There is less public information out there about SSL certificate usage than one might like to see. Netcraft has a for-pay report with some interesting figures, and occasionally makes some of that data public, and I’ve blogged about other sources in the past, but in general, it’s pretty sparse. I keep meaning to do something coordinated about that; I have some ideas, but they keep getting back-burnered.
So it came to pass that when someone idly remarked that it would be nice to know what percentage of certs on the top sites were valid, I pounced upon it as a way to quickly release some pent-up info-gathering angst.
It’s profoundly unscientific, but so was the question. Are the Alexa top 500 sites even a good reflection of the most popular SSL sites? Not really. I think it will bias the data towards higher counts of untrusted certs (since the admins aren’t expecting them to be used) and towards lower overall cert counts (since many of those sites won’t answer SSL hails, whereas presumably a list of the top 500 SSL sites all would). Is blindly connecting to their main page on port 443 the best way to harvest their certs? Probably not; lots of them use secure.frobber.tld constructions, so that will also bias the data lower. Let’s just agree that it’s a sort of fun number to have as an order-of-magnitude style signpost.
Of the 500 top sites on Alexa, October 15, 2008:
- 217 responded to an SSL query on port 443
- 199 of those replies used valid certs chaining to trusted roots
- The other 18 were a mix of self-signed, bad chains (likely from trusted roots, though I didn’t investigate), and expired certs.
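The harvest described above (connect to each host on port 443, see whether the certificate chains to a trusted root, and sort the failures into self-signed, bad chain and expired) as an added example; this is not code from the original post. It uses only the Python standard library: the default SSL context verifies against the system trust store, and a verification failure carries an OpenSSL error code that is mapped onto the post's three buckets. The code-to-bucket mapping, the hostnames and the sample results used when no hostnames are given are assumptions/constructed, not measurements.

```python
"""Survey which hosts answer TLS on 443 and whether their cert chains to a trusted root."""
import socket
import ssl
import sys
from collections import Counter

# OpenSSL X509 verify-error codes (SSLCertVerificationError.verify_code) -> post's buckets.
# Assumed mapping; anything not listed is reported as "other" with its message.
VERIFY_CODE_CLASS = {
    10: "expired",      # X509_V_ERR_CERT_HAS_EXPIRED
    18: "self-signed",  # X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
    19: "self-signed",  # X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
    2:  "bad-chain",    # X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
    20: "bad-chain",    # X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
    21: "bad-chain",    # X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
}


def classify_verify_code(code):
    """Map an OpenSSL verify-error code to a bucket; unknown codes become 'other'."""
    return VERIFY_CODE_CLASS.get(code, "other")


def probe(host, port=443, timeout=5.0):
    """Return (host, status, detail); status is 'no-ssl', 'valid', or a failure bucket."""
    ctx = ssl.create_default_context()  # chain + hostname verification against the OS trust store
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                # getpeercert() only returns parsed fields when verification succeeded
                return (host, "valid", tls.getpeercert().get("notAfter"))
    except ssl.SSLCertVerificationError as e:  # must precede OSError: it is a subclass
        return (host, classify_verify_code(e.verify_code), e.verify_message)
    except OSError as e:  # refused, timeout, reset, or a non-TLS listener on 443
        return (host, "no-ssl", str(e))


def summarize(results):
    """Tally: hosts probed, hosts that answered TLS, valid certs, and the failure mix."""
    counts = Counter(status for _, status, _ in results)
    answered = sum(n for s, n in counts.items() if s != "no-ssl")
    return {
        "probed": len(results),
        "answered": answered,
        "valid": counts["valid"],
        "untrusted": {s: n for s, n in counts.items() if s not in ("valid", "no-ssl")},
    }


# Constructed sample results (not real measurements) so the summary runs offline.
SAMPLE_RESULTS = [
    ("example-a.test", "valid", "Oct 15 23:59:59 2009 GMT"),
    ("example-b.test", "no-ssl", "[Errno 111] Connection refused"),
    ("example-c.test", "self-signed", "self signed certificate"),
    ("example-d.test", "expired", "certificate has expired"),
    ("example-e.test", "valid", "Jan  1 00:00:00 2010 GMT"),
]

if __name__ == "__main__":
    # Usage: python survey.py host1 host2 ...   (no arguments: summarize the sample data)
    hosts = sys.argv[1:]
    results = [probe(h) for h in hosts] if hosts else SAMPLE_RESULTS
    for host, status, detail in results:
        print(f"{host:40} {status:12} {detail or ''}")
    print(summarize(results))
```

Because the verifying handshake is the only connection made, the script never inspects an untrusted certificate's contents; it records the reason verification failed, which is what the three buckets need. A hostname mismatch (a site whose cert is issued for a secure.frobber.tld name) lands in "other" rather than being miscounted as a bad chain.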
If you prefer pretty pictures:
Any conclusions you want to draw from this data will be only as good as the aforementioned biases within it, but don’t say I never do anything for you in a feeble attempt to vent my own info-lust urges.
Bonus Firefox Pro-Tip: If you are on Firefox 3.1 Nightlies or the upcoming Firefox 3.1 Beta 2, you now have the ability to turn off link-visited colouring. David Baron recently landed a fix for bug 147777 that adds a new about:config preference to control the behaviour, layout.css.visited_links_enabled.
“Great!” I hear you all saying, “We’ve been hoping for a way to turn off an occasionally useful feature!”
And who hasn’t, really? But the thing of it is that colouring links can give away information to tricky sites about where you’ve been. It’s up to you whether you think that privacy/functionality trade-off is worth making, and the bug is still open while more universal solutions are contemplated, but in the meantime, you have the choice.
Another Firefox tip: there’s an extension called Perspectives that “verifies” self-signed certs. The university servers access the site from various hosts in the world and verify that the certificate is consistent over a period of time. While not the “Perfect Solution”, it does protect you from some man-in-the-middle attacks.
Any idea of EV adoption?
It’s nice to get such a statistic, but I think that most of the problematic sites will not be in the top 500.
Using a self-signed cert is something that a lot of small sites would do, but almost no large sites. But as there are a lot of small sites doing it, they probably end up representing a larger number of viewed pages than a few of the top 500 sites (that’s the “long tail” magic).