After more than 4 years of continued growth, Extended Validation SSL certificates still only account for 2.3% of all valid third party certificates found in the Netcraft SSL Survey. The majority of sites use the cheapest type of certificate – domain validated – although these are less common amongst high-traffic websites.

Netcraft's April 2011 survey found a total of 38,966 valid EV certificates:

Extended Validation SSL certificates typically cost more than both domain and organisation validated certificates. The vetting process for EV certificates cannot always be automated to the same degree as for domain validated certificates – for example, the current guidelines may in some circumstances require the certificate authority to arrange a site visit in order to verify an applicant's business address. Such checks ultimately ensure that EV certificates are only issued to legally established businesses or organisations.

Because simpler domain validation checks can be performed automatically, CAs can enjoy a very fast and low cost issuance process for domain validated certificates. Eddy Nigg's StartSSL is perhaps a prime example of this – they offer free domain validated certificates for one year, in addition to their range of other paid-for certificates.

EV certificates are much more prevalent amongst high-traffic or financial websites, where it is often beneficial to demonstrate higher levels of assurance to visitors. For example, losses to phishing fraud can be reduced by educating online banking customers to look for the green indicator in the browser's address bar. Because this can only be activated by an EV certificate, a fraudster would be unable to replicate this behaviour on an HTTP website or by using a more easily obtainable type of certificate.

Of course, EV certificates cannot entirely prevent phishing attacks. If an attacker were to compromise a website which already uses a valid EV certificate, he can piggyback on the trust instilled by that site's certificate to present his fraudulent content. Such a problem was first demonstrated on SourceForge, and then on paypal.com a few years ago, when cross-site scripting (XSS) vulnerabilities allowed arbitrary content to be injected into webpages. PayPal was one of the first companies to use EV certificates, which they believe resulted in noticeably lower abandonment rates on signup flows.

Restricting our analysis to the busiest 1,000 websites in the world, 81 sites accepted HTTPS connections and presented a valid SSL certificate. Nearly a third of these certificates used Extended Validation – a far higher proportion than the 2.3% share of all certificates.

While domain validated certificates have the largest share of the entire market, this share starts to decline when the least visited sites are removed from the analysis. Organisation validated certificates take the largest share within the top million sites, and are still almost twice as popular as EV certificates in the top 1,000.

The future looks quite promising for both Extended Validation and domain validated certificates. Both types have shown continued growth in recent years, while the growth of organisation validated certificates has been relatively subdued. Organisation validated certificates do not offer the same level of assurance as an EV certificate, and typically cost more than a domain validated certificate, so it will be interesting to see whether these "middle of the road" certificates continue to grow – particularly in a market where many consumers may only be interested in either having the highest assurance or paying the lowest price.

In the aftermath of last month's successful attacks against three of Comodo's affiliate Registration Authorities, Cryptome has just published a database purportedly belonging to GlobalTrust and InstantSSL. It is likely that the database was obtained during last month's security breach, where an Iranian attacker caused fraudulent certificates to be issued for several high-value domains including www.google.com. Many GlobalTrust websites were subsequently taken offline for forensic investigation.

GlobalTrust.it is still up and running, but it appears that InstantSSL.it has quickly been taken down again, possibly to defend it against any unauthorised access which may result from this latest leak. The site currently responds with a 403 Forbidden message:

The ComodoHacker stated via Twitter that the comodo-db.rar file on cryptome.org contains the "entire database of GlobalTrust and InstantSSL Italy". ComodoHacker proved his involvement in last month's attack by publishing the private key for one of the fraudulently issued certificates, so it is likely that this file does indeed contain the compromised database.

The Director of Policy and Enforcement for Xbox LIVE, Stephen Toulouse, had his Xbox LIVE account hijacked yesterday. The attacker purportedly used social engineering to convince Network Solutions to transfer DNS control of Toulouse's stepto.com domain name, allowing the attacker to receive any email sent to that domain. The attacker most likely used this to reset Toulouse's Xbox LIVE password and gain unauthorised access to his account, where he goes by the gamertag of Stepto.

The excited attacker subsequently uploaded footage of the hijack to YouTube, where he changed Stepto's motto from "Behave" to "Jacked by Predator". The attacker also advertised his account hijacking services in Stepto's bio, offering his AOL Instant Messenger contact details and payment methods. In his description of the video, Predator proudly boasts "ANY ACCOUNT $100 - $250 PayPal or AlertPay!!".

Predator revealed that the attack was carried out in revenge for being banned from using Xbox LIVE. During the video, he appears to hold Stephen Toulouse personally responsible for this: "Stepto, this is for console banning me over 35 times. You had it coming, man. Like, I'm tired of getting the console ban; now let's see what I can do to your account."

Proud of hijacking the Director's account, Predator ends his video's description with "I rest my name as Xbox Live's greatest account jacker."

Predator later uploaded a second video, noting that Stepto's account had been locked out. Toulouse regained control of his email and his domain's nameserver settings several hours after the attack, and his Xbox LIVE profile now looks to be restored.

Recent reports that "Samsung installs keylogger on its laptop computers" are likely to have been a false alarm, caused by a directory named C:\WINDOWS\SL being found on the newly purchased Samsung laptops. The mere existence of this folder causes some anti-virus software to incorrectly report the presence of the commercial Starlogger keylogging software, even if the software is not actually installed.

The Samsung Tomorrow website states that any claims of a keylogger on R525 and R540 laptops are false, pointing out that Microsoft's Live Application multi-language support legitimately creates this folder. Netcraft tested this by creating an empty C:\WINDOWS\SL folder on a malware-free Windows computer. VIPRE Antivirus Premium subsequently reported an elevated risk, claiming that the commercial Starlogger software had been found:

F-Secure's Chief Research Officer, Mikko Hypponen, was one of several security experts who found the original keylogging reports hard to believe. He solved the mystery for himself by going to a local computer shop and checking a range of Samsung laptops, none of which were running any keyloggers.

In a newsgroup posting by Robin Alden, CTO of Comodo, it has been confirmed that two further SSL Registration Authority (RA) accounts have been compromised since the original attack against GlobalTrust. Alden wrote: "Two further RA accounts have since been compromised and had RA privileges withdrawn. No further mis-issued certificates have resulted from those compromises."

It is not yet known which other RAs were compromised, or to what degree. In his latest Pastebin message, the Iranian ComodoHacker appears to claim responsibility for these other attacks:

"From listed resellers of Comodo, I owned 3 of them, not only Italian one, but I interested more in Italian brach because they had too many codes, works, domains, (globaltrust, cybertech, instantssl, etc.) so I thought they are more tied with Comodo."

According to an earlier message from ComodoHacker, the Italian attack was carried out by exploiting an SQL injection vulnerability on InstantSSL.it. The attacker subsequently escalated his privileges and caused the fraudulent certificates to be issued. The ComodoHacker unarguably proved his involvement in this attack by publishing a private key which corresponded to the fraudulently issued certificate for addons.mozilla.org. This private key has since been removed.

Both GlobalTrust.it and InstantSSL.it were shut down after the attack, but are now back online, offering a range of SSL certificates for sale.