Counting SSL certificates

The SSL/TLS protocol — used to protect sensitive communication across the internet — combines encryption with authentication, providing a private connection to the intended recipient. To achieve this, SSL certificates bind together a cryptographic key and a domain name, and are digitally-signed by a trusted certificate authority (CA). Commercial CAs compete to sell certificates to the general public and account for the bulk of the SSL certificates seen on the internet.

Netcraft's SSL Server Survey has been running since 1996 and has tracked the evolution of this marketplace from its inception — there are now more than one thousand times more certificates on the web now than in 1996. As CAs issue certificates, and most charge (or not charge) accordingly, the number of certificates issued becomes the natural unit of measurement. Our survey therefore counts valid, trusted SSL certificates used on public-facing web servers, counting each certificate once, even if used on multiple websites.


Two types of certificates make the distinction between counting sites and certificates most apparent: multi-domain certificates and wildcard certificates. These two types now account for almost a quarter of all certificates found.

  • Multi-domain certificates (or UCC certificates) use the Subject Alternative Name extension to specify additional hostnames for which this certificate is valid — CloudFlare uses this technique heavily, having dozens of unrelated sites share the same certificate.
  • Wildcard certificates are valid for all possible subdomains of a domain, for example * would be valid for,,, etc. Our methodology counts a wildcard certificate once, no matter the number of sites for which it is valid.

Netcraft also counts certificates used by subdomains. For example, if, and are all using different SSL certificates, Netcraft will count all three certificates that have been issued.

Although the global SSL ecosystem is competitive, it is dominated by a handful of major CAs — three certificate authorities (Symantec, Comodo and GoDaddy) account for three-quarters of all issued SSL certificates on public-facing web servers. The top spot has been held by Symantec (or VeriSign before it was purchased by Symantec) ever since the survey began, with it currently accounting for just under a third of all certificates. To illustrate the effect of differing methodologies, amongst the million busiest sites Symantec issued 44% of the valid, trusted certificates in use — significantly more than its overall market share.

However, nothing ever stays still forever — Let's Encrypt could shake up the market for SSL certificates later on this year by offering free certificates with a simplified installation process. Whilst free certificates and automated tools are nothing new, the open approach and the backing of Mozilla, IdenTrust, the EFF, and Akamai could change the SSL ecosystem forever.

Beyond counting certificate numbers, Netcraft's SSL Survey also tracks the list and reseller prices of the most popular certificate authorities. This provides another useful market share metric, as it allows us to estimate the total monthly and annual revenue of each certificate authority attributable to public SSL issuance.

As each type of certificate — multi-domain, wildcard, or Extended Validation for example — is available at a distinct price point, the estimated revenue of a CA can vary significantly, despite initially appearing similarly sized by the total number of certificates. For example, GlobalSign comes in third-place when considering its estimated annual revenue (by list price) in 2014, despite accounting for approximately 6% of all currently valid publicly-visible SSL certificates.

For additional information or details on how to purchase Netcraft’s SSL Server Survey please contact us at or visit our web site.

Netcraft releases Heartbleed indicator for Chrome, Firefox, and Opera

The Netcraft Extension: Heartbleed and phishing protection rolled into one

The Heartbleed bug affected around 17% of all trusted SSL web servers when it was announced a week ago. The critical vulnerability in the OpenSSL cryptographic library has the potential to allow attackers to retrieve private keys and ultimately decrypt a server's encrypted traffic or even impersonate the server. This is not a theoretical problem: practical attacks have actually succeeded in stealing private keys, yet despite the potential dangers, many of the affected sites have yet to take remedial action.

Even if heartbeat support has been disabled, or OpenSSL upgraded to the latest version, a website that was previously vulnerable to Heartbleed is not necessarily secure today. If the vulnerability had been exploited prior to the upgrade, the certificate's private key could have been compromised. If the certificate has not yet been replaced and the old one revoked, an attacker could impersonate the site and carry out man-in-the-middle attacks against the site's visitors.

Netcraft's updated extensions for Chrome, Firefox and Opera now allow you to see whether the sites you visit are still using potentially compromised certificates. The extensions use data from Netcraft's SSL Survey to determine whether a site offered the heartbeat TLS Extension prior to the Heartbleed disclosure. If this is the case, the extension will also check to see if the site's SSL certificate has been replaced; if it has not, then the site is considered to be unsafe, as the certificate's private key could have been compromised. Even if the certificate has been replaced, it does not guarantee that the site cannot still be impersonated with a copy of the old certificate unless the old certificate has been revoked – and even then, the revocation checking done by browsers is not infallible.

