Report: SSL Certificates Invalid For 219,000 Sites

Written by Fred J. Aun
February 10th, 2009

It’s possible the Secure Sockets Layer (SSL) certificates for nearly a quarter-million Web sites are invalid. And, added a site performance specialist, if those sites are involved in E-Commerce their operators are surely losing sales.

Peter Alguacil, an analyst at site monitoring company Pingdom, noted even large, global enterprises sometimes fail to renew their sites’ SSL certificates. When they do, visitors are often presented with notices from their Web browsers telling them the sites are not verifiably secure for online transactions. Those customers take their credit cards and go elsewhere, Alguacil said.

The Lost in Space robot’s effusive warnings pale in comparison to the red flags raised by some browsers upon encountering an invalid SSL certificate. “Firefox 3 displays a warning that is very discouraging,” Alguacil noted. “Basically, it looks like the page is broken. That will scare away visitors.”

According to Alguacil’s calculations, there are probably 219,000 sites with outdated SSL certificates. To reach that conclusion, he did a bit of math.

A new report from Netcraft says there are now a million Web sites with valid SSL certificates issued by trusted third parties. A 2007 study by Venafi determined that 18 percent of Fortune 1,000 sites had expired certificates, and Alguacil said there’s no reason to believe that ratio is true for all the Web.

“The 1 million sites that Netcraft listed did not include sites with expired SSL certificates,” Alguacil said.

“If 18 percent of the sites have expired SSL certificates, this means that 82 percent have valid SSL certificates. In other words, those 82 percent constitute the 1 million sites mentioned. Thus, the total number of SSL sites, counting both valid and expired SSL certificates, is something we can calculate.”

And that number, rounded a bit, is 219,000. Alguacil said he and his colleagues at Pingdom believe the 18 percent figure might be on the high side. But he noted that even half of 219,000 means “we still have more than 100,000 Web sites that have some expired SSL certificates.”

Although, as documented on Pingdom’s Web site, major online entities including Google and Yahoo have allowed their certificates to lapse on occasion, Alguacil said keeping on top of the situation “is not really difficult” and should be one of the routine functions of Webmasters or systems administrators.

As Alguacil pointed out, it costs money to update SSL certificates. But any E-Commerce company that balks at the expense should consider the lost revenue resulting from inaction. “I can’t think of any sites that are more reliant on SSL certificates than E-Stores,” he said. “It’s something they need to keep in mind. Lapsed certificates will have a very direct effect, and the direct result on E-Stores is that they lose sales.”

2 Comments

  1. Lee Says:

    So online retailers lose some business, so what (like a snowstorm that keeps people home). My concern is with this statement: “global enterprises sometimes fail to renew their sites’ SSL certificates. When they do, visitors are OFTEN presented with notices from their Web browsers telling them the sites are not verifiably secure for online transactions.”
    The word ‘often’ suggests ‘not always’, which suggests that sometimes people are conducting online transactions that aren’t secure. Is that what was meant?

  2. Devon March Says:

    Lee, you are spot on. “Not always” means the browser is not keeping pace with technology and does not recognize expired CA’s, or the site admin didn’t bother or can’t afford the CA’s fee to update the certificate.

    And yes, Mozilla might as well just launch a sign that says “take your money and run”; those dialogues are doing the right thing, warning that buyer beware.

    On the user side: I am looking for safe, reliable online retailers that offer human customer service and support. Additionally, I want to see all the signs that my information is secure, like a green URL bar that shouts “extended validation certificate found here”.

    As far as the retailers go, if they can’t extend a trustworthy environment to process financial transactions, they will suffer the consequences of abandoned shopping carts, if the buyer even goes that far into the site.

