600,000. According to Netcraft, there are about 600,000 SSL sites out there on the public internet, and we just recently tipped over that arbitrary, but pleasantly round, number.
I’m not sure why, but when I tell people this (people, that is, who have any hope of being interested in such things; a small, biased, statistically indefensible sample) they are surprised. I think mostly they expect the number to be higher. And in actual fact, it probably is, at least a little bit. I am reasonably certain, without even looking into them, that Netcraft’s methods are more prone to type-2 errors – false negatives – than they are to false positives. Nevertheless, it’s probably the right order of magnitude. There are almost certainly fewer than a million, for instance.
Netcraft doesn’t publish any numbers it may gather about the ratio, in that group, between DV, OV, and EV certs, but the informal vibe I get leads me to believe that there are around 2000 EV certs out there at the moment. Given that several of these have gone to extremely high traffic domains, though, that number probably under-represents their network significance.
I bring these numbers up here because they seem to surprise people, and surprises are generally more instructive than confirmations. In the last couple of weeks, a fair number of surprising numbers have flitted across my radar, so I figured I would rehash a couple here, with no particular (conscious) effort to weave a narrative into them beyond, “hey look, infoporn!”
Consumer Reports recently released their 2007 State of the Net, which includes this table. It’s not a real surprise that 1 in 2 respondents report high levels of spam, or that 1 in 5 report major virus problems (particularly since “viruses” remain a scapegoat bogeyman for most performance problems and system instability). The captioned stat, that spyware caused 850,000 households to replace a computer in the last 6 months, is what really sticks with me here, as does the observation that, by CR’s reckoning, phishing is still out-costing malware, for the moment. Watch this space.
91% of internet users have seen a security alert while web browsing. This, and the rest of the numbers in this post come from an interesting study by Venafi. It’s a phone poll, so it’s subject to standard errors of self-reporting, and their margin of error (2.5%) is given for a 0.1 confidence interval, which is a little slack for my tastes, but they have a large (N>1000), US-Census-representative sample, which maybe gives us intellectual permission enough to keep playing.
Among those 91%, the proportion who continue with their task, as compared to those who give up, is basically 50/50. That surprises me, because common wisdom sometimes seems to hold that security warnings just make users more rabid about giving away credentials. It seems likely that a part of that number is self-report bias (people tend to report themselves as more prudent and conscientious than they actually are) but even still, it’s surprising.
18% of Fortune 1000 websites had expired certs! It’s not clear whether the other 82% were all acceptable (unlikely) or some mix of acceptable and broken-for-other-reasons. Still, 18%. I said, damn. I suspect that this number is inflated, given that their technique was to look for all sites owned by Fortune 1000 companies, meaning that temp.servertest.subsystem3.armonk.labs.ibm.com is on equal footing with www.ibm.com, despite one being rather more relevant. As IE7, Firefox 3, and possibly other browsers take harsher stances on bad SSL, it will be interesting to watch this stat.
I’ll end with this one because it is at once the most interesting (to me) and seems the least subject to typical phone-screen biases. When confronted with a security dialog, users’ mental models of what’s happening fall into three dominant groups: Web Glitch (24%), Active Attack (40%), and Uncertainty/Confusion (32%). Far behind the pack, in last place among the options mentioned, is that there is something wrong with the browser (4%).
If I may be permitted one iota of conclusion-drawing from this otherwise narrative-free post, I would submit this: our users, though they may be confused, have an almost shocking confidence in their browsers. We owe it to them to maintain and improve upon that, but we should take some solace from the fact that the sites which play fast and loose with security, not the browsers that act as messengers of that fact, really are the ones that catch the blame.