Extended Validation SSL certificates: 4 years of growth

After more than 4 years of continued growth, Extended Validation SSL certificates still only account for 2.3% of all valid third party certificates found in the Netcraft SSL Survey. The majority of sites use the cheapest type of certificate – domain validated – although these are less common amongst high-traffic websites.

Netcraft's April 2011 survey found a total of 38,966 valid EV certificates:

Extended Validation SSL certificates typically cost more than both domain and organisation validated certificates. The vetting process for EV certificates cannot always be automated to the same degree as for domain validated certificates – for example, the current guidelines may in some circumstances require the certificate authority to arrange a site visit in order to verify an applicant's business address. Such checks ultimately ensure that EV certificates are only issued to legally established businesses or organisations.

Because simpler domain validation checks can be performed automatically, CAs can enjoy a very fast and low cost issuance process for domain validated certificates. Eddy Nigg's StartSSL is perhaps a prime example of this – they offer free domain validated certificates for one year, in addition to their range of other paid-for certificates.

EV certificates are much more prevalent amongst high-traffic or financial websites, where it is often beneficial to demonstrate higher levels of assurance to visitors. For example, losses to phishing fraud can be reduced by educating online banking customers to look for the green indicator in the browser's address bar. Because this can only be activated by an EV certificate, a fraudster would be unable to replicate this behaviour on an HTTP website or by using a more easily obtainable type of certificate.

Of course, EV certificates cannot entirely prevent phishing attacks. If an attacker were to compromise a website which already uses a valid EV certificate, he can piggyback on the trust instilled by that site's certificate to present his fraudulent content. Such a problem was first demonstrated on SourceForge, and then on paypal.com a few years ago, when cross-site scripting (XSS) vulnerabilities allowed arbitrary content to be injected into webpages. PayPal was one of the first companies to use EV certificates, which they believe resulted in noticeably lower abandonment rates on signup flows.

Restricting our analysis to the busiest 1,000 websites in the world, 81 sites accepted HTTPS connections and presented a valid SSL certificate. Nearly a third of these certificates used Extended Validation – a far higher proportion than the 2.3% share of all certificates.

While domain validated certificates have the largest share of the entire market, this share starts to decline when the least visited sites are removed from the analysis. Organisation validated certificates take the largest share within the top million sites, and are still almost twice as popular as EV certificates in the top 1,000.

The future looks quite promising for both Extended Validation and domain validated certificates. Both types have shown continued growth in recent years, while the growth of organisation validated certificates has been relatively subdued. Organisation validated certificates do not offer the same level of assurance as an EV certificate, and typically cost more than a domain validated certificate, so it will be interesting to see whether these "middle of the road" certificates continue to grow – particularly in a market where many consumers may only be interested in either having the highest assurance or paying the lowest price.