJx3PZH8/Y402Y1GMhoRpAkdqQ4ywiBEqTFHhCEeYcM4BUvYTGFfK mE5mfPOz2fjodn4f+MXejjLgFuDvKRqbP/Ad5nFJ2ZpxLnBXKVb/xJqO8oySGHDxVNogeIXNUkmL bF4qcQF4I1alqyS7bLLWUdHTRUBOMIGchEhCTuJIqoyEWWBWVAAwJSNxXoI2K7/PqbpdgLIEZkUZ VdpUyKg4c0WZUrIS5BkkbVCOkwxCNqYk206SPRzTbJeTrBGTXE6zWkyzQYdswElWcZINkGTVmLRX OWkf5yRbTJINOBSgdpJPkOZ7k5SdlSr7KlUOp1X2EjhkmGrkTORiVIHDIWFcgZn+VzDxfc7HIuAq 4HeA3jrpBHAn8DiwExgry3cDwPHACcD/Bj7HM8DSHkknFF0aAtwHqmFNID8P+CWJU2z3S8qL9g+C UCgyCBWlF5VptOaW5nvknFl+2ImW7k1U1XW37qmfWN0kxOXvFDqny/eGCFkQO4zulvUgYgxzWAWX WodYj3mu0ZpSFRjAWgzqKzi+2oadQvtsfQNrN2YX6DFgBDND0R88k7dpNDNaw5fR/CHPx3jpDW8D ri6XlOKpxQt7+oLaZS6VFv1G3X23lAB+ZoBSs7miJY3ZfjniN2WdZrmBySU1DHWp8zy86ZZOZIOy UkYsNSzNbQnolX5KoZoy2bE0T7m4LHfTlRjVEbotbTV6CPNlAndjDRieDfys4WLBBtBAoSIqLQ4g ZA7aehjrYZk7bbaBtgMj4DadtBRHjId/c/qp+JcmDwFvA94LvJFC5Tix00XXFcLL+gLwmdJTTj2j PGXp0urAxcA1SM8W3oW4T2gZYjW4qtmEpoSJ8p4cN3FRlJinm0SdLrtuP1b5bHRXPuyosEUPtfKy l9oRHTB6yHCX0d1ChwybMBdYeqOtm4BqIXnm7YByrEmZb9jcV7zqGyGGx/Xnt4/9hMxNXobr3y+X VRRP46yk6NKeKr9/4CedQ87LKW+8YktdBUm+GDipJM3LSwloyEVCm5aD0Snzhg6l1GxfzDFoDMTy Qb7Y5YtJySVTCn6ZOp9KlY0mZOMpWTMl35E635kq254QR1Lax1XJf7ZC+8yq22srzhZXlc1UnY1U 3D6Skj2SKnswVfZIQvZIUHuPPn7zPhbsJ9NT3nTFlhSzErHSxYPzT0isLe++ewsJiFXAxk5jTtEI 7dJjSk9SXShr3D1lDRRdqP2P2ew3TFtM24xZNEtWcDziFUbPKryz9tjsRzxg9Flgt812i0cys3Pp 33+gvTCVzyBQYirFs2dsF8oR07ZzxEqhGpDbzkFNxIC6jx0d9bBQKU96Nhx3SGIL8U1gK2Jb8Y+V tNzFU4l9oJWGlZbWgVrAfkv3GW7GeszSAcNui5H9Hth70c3v8MK0PcNBabkpNAmcgbmgeMiHPsEO mzGJc0GbJIagKB9yrPzdSZJQ0bZ0H3Cb4dsSA4bTDKfYvMBS3WYx0kHEHouvY/0t4hHQIaMpW2MZ yfRFN/9GXJiinz5TIZZvGTA+E3Sm5AZFwvNrRqfMljqUYhLjsl+xW86bRNyFfTviwbKN5zzBeUab JdeCvSchfywo3pk43p6Q3Zsq358qz1JnWaI8v+rjVy54wAUrQHnTFVsEXgbaAGyyeYvECzAHLKqC 5ZgUUT7B7wxrG+LLpXQRMc9HvKjknUfAW23+DWmL7HuuveWCxxeGesG+H0koKbic66CXIu+39UWJ UwUJ9h6kjvywA7QXsQx8ttGrhR9DeghzPeL+a28+/+GFYV2wHxSUOTix1ZL4f0KnIWolCFtIDXDL 0Ie1RGIGuM3mL8Dbrr3lgoXMd8F++Jzyxstvq0paY3tQIoCWGA+p+J+DYza7gT3vvOX8qYUhW7Af Cyg7duPltyVC9UJX1PQ7bzk/XxiiBVuwBfupt/8PwEP+FurIt9IAAAAASUVORK5CYII= --_004_201607071627361484C50227girvannetcraftcom_--