Are there 219,000 websites with expired SSL certificates?
This week Netcraft reported that there are now 1 million websites with valid SSL certificates on the Web. Only certificates issued by trusted third parties were included in this number.
In a study by Venafi from 2007 (referenced here), 18% of the Fortune 1000 websites had expired SSL certificates. If that ratio still holds true, and holds true for the rest of the Web as well, it means that in addition to the 1 million websites with valid SSL certificates there are 219,000 websites with expired SSL certificates.
Even the big guys have on occasion forgotten to keep their SSL certificates up to date. Both Google and Yahoo have had incidents with expired SSL certificates.
18% sounds a bit high to us, but even if we cut the number in half we still end up with more than 100,000 websites that have expired (i.e. invalid) SSL certificates. That’s a lot.
Web browser warnings will scare site visitors away
Considering how strictly new browsers handle invalid or self-signed SSL certificates, (we wrote a widely discussed post about this a while back), this is definitely something to keep in mind if you have a website that makes use of SSL (for example to secure a shopping form or login function).
To keep a long story short: Make sure your SSL certificate is kept up to date or you will see a significant amount of visitors simply flee your site when their browser starts to show warning messages that your site isn’t to be trusted.
Image from the Crystal project.
The New England Patriots held what seemed to be a commanding lead (17-15) with five minutes left of Super Bowl XLVI last night. But the New York Giants came back and managed to win with 21-17.
As Super Bowl 46 is approaching, fans will flock to the Lucas Oil Stadium in Indianapolis, Indiana, and to TV sets around the world to follow the New York Giants battle it out with the New England Patriots.
Every Friday we bring you a collection of links to places on the web that we find particularly newsworthy, interesting, entertaining, and topical. We try to focus on some particular area or topic each week, but in general we will cover Internet, web development, networking, performance, and other geeky topics.h
Out of the 
Pingdom’s Mobile Podcast is a weekly show about Internet, web, and mobile stuff. 
mike
February 6th, 2009 at 9:07 am
At Trustwave we have tools to automatically scan for and install certificates. The interesting thing we have seen recently is a renewed desire to understand and better manage the pki environment as a whole. The implications of the Kaminsky (DNS ) findings, the rapidssl md5 hole and the Comodo DV reseseller issues have really driven enterprises towards implementing a better system for managing their in flight data.
Times are interesting in the SSL world.
Johnathan Nightingale
February 6th, 2009 at 4:54 pm
For the top 1M sites (according to Alexa), I encountered 57,293 expired certificates vs. 214,035 valid certs. 382,860 of those sites responded to an SSL handshake at all. So you could call that 5.7% (of the top 1M sites), 21% (expired / (expired + valid)), or 14.9% (expired/total certs) depending mostly on what your agenda was.
I’d love to see others perform similar analysis though, I have made the code and the crawler data available as an SQLite file here: http://blog.johnath.com/2009/01/21/ssl-information-wants-to-be-free/
W.Wilkins
February 9th, 2009 at 3:55 pm
The numbers are interesting – not high at all in my mind. I have run into several expired certs and the “scary” web browser warnings. I have also run into more “green url bars” denoting an upgrade to Extended Validation SSL Certificates. Thank goodness.
I need more security these days – especially with my personal/financial information on the internet.
Allen Kelly
February 10th, 2009 at 12:12 pm
I agree with W. Wilkins. Phishing seems to be on the rise amidst this economic turnmoil, but at the same time, it is becoming standard that more people are sharing more sensitive and personal information online.
This is a double-edged sword and EV SSL seems to dull both sides of the blade.
I always look for the green URL bars first – because it’s so easy – and then continue scanning for other security indicators like the padlock, https, and other signs of credibility.