Of the 2451780 sites able to respond to our requests, only 841574 appeared to have valid third party certificates correctly matching the hostname, such that the latest version of Microsoft's Internet Explorer would not issue a warning message upon connecting to the site.
There are many reasons for the large number of sites with valid certificates but mismatched names:
The large number of self-signed and unknown issuer certificates includes both "real" self signed certificates (where a company or organisation has really created their own self-signed certificate), and default certificates such as that provided with Apache/mod-ssl, and test certificates from real certificate issuers (but which provide no assurance, so are not counted as valid).
There were 87780 valid-but-expired certificates in use at the time of the survey. So, while most sites are renewing their SSL certificates regularly as intended, there are a small but significant minority of sites that buying a certificate and then fail to renew it, relying on users ignoring expiry warnings.
Some certificates had issuers listed that were not known to us as certificate authorities. The most plausible explanation for this is that these certificates were actually self-signed, but not in a way that we were able determine automatically. However, new certificate issuers would also be treated in the same way. Netcraft review all unrecognised issuers with large numbers of certificates each month, and ensure that any new issuers are identified and included where appropriate.
Copyright © Netcraft 1996-2008