Report: SSL Certificates Invalid For 219,000 Sites
Written by Fred J. Aun
It's possible the Secure Sockets Layer (SSL) certificates for nearly a quarter-million Web sites are invalid. And, added a site performance specialist, if those sites are involved in E-Commerce, their operators are surely losing sales.
Peter Alguacil, an analyst at site monitoring company Pingdom, noted even large, global enterprises sometimes fail to renew their sites’ SSL certificates. When they do, visitors are often presented with notices from their Web browsers telling them the sites are not verifiably secure for online transactions. Those customers take their credit cards and go elsewhere, Alguacil said.
The Lost in Space robot’s effusive warnings pale in comparison to the red flags raised by some browsers upon encountering an invalid SSL certificate. “Firefox 3 displays a warning that is very discouraging,” Alguacil noted. “Basically, it looks like the page is broken. That will scare away visitors.”
According to Alguacil’s calculations, there are probably 219,000 sites with outdated SSL certificates. To reach that conclusion, he did a bit of math.
A new report from Netcraft says there are now a million Web sites with valid SSL certificates issued by trusted third parties. A 2007 study by Venafi determined that 18 percent of Fortune 1,000 sites had expired certificates, and Alguacil used that ratio as a rough proxy for the Web as a whole.
“The 1 million sites that Netcraft listed did not include sites with expired SSL certificates,” Alguacil said.
“If 18 percent of the sites have expired SSL certificates, this means that 82 percent have valid SSL certificates. In other words, those 82 percent constitute the 1 million sites mentioned. Thus, the total number of SSL sites, counting both valid and expired SSL certificates, is something we can calculate.”
Dividing the 1 million valid-certificate sites by 0.82 gives about 1.22 million SSL sites in all, so the expired remainder, rounded a bit, is 219,000. Alguacil said he and his colleagues at Pingdom believe the 18 percent figure might be on the high side. But he noted that even half of 219,000 means "we still have more than 100,000 Web sites that have some expired SSL certificates."
Although, as documented on Pingdom’s Web site, major online entities including Google and Yahoo have allowed their certificates to lapse on occasion, Alguacil said keeping on top of the situation “is not really difficult” and should be one of the routine functions of Webmasters or systems administrators.
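The routine check Alguacil describes is a short script. The one below is an added example, not code from the article or from Pingdom: it uses the openssl command-line tool to classify a certificate as expired, about to expire, or fine, and shows how to pull a live site's certificate for the same check. The two self-signed certificates it generates are constructed stand-ins for real site certificates, and the hostnames and the 30-day warning window are assumptions.

```shell
#!/bin/sh
# Added example (not from the article or Pingdom): an expiry check an
# administrator could run from cron. Requires the openssl CLI.

# cert_not_after FILE: print the notAfter date of a PEM certificate.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# cert_status FILE WARN_DAYS: print "expired", "warn" (expires within
# WARN_DAYS days) or "ok". "openssl x509 -checkend N" exits 0 only when
# the certificate is still valid N seconds from now, so each test is negated.
cert_status() {
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        echo warn
    else
        echo ok
    fi
}

# fetch_site_cert HOST OUTFILE: save the certificate a live site presents.
# -servername sends SNI so a virtual-hosted site returns the right
# certificate. Not called below, because this script runs offline.
fetch_site_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$2"
}

# Constructed inputs: two self-signed certificates, one valid for a year and
# one that expires in five days (the hostnames are made up).
WORKDIR=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORKDIR/long.key" \
    -out "$WORKDIR/long.pem" -days 365 -subj "/CN=long.example" >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORKDIR/short.key" \
    -out "$WORKDIR/short.pem" -days 5 -subj "/CN=short.example" >/dev/null 2>&1

# Report with a 30-day warning window, an assumed but common renewal lead time.
for cert in "$WORKDIR/long.pem" "$WORKDIR/short.pem"; do
    printf '%s  notAfter=%s  status=%s\n' "$(basename "$cert")" \
        "$(cert_not_after "$cert")" "$(cert_status "$cert" 30)"
done
```

In production the loop would run over certificates fetched with fetch_site_cert for each hostname the site serves, and a "warn" or "expired" result would page someone; the point is that the warning fires before the browser's does.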
As Alguacil pointed out, it costs money to update SSL certificates. But any E-Commerce company that balks at the expense should consider the lost revenue resulting from inaction. “I can’t think of any sites that are more reliant on SSL certificates than E-Stores,” he said. “It’s something they need to keep in mind. Lapsed certificates will have a very direct effect, and the direct result on E-Stores is that they lose sales.”
February 12th, 2009 at 8:43 am
So online retailers lose some business, so what (like a snowstorm that keeps people home). My concern is with this statement “global enterprises sometimes fail to renew their sites’ SSL certificates. When they do, visitors are OFTEN presented with notices from their Web browsers telling them the sites are not verifiably secure for online transactions. ”
The word 'often' suggests 'not always', which suggests that sometimes people are conducting online transactions that aren't secure. Is that what was meant?
February 12th, 2009 at 6:42 pm
Lee, you are spot on. "Not always" means the browser is not keeping pace with technology and does not recognize expired CAs, or the site admin didn't bother or can't afford the CA's fee to update the certificate.
And yes, Mozilla might as well just launch a sign that says "take your money and run." Those dialogs are doing the right thing, warning that buyer beware.
On the user side: I am looking for safe, reliable online retailers that offer human customer service and support. Additionally, I want to see all the signs that my information is secure like a green url bar that shouts “extended validation certificate found here”
As far as the retailers go, if they can’t extend a trustworthy environment to process financial transactions they will suffer the consequences of abandoned shopping carts, if the buyer even goes that far into the site.