SSL Survey

Netcraft’s SSL Survey examines the use of encrypted transactions on the Web through extensive automated exploration of the internet. Each month it provides timely answers to questions such as:

  • How many companies are doing encrypted transactions over the internet?
  • How many more companies are using SSL compared to the previous 12 months?
  • Where are they?
  • Whose server software do they use?
  • Which authority do they obtain their certificates from and how much did it cost?
  • How many are using Extended Validation?
  • Which hosting providers hosts their servers?
  • What size and type of public keys are they using?
  • How many SSL sites are using Server Name Identification (SNI), SPDY, OCSP Stapling, or Perfect Forward Secrecy?

Who should buy it?

  • Certificate authorities
  • Server and hardware accelerator vendors
  • Web hosting companies
  • Banks and financial institutions
  • Software vendors developing for the electronic commerce market
  • Brokerages, venture capitalists, and fund management firms investing in these companies
  • Legislators, Government officials, the Military, and Privacy groups
  • Anyone tracking the growth of ecommerce and encrypted communications on the internet
Certificates Authority Share, May 2013

In May 2013, more than one third of all trusted SSL certificates were issued by the market leader, Symantec. Go Daddy and Comodo were in second and third place in May 2013: Go Daddy with 29% of the market and Comodo with 15%. GlobalSign was the fourth largest CA, but it is significantly smaller than the largest three — it has issued 5% of the SSL certificates valid in May 2013.

Operating system share for SSL sites, to May 2013

As of May 2013, Linux was the most common operating system used to serve SSL sites but it does not hold a majority. Microsoft Windows trails Linux by a couple of percentage points, though its usage amongst SSL sites is significantly greater than on the internet as a whole where it is used by less than 20% of web sites.

OCSP Stapling amongst SSL sites, in May 2013

In May 2013, just over 21% of SSL certificates were served over a connection which included a stapled OCSP response. If an OCSP response is stapled to the TLS connection by the SSL web server the browser need not make a separate and time consuming request to the CA’s OCSP responder to check the revocation status of the SSL certificate. The vast majority, more than 90%, of SSL sites stapling an OCSP response are using Microsoft IIS.

Perfect Forward Secrecy, in August 2013

Perfect Forward Secrecy (PFS) provides a defence against the compromise of the private key corresponding to an SSL certificate. If an SSL web server uses a PFS cipher suite, the secret keys used to encrypt historical TLS sessions are not revealed even if the long-term private key is compromised. In the news in 2013, usage of PFS in August 2013 was not particularly widespread: around one third of SSL sites negotiated a cipher suite with the PFS property and a further 28% of SSL servers are capable of PFS, but actively avoid using PFS cipher suites.

Key length breakdown per CA, in May 2013

In May 2013, the majority of SSL certificates are using 2048-bit public keys, as per the NIST and CA/B forum recommendations. The distribution of key lengths, however, varies significantly between different CAs. For example, in May 2013, StartCom had issued no certificates with an RSA public key shorter than 2048-bits and almost 20% are 4096-bits long, more than any other major CA. Trustwave had the largest remaining share of certificates shorter than 2048-bits, with more than 20% of its certificates in May 2013 being 1024-bits long.

What do I get?

Access to a monthly updated analysis and dataset on our subscription access site. There is a sample pageset produced using the May 2013 data which is available on request.

The analysis includes:

  • Noteworthy highlights and related news
  • SSL server market share: by server, by vendor, by operating system.
  • Certificate Authority market share
  • Breakdown of certificate types in two dimensions: assurance level (domain, organisation, or extended validation) and class (standard, wildcard, or multi-domain)
  • Certificate pricing and monthly estimated revenue for major CAs based on observed certificates
  • Intermediate certificates: number of leaf certificates using each and the corresponding root CA
  • Top hosting providers of SSL sites
  • Geographical analysis: per-country (both subject country and hosting country) certificate authority, hosting provider, server, and operating system share
  • Analysis of technical trends for SSL server software: SPDY, OCSP Stapling, SNI, and Perfect Forward Secrecy
  • Public key length per-CA and an analysis by certificate authority share within each key length range
  • Detailed timeline trends including historical data for the past 3 years

What does it cost?

An annual subscription for an individual is £1200 (or approx. $1950 US). Licences for companies and certificate authorities are also available. For additional information or details on how to order please contact us at