
499,066 sites with valid third-party certificates were found this month, an increase of 1,515 (0.3 percent) from last month's total of 497,551. All told, 1,963,512 sites were able to respond to an SSL request, with only 27.1% having valid third-party certificates.
The May 17 announcement that VeriSign Inc. will acquire GeoTrust for $125 million alters the competitive landscape of the SSL certificate market. When the deal is finalized later this year, VeriSign certificates will secure more than 70 percent of all SSL-enabled web sites, with no other company above 12 percent. VeriSign certificates secure approximately 45 percent of the SSL-enabled sites on the Internet, while GeoTrust certificates are found on 27 percent, according to Netcraft's SSL Survey.
While VeriSign's purchase reinforces its dominant market share, it is unlikely to alter the broader trends that fueled the growth of GeoTrust. The deal is in many ways an acknowledgement by VeriSign that the SSL market has become segmented, and affordable domain-validated certificates will continue to gain market share. Recent growth trends in the Netcraft SSL Survey suggest that cost is a major decision point for many web site owners, with the bulk of those site owners buying certificates through existing relationships with web hosting companies and domain registrars. Both those trends have been instrumental in the emergence of GeoTrust as the fastest-growing certificate authority.
VeriSign and GeoTrust are the two largest players in the SSL market, but differ in their pricing, sales and validation processes. VeriSign's certificates typically sell for $300 or more, and most are bought directly from VeriSign. Most GeoTrust certificates are sold for between $20 and $50, primarily through resellers such as registrars and hosting providers. More than 94 percent of VeriSign SSL-enabled sites use "organization-validated" certificates that verify the applicant's business details, while 87 percent of GeoTrust's SSL-enabled sites use "domain-validated" certificates that verify only the applicant's control of the domain name.
Early responses from competitors (more on these in a moment) seem to presume that these differences mean VeriSign would change the price and/or validation process for GeoTrust certificates. Details of VeriSign's plans are not likely to emerge before the deal is finalized later this year. But at its Analyst Day presentation on May 25, VeriSign clearly accepted the segmented nature of the SSL market, and gave no indication that it plans to unify pricing and vetting. The strategic rationales for buying GeoTrust were that it "strengthens VeriSign's position in key market segments" and gives the company the "opportunity to optimize a complete brand portfolio across all geographies and customer segments," according to VeriSign's presentation, which also emphasized the value of GeoTrust's reseller network.
VeriSign also indicated it expected to realize "significant expense synergy" from "overlapping capabilities" - euphemisms which historically have not been happy ones for employees of the acquired company.
In the wake of the deal, Entrust issued a press release offering GeoTrust customers "two years for the price of one" if they switch to Entrust certificates before June 30. "By acquiring GeoTrust, VeriSign eliminated one of its major competitors and one of the few alternatives organizations have to VeriSign's high-priced SSL certificates," said Entrust Senior Vice President Kevin Simzer. "Now we are giving former GeoTrust customers a chance to switch to a lower price SSL provider." The one-year price for Entrust certificates is $199, which is lower than VeriSign's pricing but still considerably more than GeoTrust customers are likely to have paid for their certificates.
Much of the recent marketing for The Comodo Group has focused on validation methods, and it held to that pattern in a May 25 press release. "Since most GeoTrust certificates are currently domain validated only without any business authentication, they significantly undermine the efficacy of the padlock icon as a trust indicator," Comodo said in its statement. "With this announcement, Comodo believes that VeriSign, by curtailing the dispersion of non-validated low assurance SSL certificates, can deliver identity assurance for previously unverified eCommerce sites."
In reality, web site owners who have purchased GeoTrust certificates for between $20 and $50 (depending upon the reseller) would be unlikely candidates to renew for $100 to $300 or more without a business rationale - at least not while Go Daddy is selling domain-validated certificates for $19.99 a year.
The challenge for VeriSign is that it was not winning those cost-conscious customers. Over the past year, VeriSign accounted for just 15.8 percent of new SSL-enabled sites, while lower-priced domain-validated certificates accounted for 61.5 percent of those new sites, with GeoTrust and Go Daddy grabbing the lion's share of those sales. With the GeoTrust acquisition, a far larger share of value-oriented SSL buyers will be establishing business relationships with VeriSign, with some becoming candidates for upgrades to pricier SSL certificates, including the new tier of high-assurance certificates.
This is the second time VeriSign has acquired its primary competitor in the SSL certificate market. In December 1999 VeriSign paid $575 million to buy Thawte, a South African company that gained popularity by selling certificates at lower prices. At the time the deal was announced, Thawte had a 38 percent share of all SSL-enabled sites, to 49 percent for VeriSign - meaning the deal gave VeriSign nearly 88 percent market share. While some pundits wonder whether the GeoTrust deal poses anti-trust problems, the approval of the Thawte acquisition would suggest that U.S. regulators are unperturbed by VeriSign having market share of 70 percent or higher.
Even as it was announcing its acquisition, GeoTrust was dominating the growth chart for SSL-enabled sites by certificate authorities in May, gaining 2,086 sites, more than three times the increase seen by Go Daddy, the next-best performer with a gain of 642 sites. Network Solutions continues to gain momentum with an increase of 421 sites, and now has 4,049. Entrust adds 66 sites, while VeriSign (-722) and Comodo (-1,501) lose ground.
On the hosting front, the May 5 announcement that GI Partners would buy both The Planet and EV1Servers appears to have prompted a minor exodus of e-commerce customers at the two dedicated server providers. The Planet loses 123 SSL-enabled sites this month, while EV1Servers has a decline of 72 SSL sites. Both losses are atypical, as The Planet had seen growth in SSL-enabled sites in each of the last 11 months, while EV1Servers added sites in 10 of the previous 11 months. It was a month of unusually subdued growth for SSL adoption at major hosting companies, with no hosting provider gaining more than 55 new SSL-enabled sites. AT&T led with 55, followed by SBC Communication (+50), 1&1 Internet (+48) and Go Daddy (+47).
A monthly analysis of market uptake by validation types is skewed this month by a classification change for a group of existing certificates. About 10K Thawte certificates previously categorized as organization-validated have been reclassified as domain-validated. Thus, domain-validated certificates gain 11,636 sites, while organization-validated certificates decline by 10,121.
Last month we noted that Apache has overtaken Microsoft as the leading developer of secure web servers. Is a similar leadership change likely among operating systems used on SSL sites? Linux is listed as the top operating system with more than 35.9 percent of SSL-enabled sites, placing it ahead of Windows Server 2003 (26.9%) and Windows 2000 (15.68%). In that dataset, "Linux" includes all major Linux distributions (such as Red Hat and SuSE), while Microsoft's OSes are separated out.
A better "apples-to-apples" metric is our operating system group trend watch, which shows that Microsoft continues to hold a substantial lead over Linux with a combined market share of 43.8 percent. Linux has been steadily chipping away at Windows' lead for the past two years, but even if that trend holds true, no leadership change is imminent. Windows currently is found on 218,716 sites, while Linux runs on 179,469 sites - a difference of 39,247 sites. Over the past 12 months, Linux has gained 87.5K SSL-enabled sites to 59.7K for Windows, a difference of 27.8K sites. Thus, if recent growth patterns continue, it will be another 15 to 18 months before Linux closes the gap.
That's a big "if," however, as Windows Server 2003 continues its powerful growth this month with an increase of 2,448 SSL-enabled sites, while growth on Linux slows considerably with an increase of just 528 sites. Many of the gains on Windows Server 2003 appear to be upgrades from Windows 2000, which has a decline of 1,760 sites this month. Microsoft also has a strong showing in our tracking of web servers being used by SSL-enabled sites, as Microsoft IIS gains 552 sites while Apache has an increase of 483.
Free SSL certificates from Israeli certificate authority StartCom will be supported in future releases of Mozilla Foundation products, including the Firefox and Mozilla web browsers and Thunderbird e-mail client. StartCom becomes the first free web server certificate to have its root certificate approved for use with Firefox, the second-most popular browser after Internet Explorer. This means that Firefox users can visit web sites using StartCom SSL web server certificates without triggering any pop-up alerts about the status of the SSL certificate - which in turn makes the certificate much more attractive to web site owners.
StartCom is seeking similar approvals from Microsoft, Opera, the Safari browser for Apple, and the Konqueror browser for the KDE Linux desktop. The Mozilla decision is a milestone for free certificates, but won't take effect immediately. "It should be included in the next official release, that is version 2.0 of Mozilla, Firefox and Thunderbird sometime in August this year," said StartCom's Eddy Nigg. The Mozilla Foundation's Frank Hecker noted that the inclusion date of StartCom is subject to coding schedules on the various Mozilla products. "There's a chance that the StartCom cert might make Firefox 2 but nothing is guaranteed, and it may well slip to a later release," said Hecker.
In the discussion of the StartCom application on Bugzilla, Hecker noted possible reservations about free certificates. "There's an obvious concern about this service being used fraudulently by phishers, and a philosophical issue about whether we should ever approve a no-charge CA that uses automated verification," Hecker wrote, noting that StartCom's process involves sending emails to standard addresses for domains with an authorization code to be "entered" by clicking a link back to the StartCom site. "On the flip side, having to pay to register domain names has proved to not be an obstacle for phishers (especially when you can pay for them with stolen credit cards), and the lowest current prices for SSL certs ($15/year) are comparable to domain name registration fees. So it's not clear that this would worsen the situation from where it already is."
"The pricing policy of StartCom, and the fact that certain products and certificates are provided free of charge, is not relevant to the question (of phishing)," StartCom's Nigg replied. "The validation of certificates is a function of the controls, verification procedures and validation in place, not the cost of the certificate." After additional discussion, Hecker determined that StartCom met the SSL certificate inclusion criteria established by Mozilla, including an audit by an independent third party, which StartCom obtained from the We! Consulting Group, an Israeli PKI solution provider.
The acceptance of StartCom raised questions about the status of CAcert, the other widely-used certificate authority offering free certificates. With its certificates securing 3,821 SSL-enabled sites this month, CAcert has more users than StartCom (1,697 SSL-enabled sites), and has been working for more than two years to have its certificates supported by Firefox.
"The holdup right now has to do with CAcert completing an independent evaluation of their operations," said Hecker, dismissing suggestions that CAcert's approval had been delayed by pressure from commercial CAs. "I'm just asking CAcert to conform to the same policy we require every other CA to conform to, a policy that CAcert representatives had lots of opportunities to comment on and influence."
A lawsuit accusing VeriSign of improper marketing of SSL certificates has been given class action status by a California court, allowing thousands of VeriSign customers to join the proceedings and share in any award. The plaintiff, Southeast Texas Medical Associates LLP (SETMA), alleges that VeriSign overstated the differences between its Secure Site and Secure Site Pro certificate products and their value to businesses conducting e-commerce. The proposed class includes anyone who has bought Secure Site Pro certificates since 2001. The plaintiffs estimated this figure at more than 400,000 potential class members, each of whom would be eligible for more than $500 in damages, placing the theoretical financial risk to VeriSign at more than $200 million.
VeriSign has thus far declined public comment on the lawsuit. The case may have relevance for other SSL providers as well, as it hinges on details of marketing complex technology products to customers who are not experts in Internet security or cryptography. The case highlights the fact that SSL certificates are among the products being closely scrutinized by attorneys seeking to build practices around Internet security litigation. One of the plaintiff's lawyers, Marc Gravely of the Austin firm Gravely & Pearson, L.L.P., says his law firm is now taking aim at Internet security companies "who place profit over the security and personal privacy of businesses consumers." In a press release, Gravely called the California case "almost certainly the first of many more to come given the burgeoning Internet security industry and tremendous growth of online transactions."
The complaint alleges that VeriSign overstated the benefits of its more expensive SSL certificates. "Secure Site and Secure Site Pro provide essentially identical security for communications between businesses and their customers," the lawsuit alleges. "It has only been through its false and misleading advertising that defendants have been able to extract a $546 premium from thousands of businesses throughout the country."
At issue is support for 128-bit SSL sessions and the necessity of Server Gated Cryptography (SGC), which is supported by Secure Site Pro only. SGC is an extension of SSL that was widely used prior to 2000, when the U.S. government placed export controls on 128-bit encryption technology, limiting banks and bank branches outside the U.S. to web servers that supported only 40-bit encryption. Once the export bans were lifted in 2000, subsequent browser releases had the capability to conduct 128-bit SSL sessions without SGC. Standard 1024-bit SSL certificates from most certificate authorities already support up to 256-bit encryption, which is enabled not by the SSL certificate, but the session key negotiated by the web server and browser.
Today, SGC's primary benefit is to provide additional security for Internet users with older browsers (4.x versions of Internet Explorer or Netscape). "Many take for granted that strong encryption (at least 128-bit) is universal today," VeriSign says in its description of Secure Site Pro. "In reality, legacy software issues may expose client systems to weak encryption (40-bit or 56-bit). According to a Yankee Group study, 'the number of people still subject to weak encryption because they are using older versions of Windows and Internet Explorer is in the tens of millions.'"
The lawsuit alleges that VeriSign overstates the number of e-commerce customers using older browsers - and thus overstates the need for the additional $546 cost of an SGC-capable certificate. "VeriSign deceives actual and potential customers into believing that these certificates have different properties when used with the vast majority of Internet users when this is simply not the case," the suit adds.
The motion for class action status was argued April 7 in Santa Clara, Calif. before California Superior Court Judge Kevin Murphy. VeriSign argued that Southeast Texas Medical Associates was "an impermissible puppet plaintiff" for lawyers seeking to target VeriSign. The judge denied that claim, while noting that the "plaintiffs are not overly informed about the theory and dynamics of the litigation."
At the very least, SETMA appears to not be terribly attentive to the use and description of SSL on its own web site at setma.com. Despite its grievances with VeriSign and the dispute over bit-depth, the setma.com web site includes a page that touts its use of VeriSign certificates. "These pages are encrypted using a 128 bit Verisign encryption certificate to ensure the privacy of your heath and financial data," the site notes.
That would be fine - if perhaps a little strange - if the setma.com site actually used a VeriSign certificate. In fact, the site uses an SSL certificate purchased from Entrust, a VeriSign competitor. Thus, even as it sues VeriSign for making false claims about its certificates, SETMA appears to be misleading its web site visitors about its own use of SSL certificates.
SETMA's complaint asserts that the lack of end-user sophistication regarding certificates is a central issue in the case, saying VeriSign succeeded in selling Secure Site Pro certificates "because the matter is so deeply steeped in technology and difficult for any consumer to discover or understand." It remains to be seen, if the case ever proceeds to trial, whether a jury will find the details of SSL certificates and encryption bit depths any easier to sort out.
Cybertrust says its current validation process for SSL certificate applicants already meets the proposed standards for the new tier of high-assurance SSL certificates. "Cybertrust-stated vetting procedures have always been of the highest standards, with the domain name, requester and company verified for each certificate issued by Cybertrust," the company said last month. "These standards are already in accordance with the new High Assurance SSL Certificates standards currently being defined by leading browser vendors, leading Certificate Authorities including Cybertrust, and independent standard bodies."
That validation process was highlighted in a press release noting that Cybertrust had successfully completed its WebTrust audit and has earned the AICPA/CICA WebTrust Certification Authorities Seal for the third year in a row. The American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants (AICPA/CICA) developed the WebTrust Program for Certification Authorities to increase consumer confidence in Internet e-commerce and PKI technology.
"Having Cybertrust achieve the WebTrust Certification Authority standards showcases our commitment to assuring that client data is secure and protected in Cybertrust's operations," said Kerry Bailey, Cybertrust senior vice president of global services. "By auditing our practice to industry standards, our customers can have complete confidence that they are working with a trusted partner with the experience and expertise to align information security to their unique business needs."
Cybertrust identity management solutions help businesses and governments efficiently manage user identities across multiple systems and applications, combining authentication management, single sign-on, access control, user administration and resource provisioning.
The Netcraft Secure Server Survey examines the use of encrypted transactions on the Web through extensive automated exploration of the Internet. Its intent is to provide answers to questions such as:
We anticipate that this analysis will help the certification, server and SSL accelerator industries to identify and understand the user community and their applications.
Netcraft is a British Internet consultancy company. Founded in 1988, it offers a range of services such as Internet Research, World Wide Web Publishing, Network Security, and Contract Systems & Network Management to customers which include Hewlett Packard, IBM, Intel, Microsoft, and Sun Microsystems.
In mid 1995, Netcraft began its Web Server Survey, initially as a capability statement. Each month Netcraft conduct an automated exploration of the Internet, looking for hosts that may be offering http services, and in the last few days of the month, send an http request to each site to discover what server software is being used. The Netcraft Web Server Survey has become the web server industry reference for Internet connected sites. The SSL server survey started in 1996, providing an equivalent monthly snapshot for the use of HTTPS on the Internet.
The use of encrypted transactions on the Internet, and the whole Electronic Commerce spectrum, have been the subject of considerable media attention since early 1995. Since then, electronic commerce and the general use of encrypted transactions on the Internet have grown enormously, although not always steadily. By quantifying the growth, this survey complements media coverage which is sometimes exaggerated: for example, the widely reported slowdown in e-commerce after the bubble of 1999 and 2000 appears in this Survey merely as a reduced rate of growth.
Each of the sites that Netcraft receives a successful response from in the Netcraft Web Server Survey — and a large number of sites which might be offering purely SSL-encrypted services — are queried by the survey. Netcraft uses links from the front pages of websites, retrieved during the web server survey every month, to identify possible SSL sites. Data from the Netcraft Toolbar is also used, as there is no better way of identifying sites than to take those that users actually visit.
An HTTPS request is made to each site. Two requests are made: one using SSL version 3, and one using TLS. A full set of ciphers is offered for maximum coverage. A connection is also made using SSL version 2 for all servers that offered SSL version 2 in the previous 2 months (this keeps old servers only offering version 2 in the survey, without wasting time and causing complaints by trying it for newer servers). SSL responses are decrypted and analysed to produce the material that appears on this site.
The information made available by an https server is more substantial and more interesting than with http servers. The most interesting piece of information available from http servers is the server signature; this can be analysed to give straightforward empirical evidence about the relative popularity of server software on web sites across the Internet. This same information is also available from https servers. Additionally, the contents of the site's X.509 certificate are available, providing details about both the company or organisation owning the site, and the certificate issuer. Furthermore, in most cases the characteristics of the network connection allow us to determine the operating system on which the server is running.
This extends the empirical analysis to include;
The response from an SSL server is a rich nugget of information that facilitates analysis of the evolving landscape of encrypted transactions on the Internet.
Different governments' legislation impacts upon people's ability to make use of encrypted transactions. For several years the early development of the SSL market was significantly affected by the US government's export legislation which, at that time, made it impossible to export software containing effective cryptography from the US. Initially, US vendors had to ship "export grade" versions of their software with weak encryption to overseas markets. US rules have now changed, and make it much easier for US vendors to export to most countries.
Another significant historical feature was the US patent on RSA. RSA is an important and widely used public key encryption algorithm, which was patented in the US, but not elsewhere. This caused some distortions in the uptake of encryption products at the time, but since the patent expired in September 2000, most encryption vendors are now able to use the same RSA code both in the USA and elsewhere.
Internationally, many other jurisdictions have quirks restricting the export, import, sale, or use of https servers. For example, the UK does not currently have any specific laws pertaining to software containing strong cryptography, but advice from the Department of Trade & Industry suggests that SSL servers would fall within the definition of "high technology" and export to a "denied list" of countries, including Iraq & Iran, would be restricted.
Several countries, including Iran, Iraq, Pakistan, and parts of the former Soviet Union have laws restricting the use of cryptographic products. Professional advice would be especially useful if considering operating in these jurisdictions.
In the first Secure Server Survey in November 1996 we found 3,239 sites which responded to our SSL request with a certificate valid for the site name we used. The number of distinct SSL websites (as measured by the number of distinct, valid certificates) was more than 100,000 by the end of 2000. The rate of growth has slowed since, but is still around 30% per year.
An https server must, when servicing a request, return to the client a copy of its certificate. This certificate contains details of the organisation controlling the site, the authority that issued the certificate, the duration of the certificate's validity, the hostname that it was issued in respect of, and the cryptographic key the site uses.
Sites that wish to gain the trust of the people who connect to them, must use a certificate that has been issued specifically to that particular site. The issuer will digitally sign each certificate, so that it can be immediately detected by the browser if it has been tampered with. Browsers will issue warning messages if the certificate is not signed by a trusted third party, or does not contain the same host name as was used to make the connection, or has expired or is in some other way invalid.
However, sites that are experimenting with https can make and sign their own certificates. One way of doing this is to sign the certificate using the same cryptographic key as is contained in the certificate data (making it "self-signed"), and in such cases we regard the certificate as untrustworthy. Alternatively, sites may use private certification, which in most cases we treat as valid third-party certification by an unknown issuer.
Our survey methods tend to find many sites which do not appear to have valid third party certificates correctly matching the hostname, and if these names were used in a browser, it would issue a warning message upon connecting to the site. Most of the extra responses are from sites which can be accessed by more than one name, and return the same certificate whichever name is used. Our first attempt to contact a site frequently uses one or more of the incorrect names — those which are not intended for use with SSL — so we find that the name in the certificate does not match the site name we used. When this happens, we extract the correct name from the certificate and verify if this name would allow users to visit the site and see a valid certificate.
Our analysis focuses on the sites for which we have a matching certificate issued by a certification authority recognised in the default configuration of the major browsers. We also include authorities with significant numbers of sites which are not yet included with browsers, but are candidates for inclusion in future, or are likely to be manually added to the browser by a significant userbase (for example, the certificates used on US government/military sites are accepted). Visiting any of these sites will not normally give any warning about the certificate presented.
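The triage described in the paragraphs above, as an added example (not Netcraft's code), working on certificate dictionaries in the format returned by Python's `ssl.SSLSocket.getpeercert()`. The hosts, certificates and recognised-issuer list are constructed, an in-memory table stands in for the network, and "subject equals issuer" is used as a stand-in for checking that a certificate is signed with its own key.

```python
import ssl
from datetime import datetime, timezone

# Constructed stand-in for the issuers recognised by default in major browsers.
RECOGNISED_ISSUERS = {"Example Trust CA"}
NOW = datetime(2006, 6, 1, tzinfo=timezone.utc).timestamp()

def _field(name, key):
    """First value of `key` in a getpeercert()-style subject/issuer tuple."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None

def cert_names(cert):
    """Host names the certificate covers: subjectAltName DNS entries, else commonName."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    cn = _field(cert["subject"], "commonName")
    return [cn.lower()] if cn else []

def name_matches(pattern, host):
    """Exact match, or a wildcard that covers exactly the leftmost label."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:] and "." in rest
    return False

def classify(cert, host, now=NOW):
    """Return (category, names_to_retry) for one certificate seen at `host`."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    if not start <= now <= end:
        return "invalid-dates", []
    if cert["subject"] == cert["issuer"]:      # stand-in for a self-signature check
        return "self-signed", []
    names = cert_names(cert)
    if not any(name_matches(n, host) for n in names):
        # The name we used is wrong; the certificate tells us which name to try.
        return "name-mismatch", [n for n in names if not n.startswith("*.")]
    if _field(cert["issuer"], "organizationName") in RECOGNISED_ISSUERS:
        return "valid-recognised-issuer", []
    return "valid-unknown-issuer", []          # e.g. private certification

def survey(host, fetch, now=NOW):
    """Query `host`; on a name mismatch, retry with the names in the certificate."""
    cert = fetch(host)
    if cert is None:
        return host, "no-response"
    category, retry = classify(cert, host, now)
    for name in retry:
        second = fetch(name)
        if second is not None:
            again, _ = classify(second, name, now)
            if again != "name-mismatch":
                return name, again
    return host, category

def _name(cn, org):
    return ((("organizationName", org),), (("commonName", cn),))

def _cert(subject, issuer, not_after="May 15 00:00:00 2007 GMT"):
    return {"subject": subject, "issuer": issuer,
            "notBefore": "May 15 00:00:00 2005 GMT", "notAfter": not_after}

# Constructed sample data: host name -> certificate that host would present.
_ca = _name("Example Trust Root", "Example Trust CA")
_shop = _cert(_name("www.shop.example", "Shop Ltd"), _ca)
_lab = _name("test.example", "Lab")
HOSTS = {
    "shop.example": _shop,          # same certificate served under both names
    "www.shop.example": _shop,
    "test.example": _cert(_lab, _lab),
    "intranet.example": _cert(_name("intranet.example", "Corp"),
                              _name("Corp Internal CA", "Corp")),
    "old.example": _cert(_name("old.example", "Old Ltd"), _ca,
                         not_after="May 15 00:00:00 2006 GMT"),
}

if __name__ == "__main__":
    for h in ("shop.example", "test.example", "intranet.example", "old.example"):
        print(h, "->", survey(h, HOSTS.get))
```
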
One of the features of the survey is that it is possible to include the decrypted responses from the sites with trustworthy certificates. These have been organised by geographical location, by server software, by server vendor, by operating system, and by operating system group. The geographical location is derived from the address in the certificate rather than the domain name.
The striking thing from a geographical perspective is the degree to which the sites are concentrated in the USA. Over 50% of the sites are based there. Japan is the next most significant country, with about 7% of sites.
The dominance of the USA is in fact declining a little: five years ago 68% of sites were located there, with around 4% in the UK. Eight years ago (April 1997) 79% were in the USA.
Business and application areas vary enormously. Users include The Wall Street Journal, Goldman Sachs, IBM, Playboy, American Express, and Russia Online. In some industries, such as adult entertainment and the retail of books and CD-ROMs, the ability to accept credit cards over the net is the de facto standard and a necessity, whilst gambling is one of the most legally complex applications anywhere on the Internet.
In other instances, people may have uses for the technology other than simple credit card transactions. Subscription publishing where the material is of a commercially sensitive nature is one natural application, and we may see more brokerage houses communicating with their privileged clients in this way. Also, organisations may choose to communicate with their overseas offices and close business partners using encrypted web servers.
Netscape once dominated the encrypted server market, and in November 1996 slightly over half of the Internet https sites used one of Netscape's servers. Since Netscape designed the SSL protocol, and developed the first servers, which were without competition for several months, Netscape's early lead in market share was to be expected.
However, Microsoft soon caught up and passed Netscape in site numbers. Microsoft's Internet Information Server continues to be the most popular single web server.
The most popular choice of SSL web servers is Apache and its derivatives. While the main Apache web server is not quite as popular as Internet Information Server, when taken together with other servers from the Apache group (Tomcat and Coyote) the total share for Apache is greater than that for Microsoft's products. And a number of other common servers found by the survey are commercial products from other vendors derived from Apache (such as IBM's HTTP server).
A number of new Windows sites appeared in the early part of 2000, taking the total Windows share just over 50%, mainly at the expense of those operating systems we have classified under "Others", while also diluting the shares of Solaris and BSD.
Since June 2000, Windows share remained almost constant around 52% until the middle of 2003, but it has now started to decline slowly and in March 2004 stands at 49.5%. Meanwhile there has been a gradual shift towards Linux, which now accounts for 27.3% of sites in March 2004.
Verisign has dominated the certificate market for many years. Most third party certificates are obtained from Verisign — though it signs many certificates under its other brand names of RSA Data Security, and Thawte Consulting (Thawte was originally a separate company, which was bought by Verisign in 1999).
A primary reason for this level of domination is that early versions of the Netscape and Microsoft browsers would only accept certificates from Verisign. Since using a different Certificate Authority would lock out all the people on the web using one of these browsers, none of the early adopters of SSL who needed to reach a wide audience could consider using a different source of server certificates. Current versions of Netscape and Microsoft browsers include details of a number of certification authorities, and allow the user to add or remove them.
GeoTrust are the second largest issuer of certificates; like Verisign, they issue certificates under multiple brand names. Comodo are the other prominent international certificate issuer. There are other issuers that confine their business to particular countries or regions; Germany is a good example, where there are two big authorities which do not appear elsewhere. Per-country breakdowns by certificate authority are available on the geographical analysis pages.
The number of SSL sites using third-party certificates continues to increase at around 25% per annum. End-users, while not yet understanding the ins-and-outs, have come to recognise the padlock in their browser as one indication that a site is safe to exchange confidential information. While recent problems with online fraud and phishing are challenging the IT industry to produce a more complete framework of security for non-technical users, it is clear from the continued growth of HTTPS use that SSL is still considered to be part of the solution for secure, online transactions.
The material on this web site is copyright © Netcraft Ltd 1996-2006.