
The number of SSL sites found by the survey this month increased by a further 1.8% to 794,008, reflecting growth of 39.9% from the same period last year. In total, 2,451,780 sites were able to respond to an SSL request, and the proportion which offered valid third party certificates has grown to 34.3%. A fair number of sites (87,780) continue to use certificates without renewing them, relying on users ignoring expiry warnings.
Verisign remains the market leading certificate authority at the start of 2008 with a total of 447,030 sites (56.3%). Despite showing steady growth in absolute numbers, Verisign's share has continued to decrease over the last year as a result of stronger growth at other authorities. Go Daddy's growth showed a brief acceleration in November 2007 as a large number of its own customers were migrated over to its own Go Daddy-branded certificates, and this growth has continued into the new year. Go Daddy now has 131,495 sites, representing 16.6% of the market and maintaining its lead over Comodo on 15.3%.
Verisign also retains the lion's share of the Extended Validation (EV) certificate market. Verisign's share has been largely static for the last six months, now resting at 75.2%. Verisign's premier brand takes 67.2% of the market alone; however, absolute numbers still remain small and Verisign's total share represents only 2,892 sites. The total number of EV certificates in use is now 3,846, having grown by 416, showing stronger growth of 12.1% compared with 1.8% growth amongst all certificates.
EV certificates are not only used by large financial institutions such as PayPal and banks, but also by charities and organisations that accept donations, such as The United Way and the Girl Scouts, Hornets' Nest Council; the latter uses one of the short explanations of Extended Validation from Verisign's website.
Extended Validation support is notably missing from the current beta release of Firefox 3 (see release notes); however, it is believed that later versions will display EV certificate information.
Apache and Microsoft web servers continue to host the majority of sites which offer valid SSL certificates. Apache has remained slightly ahead of Microsoft for nearly two years now, with 44.8% of the sites currently running on Apache servers and 42.3% running on Microsoft servers. Windows and Linux remain the most common operating systems, with Windows being found on 41.3% of sites and Linux on 38.5%. Windows Server 2003 is the most common Windows variant, being found on 34.0% of sites, while Windows 2000 decreases to 6.9%.
It is interesting to note that while 59.8% of the sites are hosted in the United States, only 40.7% of the SSL certificates belong to addresses within the United States. Although 22.8% of certificates belong to an unknown country, it is still likely that the number of sites hosted in the United States is greater than the number of certificates belonging to American entities. The higher availability and lower costs of hosting in the United States may explain this to some extent.
An extremely convincing attack against Banca Fideuram illustrated that it remains essential to pay attention to web application security, even when a valid SSL certificate is used to secure communications and authenticate the identity of a site. A page on the Italian bank's website was vulnerable to cross-site scripting, allowing fraudsters to inject arbitrary content such as modified login forms.
Allowing such attack vectors is extremely dangerous, as injected content is delivered with the same assurances that the SSL certificate provides to the rest of the website. It is fortunate that this attack was not carried out very effectively, with the fraudsters using the vulnerability to inject an IFRAME which requested its content from an HTTP server in Taiwan. Internet Explorer therefore brought up a dialog box to warn the user that the bank's page also contained insecure items. While Firefox did not produce a similar warning, neither of the mainstream browsers displayed a secure padlock icon.
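The "insecure items" warning described above is triggered when a page served over HTTPS embeds a resource fetched over plain HTTP. The following scanner, an added example that is not part of the survey or of any browser's code, walks a page's HTML and reports every such sub-resource; the page URL and HTML are constructed, with the injected IFRAME modelled on the incident above.

```python
# Added example, not part of the Netcraft survey: flag sub-resources that an
# HTTPS page loads over plain HTTP, the condition behind the "insecure items"
# warning described above. Sample page URL and HTML are constructed.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes whose value the browser fetches while rendering the page.
_FETCH_ATTRS = {"iframe": "src", "frame": "src", "script": "src",
                "img": "src", "embed": "src", "link": "href", "object": "data"}


class _MixedContentParser(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, absolute URL) for each plain-HTTP fetch

    def handle_starttag(self, tag, attrs):
        wanted = _FETCH_ATTRS.get(tag)
        for attr, value in attrs:
            if attr == wanted and value:
                # Relative and scheme-relative URLs inherit https from the page
                absolute = urljoin(self.page_url, value.strip())
                if urlsplit(absolute).scheme == "http":
                    self.findings.append((tag, absolute))


def find_mixed_content(page_url, html):
    """Return [(tag, url), ...] for resources an https:// page fetches over http://."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only arises on a page served over HTTPS
    parser = _MixedContentParser(page_url)
    parser.feed(html)
    return parser.findings


# Constructed sample: a login page into which an IFRAME has been injected.
SAMPLE_PAGE_URL = "https://bank.example/login"
SAMPLE_HTML = """
<html><head><link rel="stylesheet" href="/css/site.css"></head>
<body><form action="/login" method="post"><input name="user"></form>
<iframe src="http://injected.example/fake-login" width="0"></iframe>
<img src="//cdn.example/logo.png">
<script src="https://bank.example/js/app.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"insecure {tag} loaded from {url}")
```

Only the injected IFRAME is reported: the stylesheet and the scheme-relative image resolve to https:// against the page URL, so they do not count as mixed content.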
India's second largest bank, ICICI Bank, has selected Entrust to provide standard SSL certificates for its websites. The five year contract will see Entrust providing verification services for issuing the certificates, as well as support through one of its local registration authorities. Entrust currently has 11,772 sites in our survey, giving it a share of 1.5%.
SSLinabox.com announced the launch of their Instant SSL Reseller product, allowing resellers to get the lowest possible SSL Reseller pricing at only $7.99 each without any up-front deposit or quantity purchase required. Ironically, https://sslinabox.com uses an SSL certificate that is only valid for https://www.sslinabox.com, and so displays a warning in Internet Explorer.
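The warning Internet Explorer shows for https://sslinabox.com comes from the browser's hostname check: the name being visited must match a name in the certificate. The code below is an added example (not the survey's, not any browser's) of that check, following the usual rules for dNSName entries and a single leftmost wildcard label; the certificate name lists are constructed, modelled on the case above.

```python
# Added example, not from the Netcraft survey: the hostname check a browser
# applies before showing the padlock, which is the check https://sslinabox.com
# fails above because its certificate names only www.sslinabox.com. The
# matching rules follow RFC 6125 (one wildcard, leftmost label only, matching
# exactly one label); the certificate name lists below are constructed.

def _label_matches(pattern_label, host_label):
    """Match one DNS label; '*' in the certificate matches exactly one whole label."""
    if pattern_label == "*":
        return bool(host_label)
    return pattern_label == host_label


def _name_matches(cert_name, hostname):
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False  # a wildcard never spans more than one label
    if "*" in cert_name:
        # Only a bare '*' as the leftmost label is accepted; partial or deeper
        # wildcards (w*.example, a.*.example) are rejected.
        if cert_labels[0] != "*" or any("*" in l for l in cert_labels[1:]):
            return False
        if len(cert_labels) < 3:
            return False  # refuse '*.com'-style names that would cover a whole TLD
    return all(_label_matches(p, h) for p, h in zip(cert_labels, host_labels))


def hostname_matches(hostname, san_dns_names, common_name=None):
    """Return True if the certificate is valid for hostname.

    Names come from the subjectAltName dNSName entries; the subject CN is only
    consulted when the certificate carries no dNSName at all.
    """
    names = list(san_dns_names) or ([common_name] if common_name else [])
    return any(_name_matches(n, hostname) for n in names)


# Constructed certificate data modelled on the case above: a certificate that
# names only the www host does not cover the bare domain.
WWW_ONLY_CERT = {"san": ["www.sslinabox.com"], "cn": "www.sslinabox.com"}

if __name__ == "__main__":
    for host in ("www.sslinabox.com", "sslinabox.com"):
        ok = hostname_matches(host, WWW_ONLY_CERT["san"], WWW_ONLY_CERT["cn"])
        print(f"{host}: {'valid' if ok else 'name mismatch, browser warns'}")
```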
794,008 valid third-party certificates were found this month. 2,451,780 sites were able to respond to an SSL request, with only 34.3% having valid third party certificates.
The Netcraft Secure Server Survey examines the use of encrypted transactions on the Web through extensive automated exploration of the Internet. Its intent is to provide answers to questions such as:
We anticipate that this analysis will help the certification, server and SSL accelerator industries to identify and understand the user community and their applications.
Netcraft is a British Internet consultancy company. Founded in 1988, it offers a range of services such as Internet Research, World Wide Web Publishing, Network Security, and Contract Systems & Network Management to customers which include Hewlett Packard, IBM, Intel, Microsoft, and Sun Microsystems.
In mid 1995, Netcraft began its Web Server Survey, initially as a capability statement. Each month Netcraft conduct an automated exploration of the Internet, looking for hosts that may be offering http services, and in the last few days of the month, send an http request to each site to discover what server software is being used. The Netcraft Web Server Survey has become the web server industry reference for Internet connected sites. The SSL server survey started in 1996, providing an equivalent monthly snapshot for the use of HTTPS on the Internet.
The use of encrypted transactions on the Internet, and the whole Electronic Commerce spectrum, have been the subject of considerable media attention since early 1995. Since then, electronic commerce and the general use of encrypted transactions on the Internet have grown enormously, although not always steadily. By quantifying the growth, this survey complements media coverage which is sometimes exaggerated: for example, the widely reported slowdown in e-commerce after the bubble of 1999 and 2000 appears in this Survey merely as a reduced rate of growth.
Different governments' legislation impacts upon people's ability to make use of encrypted transactions. For several years the early development of the SSL market was significantly affected by the US government's export legislation which, at that time, made it impossible to export software containing effective cryptography from the US. Initially, US vendors had to ship "export grade" versions of their software with weak encryption to overseas markets. US rules have now changed, and make it much easier for US vendors to export to most countries.
Another significant historical feature was the US patent on RSA. RSA is an important and widely used public key encryption algorithm, which was patented in the US, but not elsewhere. This caused some distortions in the uptake of encryption products at the time, but since the patent expired in September 2000, most encryption vendors are now able to use the same RSA code both in the USA and elsewhere.
Internationally, many other jurisdictions have quirks restricting the export, import, sale, or use of https servers. For example, the UK does not currently have any specific laws pertaining to software containing strong cryptography, but advice from the Department of Trade & Industry suggests that SSL servers would fall within the definition of "high technology" and export to a "denied list" of countries, including Iraq & Iran, would be restricted.
Several countries, including Iran, Iraq, Pakistan, and parts of the former Soviet Union have laws restricting the use of cryptographic products. Professional advice would be especially useful if considering operating in these jurisdictions.
All responses obtained by the survey are subject to the same 3 criteria that a typical web browser will apply when connecting to a secure website:
Although we give some overall figures for all sites visited by the survey, most of the survey data presented is for valid sites — that is, distinct sites (in effect, distinct SSL certificates, identifying distinct businesses or organisations) that would work without warnings in a typical user's web browser. See the methodology for details.
In the first Secure Server Survey in November 1996 we found 3,239 sites which responded to our SSL request with a certificate valid for the site name we used. The number of distinct SSL websites (as measured by the number of distinct, valid certificates) was more than 100,000 by the end of 2000. Steady growth of around 30% per annum has been seen in recent years.
(Recent numbers subdivided by type of validation)
One of the features of the survey is that it is possible to include the decrypted responses from the sites with trustworthy certificates. These have been organised by geographical location, by server software, by server vendor, by operating system, and by operating system group. The geographical location is derived from the address in the certificate rather than the domain name.
The striking thing from a geographical perspective is the degree to which the sites are concentrated in the USA: excluding sites where no country is specified, 50% of the sites are based there. Its share has been declining, however, as e-commerce has grown in worldwide popularity.
Business and application areas vary enormously. Applications include website login forms, online retail, online brokerage, payment gateway services, online banking, gambling and charity donations. There are also many less public uses of the technology; organisations may choose to communicate with their overseas offices and close business partners using encrypted web servers.
Netscape once dominated the encrypted server market, and in November 1996 slightly over half of the Internet https sites used one of Netscape's servers. Since Netscape designed the SSL protocol, and developed the first servers, which were without competition for several months, Netscape's early lead in market share was to be expected. However, Microsoft soon caught up and passed Netscape in site numbers, and was the most popular SSL server product throughout the dot com era.
The most popular choice of SSL web server is the open source Apache server. It is distributed with and supported by all the main Linux distributions, as well as FreeBSD, and a number of other common servers found by the survey are commercial products from other vendors derived from Apache (such as IBM's HTTP Server).
A number of new Windows sites appeared in the early part of 2000, taking the total Windows share just over 50%, mainly at the expense of those operating systems we have classified under "Others", while also diluting the shares of Solaris and BSD. Windows share remained at around 52% for several years, but has started to decline in the last few years as Linux has grown in popularity.
Verisign has dominated the certificate market for many years. Most third party certificates are obtained from Verisign and its subsidiaries. Apart from its premier "Verisign" brand, Verisign retains several other major brands, including its subsidiary Thawte (Thawte was originally a separate company, which was bought by Verisign in 1999), and the Equifax brand (from the acquisition of GeoTrust in 2006).
Comodo are the second largest issuer of certificates; like Verisign, they issue certificates under multiple brand names. GoDaddy and Entrust are the other prominent international certificate issuers. There are other issuers that confine their business to particular countries or regions; Germany is a good example, where there are two big authorities which do not appear elsewhere. Per-country breakdowns by certificate authority are available on the geographical analysis pages.
The number of SSL sites using third party certificates continues to increase at around 30% per annum. End-users, while not understanding the ins and outs, have come to recognise the padlock in their browser as one indication that a site is safe to exchange confidential information with. While recent problems with online fraud and phishing are challenging the IT industry to produce a more complete framework of security for non-technical users, it is clear from the continued growth of HTTPS use that SSL is still considered to be part of the solution for secure, online transactions.
The material on this web site is copyright © Netcraft Ltd 1996-2008.
It is made available to purchasers of the report for their own use, and other than the browser loading transfers necessary for that person to properly view the material, copying of all or any part of the material is forbidden.
Persons wishing to use summary or excerpted information from the material in a press release, promotional information, or other material intended for public consumption, should first request permission. Permission will normally be granted providing that the excerpt is brief and specific, and that Netcraft and the url http://www.netcraft.com/ are attributed.
All trademarks are hereby acknowledged.