Go here to download the Netcraft Extension for Chrome, Firefox or Opera.

Heartbleed indicator in the Netcraft Google Chrome and Opera Extensions

The extension will indicate when a site is potentially unsafe by displaying a bleeding heart icon. Additionally, in the Google Chrome and Opera versions of the Extension, a warning triangle will be displayed on top of the Netcraft icon.

Heartbleed indicator in the Netcraft Firefox Extension

As well as indicating which sites are using a certificate potentially compromised using Heartbleed, the Netcraft Extension also helps protect you from phishing attacks, displays the hosting location and risk rating of every site you visit, and lets you help to defend the internet community against fraudsters.

Netcraft's site report pages can also be used to determine whether a website might still be affected by the fallout from the Heartbleed bug. For example, our site report for shows that it no longer supports the TLS heartbeat extension and is using a new certificate.

In contrast, the site report for currently shows that the server previously supported TLS heartbeat and the SSL certificate has not been replaced. Even though TLS heartbeat is now disabled, the certificate could still be used to impersonate the site if it had been compromised prior to heartbeat being disabled. Fedex's website is hosted by Akamai, a popular Content Distribution Network, which was potentially vulnerable to Heartbleed. Akamai is in the process of rotating its customers' SSL certificates and stated that "some require extra validation with the certificate authorities and may take longer".

Heartbleed indicator in the Netcraft Site Report

Incentives for Phishing Site Reporters

As of the 1st November 2013, the Netcraft Anti-Phishing community has helped to block over 6.9 million phishing attacks worldwide. We incentivise phishing reports from the community, and have now added a Netcraft USB Flash Drive to our list of incentives:

Prize When
Netcraft USB Flash Drive after 100 validated phishing reports
Netcraft Mug after 250
Netcraft Polo Shirt after 500
Targus Laptop Backpack after 1,000
iPad after 5,000

On reaching 5,000 validated reports you become eligible for a monthly competition to incentivise large reporters.

To report phishing sites to us, please use the form at, or forward any phishing URLs or emails you receive to

The Netcraft Extension, which is available for Firefox, Google Chrome™ and Opera, serves as a giant neighbourhood watch scheme for the Internet. Members who encounter a phishing site can act to defend the larger community of users against the attack. Once the first recipients of a phishing mail have reported the attack URL, it is blocked for community members as they subsequently access the URL. Widely disseminated attacks simply mean that the phishing attack will be reported and blocked sooner.

Anti-Phishing Chrome Extension Netcraft Toolbar for Firefox Netcraft Toolbar for Opera

Netcraft removes phishing attacks in less than half the industry average time

Netcraft’s phishing site countermeasures service helps organisations targeted by phishing attacks remove the fraudsters’ forms as quickly as possible.

Recently we became aware that our median times for takedowns are very much better than the industry average calculated by the Anti-Phishing Working Group (APWG) in its most recent Global Phishing Survey. The APWG found that phishing attacks have a median lifetime of 5 hours and 45 minutes. In contrast, banks and other companies using our countermeasures service have experienced a median phishing attack availability of 2 hours and 12 minutes calculated over our most recent 100 takedowns, with the attacks removed in just 38% of the industry average time.

The graph below shows the availability times of our most recent 100 phishing attacks.

Last 100 Takedown Times

The difference between the first and final outages reflect the fact that phishing attacks will sometimes fluctuate up & down on compromised hosts where the fraudster may still have access to the system and be able to replace his content after the site owner removes it. In this scenario it is important to continue monitoring sites for some time after they go offline and restart takedowns if & when the phishing content reappears. For example, 87% of phishing attacks we attended to had their first outage within 24 hours, and 90% had their final outage within 48 hours.

Takedown times do vary significantly from country to country. For example, all of our last 100 takedowns in the US were completed within three days, and 90% had their first outage within 12 hours. In contrast, takedown times in Russia are rather longer, albeit with 90% going down within three days, and 70% having their first outage within twelve hours.

Russia and the US are by no means the long and short of phishing attacks. Phishing attacks we dealt with in the UK & Ireland have a shorter median lifetime than those hosted in the US, whilst phishing attacks we have taken down in Iran have a median lifetime of just under 30 hours, around five times longer than Russia.

