SSL Infoporn

600,000.  According to Netcraft, there are about 600,000 SSL sites out there on the public internet, and we just recently tipped over that arbitrary, but pleasantly round, number.

I’m not sure why, but when I tell people this (people, that is, who have any hope of being interested in such things; a small, biased, statistically indefensible sample) they are surprised.  I think mostly they expect the number to be higher.  And in actual fact, it probably is, at least a little bit.  I am reasonably certain, without even looking into them, that Netcraft’s methods are more prone to type-2 errors – false negatives – than they are to false positives.  Nevertheless, it’s probably the right order of magnitude.  There are almost certainly fewer than a million, for instance.

Netcraft doesn’t publish any numbers it may gather about the ratio, in that group, between DV, OV, and EV certs, but the informal vibe I get leads me to believe that there are around 2000 EV certs out there at the moment.  Given that several of these have gone to extremely high traffic domains, though, that number probably under-represents their network significance.

I bring these numbers up here because they seem to surprise people, and surprises are generally more instructive than confirmations.  In the last couple weeks, a fair number of surprising numbers have flitted across my radar, so I figured I would rehash a couple here, with no particular (conscious) effort to weave a narrative into them beyond, “hey look, infoporn!”

Consumer Reports on Net Risks

Consumer Reports recently released their 2007 State of the Net, which includes this table.  It’s not a real surprise that 1 in 2 respondents report high levels of spam, or that 1 in 5 report major virus problems (particularly since “Viruses” remain a scapegoat bogeyman for most performance problems/system instability.)  The captioned stat, that Spyware caused 850,000 households to replace a computer in the last 6 months is what really sticks with me here, as is the observation that, by CR’s reckoning, phishing is still out-costing malware, for the moment.  Watch this space.

Venafi on Security Alerts


91% of internet users have seen a security alert while web browsing.  This, and the rest of the numbers in this post come from an interesting study by Venafi.  It’s a phone poll, so it’s subject to standard errors of self-reporting, and their margin of error (2.5%) is given for a 0.1 confidence interval, which is a little slack for my tastes, but they have a large (N>1000), US-Census-representative sample, which maybe gives us intellectual permission enough to keep playing.

Among those 91%, the proportion who continue with their task, as compared to those who give up, is basically 50/50.  That surprises me, because common wisdom sometimes seems to hold that security warnings just make users more rabid about giving away credentials.  It seems likely that a part of that number is self-report bias (people tend to report themselves as more prudent and conscientious than they actually are) but even still, it’s surprising.

Venafi on Expired Certs


18% of Fortune 1000 websites had expired certs!  It’s not clear whether the other 82% were all acceptable (unlikely) or some mix of acceptable and broken-for-other-reasons.  Still, 18%.  I said, damn.  I suspect that this number is inflated, given that their technique was to look for all sites owned by Fortune 1000 companies, meaning that temp.servertest.subsystem3.armonk.labs.ibm.com is on equal footing with www.ibm.com, despite one being rather more relevant. As IE7, Firefox 3, and possibly other browsers take harsher stances on bad SSL, it will be interesting to watch this stat.

Venafi on Users’ Understanding of Errors

I’ll end with this one because it is at once the most interesting (to me) and seems the least subject to typical phone-screen biases. When confronted with a security dialog, users’ mental models of what’s happening fall into three dominant groups: Web Glitch (24%), Active Attack (40%), and Uncertainty/Confusion (32%).  Far behind the pack, in last place among the options mentioned, is that there is something wrong with the browser (4%).

If I may be permitted one iota of conclusion-drawing from this otherwise narrative-free post, I would submit this: our users, though they may be confused, have an almost shocking confidence in their browsers.  We owe it to them to maintain and improve upon that, but we should take some solace from the fact that the sites which play fast and loose with security, not the browsers that act as messengers of that fact, really are the ones that catch the blame.

9 comments

  1. I don’t know where you get the idea that FF3 is taking a ‘harsher’ stance on bad SSL certs. The harshest thing you can do is pop up a big warning dialog, which is what FF2 does. FF3 is going to be using a new identity system, which doesn’t do that, and which I think is more sensible.

  2. Mmm, info porn. More hot bell-curves next time? I’m into standard deviations like that. :-) But seriously…

    The “not applicable” for the cost of Spam seems wrong to me. While the “per incident” cost to an individual is probably effectively zero, there certainly is an aggregate cost. I suppose Consumer Reports didn’t consider things such as providers buying anti-spam tools, their time (labor) spent implementing and dealing with spam attacks, and the bandwidth and storage costs associated with all that spam.

  3. Good post, many questions … Just one for the moment:

    What is wrong with an expired cert?

  4. I agree that the spam cost can be measured … it’s easy. Take the time it takes someone to deal with a spam message, and extrapolate over the day’s loss. Before Thunderbird got good at spam detection, I was spending around 20 mins a day on it. Now it’s down to 2 mins a day. Which means for every 720 users like me, the spammers owe us a life.

  5. Dolske, I agree. I think consumer reports sort of dropped the ball on that one, because there is a real cost, even to end users, for the tools you mention. And Iang – I like that life calculus!

    I feel a little like I’m being baited with Iang’s other question, since I read his blog too, and he knows plenty about SSL, but I’ll dive in anyhow. The problem I have with expired certs is that we lose revocation. With live certs from root CAs, we have (in theory) OCSP responders or CRLs to check. In practice, support for these is spotty, but one of the positive aspects of EV certs is that they compel CAs to create a better revocation infrastructure, so hooray for that. Nevertheless, expired certs don’t get carried on CRLs or kept in OCSP dbs, so treating expiration more weakly than revocation creates the potential for exploitation of that difference, and impairs the ability to mitigate mistakenly issued certs.
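As an added illustration of the revocation gap described in comment 5 (this is example code, not code from the post or any of its commenters), the following Python model walks through the lifecycle of a mis-issued certificate with constructed sample data. The `Cert` and `ToyCA` classes, the serial numbers and dates, and the `validate` policy switch are all assumptions made for the example; the one real-world behaviour it encodes is that a CA may drop a certificate from its CRL once the certificate has passed its expiry date, which is what makes a "soft" expiry policy dangerous.

```python
"""Why expiry must be enforced at least as strictly as revocation.

Added example (not the post's own code). Models a CA that prunes
expired certificates from its CRL, then compares a validator that
treats expiry as a soft warning against one that hard-fails on it.
All certificate data below is constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime


@dataclass(frozen=True)
class Cert:
    serial: int
    subject: str
    not_before: datetime
    not_after: datetime


@dataclass
class ToyCA:
    """Hypothetical CA: records revocations and issues CRLs.

    When issuing a CRL it omits certificates that are already past
    notAfter, as CAs are permitted to do, so the revocation record
    for an expired certificate simply disappears from the CRL.
    """
    certs: dict = field(default_factory=dict)    # serial -> Cert
    revoked: dict = field(default_factory=dict)  # serial -> revocation time

    def issue(self, cert: Cert) -> None:
        self.certs[cert.serial] = cert

    def revoke(self, serial: int, when: datetime) -> None:
        self.revoked[serial] = when

    def issue_crl(self, now: datetime) -> frozenset:
        # Only still-valid (unexpired) certificates stay on the CRL.
        return frozenset(
            s for s in self.revoked if self.certs[s].not_after > now
        )


def validate(cert: Cert, crl: frozenset, now: datetime, hard_expiry: bool) -> str:
    """Return 'reject', 'warn' or 'ok' for a cert against a CRL at time `now`.

    hard_expiry=True  -> an expired cert is rejected outright.
    hard_expiry=False -> an expired cert only produces a warning the user
                         can click through (the behaviour the comment
                         above argues against).
    """
    if cert.serial in crl:
        return "reject"  # explicitly revoked: always fatal
    if not (cert.not_before <= now <= cert.not_after):
        return "reject" if hard_expiry else "warn"
    return "ok"


def scenario() -> dict:
    """Lifecycle of a mistakenly issued certificate (constructed data).

    Returns (soft_policy_result, hard_policy_result) for a check made
    before the cert expires and another made after it expires.
    """
    ca = ToyCA()
    bad = Cert(
        serial=4242,  # constructed serial
        subject="CN=www.example.test",  # constructed subject
        not_before=datetime(2007, 1, 1),
        not_after=datetime(2008, 1, 1),
    )
    ca.issue(bad)
    # The mis-issuance is noticed and the cert is revoked mid-2007.
    ca.revoke(bad.serial, datetime(2007, 6, 1))

    # Check 1: cert still within its validity period; CRL lists it.
    t1 = datetime(2007, 7, 1)
    crl1 = ca.issue_crl(t1)
    before = (validate(bad, crl1, t1, hard_expiry=False),
              validate(bad, crl1, t1, hard_expiry=True))

    # Check 2: cert has expired; the CA has pruned it from the CRL, so
    # the only remaining signal that anything is wrong is the expiry.
    t2 = datetime(2008, 2, 1)
    crl2 = ca.issue_crl(t2)
    after = (validate(bad, crl2, t2, hard_expiry=False),
             validate(bad, crl2, t2, hard_expiry=True))

    return {"before_expiry": before, "after_expiry": after,
            "on_crl_after_expiry": bad.serial in crl2}


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The point of the model is the second check: once the CA has stopped listing the certificate, a validator that merely warns on expiry is left with a click-through dialog as the only defence against a certificate the CA actively revoked, whereas a validator that treats expiry as fatal gives the same answer whether or not the revocation record survived.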

  6. Hi all,
    I’m from a developing country, India, and trying with small businesses to help them set up things right. The problem for small businesses is manifold. The growing pains are unbelievable. Unlike big businesses, they can’t buy domains for n no. of years and even that is a questionable decision in itself. For e.g. I know one business who has been in the local mkt. (City-based) for 8-9 yrs, now if he wants to make an on-line presence how much time it would take? Right from domain charges, SSL charges (now is that multi-yr. or what)? Also who is a good CA? How does one define that? An EV SSL would be something to the tune of Rs. 125000 is his income for a yr. Again he doesn’t get any promise for better return on his money rather than say E-bay or something more community-oriented where at least the possibility of 10 people saying that you are good/bad seller is there. Comments, suggestions all welcome.

  7. [...] SSL certificates are actually quite common. According to a study by Venafi, referenced here, as many as 18% of the Fortune 1000 websites have expired SSL [...]

  8. [...] with some interesting figures, and occasionally makes some of that data public, and I’ve blogged about other sources in the past, but in general, it’s pretty sparse. I keep meaning to do something coordinated [...]

  9. [...] in my Black Hat 2008 slides.  I went and tracked this down, and I actually picked this up from the Meandering Wildly blog.  Looks like I misread this a bit — a previous dataset had come from Consumer Reports, [...]