In addition to providing fast takedown of the fraudulent content, the countermeasures service is also linked to our phishing site feed, which is licensed by all of the main web browsers, together with many of the largest anti-virus and content filtering products, firewall and network appliance vendors, mail providers, registrars, hosting companies and ISPs. Consequently, as soon as the phishing attack is verified, access to it will be blocked for hundreds of millions of people shortly afterwards, significantly reducing the effectiveness of the attack even before it has been removed.

More information regarding our countermeasures service can be found here.

Chrome version of Netcraft Anti-Phishing Extension Available

A version of the Netcraft Anti-Phishing Extension for the Google Chrome™ web browser is now available. The Netcraft Anti-Phishing Extension is a tool allowing easy lookup of information relating to the sites you visit and providing protection from Phishing.

Google Chrome Anti-Phishing Extension

The Extension runs on any operating system supported by Google Chrome and displays the hosting location, country, longevity, popularity, and an abstracted risk rating for each site visited. In particular its key features are:

  • Detailed site reports — simply click the Netcraft logo to access a wealth of information about the sites you visit, helping you to make informed choices about their integrity.
  • Risk Ratings — we evaluate the characteristics of the site compared against those depicted by fraudulent sites. The result is a simple visual summary displayed on the site report.
  • Protection against phishing sites — The Netcraft anti-phishing community is effectively a giant neighbourhood watch scheme, empowering the most alert and most expert members to defend everyone within the community. As soon as the first recipients of a phishing mail report it, we can block it for all users of the extension providing an additional level of protection from Phishing.
  • Protection against cross site scripting (XSS) — The extension optionally traps XSS and other suspicious URLs which contain characters with no purpose other than to deceive.
  • Conveniently report suspected phishing & fraudulent sites — At the click of the button you can report suspected web forgeries to Netcraft, helping to protect the community. Netcraft operates an incentive scheme for Phishing site submissions, including iPads, backpacks, mugs, and more... Over five and a half million phishing sites have been detected and blocked by Netcraft since the anti-phishing service was launched.

The Extension is available for download from the Google Chrome Store, and requires no special administrator privileges to install. You can also find the Firefox version from our download page.

Customized versions with corporate branding and navigation are also available.

Download Now!

Phishing attacks using HTML attachments

Netcraft has recently seen an increase in the number of phishing attacks using attached HTML forms to steal victims' credentials. This type of attack is not new - we have received reports of them from our phishing community since 2005 - but have become more popular amongst fraudsters during this year.

The attack works in a conventional way with the distinction that instead of linking to a form hosted on a web server, the form is attached to the mail.

Example drop site mail

A drop site phishing mail against Barclays customers asking the recipient to complete the attached form.

On opening the attachment, the form asks the victim to fill in their credentials. However, because the form is stored locally, it is less likely to be blocked by anti-phishing mechanisms. Some attachments also make use of obfuscated JavaScript to try and prevent anti-phishing software detecting the fraudulent content.

Form attachment screenshot

The form is hosted locally on the user's own computer.

Nevertheless these phishing attacks still have to send the sensitive data to the fraudster. This communication is usually done by sending a POST request to a remote web server, which then processes the information. This POST request can be detected and blocked, thus the user can still be protected. For example, a web browser, or a piece of security software or spam filter can use Netcraft's Phishing Site Feed to detect the phishing attack and block it.

Code snippet of the HTML form element

The form posts the details to a remote web-server.

These phishing attacks are sometimes referred to as "drop site" phishing attacks. This is because the only publicly accessible URL is a page into which the victim's details are "dropped". Drop sites can be difficult to recognise without the accompanying phishing mail. Usually, the "drop" page just processes the victim's details and provides no indication as to its true nature. Some drop sites redirect to the target's real website. This merits suspicion for anti-phishing groups, but may not provide enough evidence for them to block the URL without the accompanying mail.

HTTP Headers for an example drop site

Without the accompanying mail, the drop site URL appears to just be a page that redirects.

Netcraft has recently made improvements to its detection and handling of drop sites, which should be reported to Netcraft by forwarding the original phishing mail, including the HTML attachment(s), to

As of 1st November 2012, the Netcraft Toolbar community has blocked over 5.5 million phishing attacks. To provide an incentive for the community to continue sending Netcraft reports of phishing sites, Netcraft currently sends reporters the following:

Prize When
Netcraft Branded Mug after 100 validated phishing reports
Netcraft Polo Shirt after 400
Targus Laptop Backpack after 1,000
iPad after 5,000

As a further incentive, reporters become eligible for a separate competition when they reach 5,000 validated reports. To track the progress, we have a leaderboard displaying the people with the largest number of accepted reports so far this month.