The SSL/TLS protocol — used to protect sensitive communication across the internet — combines encryption with authentication, providing a private connection to the intended recipient. To achieve this, SSL certificates bind together a cryptographic key and a domain name, and are digitally-signed by a trusted certificate authority (CA). Commercial CAs compete to sell certificates to the general public and account for the bulk of the SSL certificates seen on the internet.
Netcraft’s SSL Server Survey has been running since 1996 and has tracked the evolution of this marketplace from its inception — there are now more than one thousand times more certificates on the web now than in 1996. As CAs issue certificates, and most charge (or not charge) accordingly, the number of certificates issued becomes the natural unit of measurement. Our survey therefore counts valid, trusted SSL certificates used on public-facing web servers, counting each certificate once, even if used on multiple websites.
As well as providing a summary analysis, Netcraft can produce bespoke datasets containing individual certificates, with the option of a wide variety of filtering options to produce a certificate list tailored to the intended purpose of the data. The data provided by Netcraft on SSL certificates will be essential to the running of a competitive certificate authority, and will be relevant to a whole host of companies and individuals with an interest in the state of TLS on the internet today and historically, including hardware & software vendors, web hosting companies, SSL certificate resellers, governments, and venture capitalists.
The results of the monthly SSL survey are presented on a detailed web site, providing news and analysis of the SSL certificate marketplace and the state of TLS usage on the public internet. The analysis includes:
- Noteworthy highlights and related news
- SSL server market share: by server, by vendor, by operating system
- Certificate Authority market share
- Breakdown of certificate types across two dimensions: assurance level (domain-validated, organisation-validated, or Extended Validation) and class (standard, wildcard, or multi-domain [SAN/UCC])
- Certificate pricing and monthly estimated revenue for major CAs based on observed certificates
- Intermediate certificates: number of leaf certificates using each and the corresponding root CA
- Top hosting providers of SSL sites
- Geographical analysis: per-country (both subject country and hosting country) and per-region breakdowns by certificate authority, hosting provider, server, and operating system share.
- Analysis of the state of TLS servers: reviewing support for SPDY & HTTP 2, SSL/TLS protocol version, OCSP Stapling, SNI, and Perfect Forward Secrecy
- Public key type (RSA and ECDSA), strength (in RSA-equivalent terms), and signature algorithm (MD5, SHA-1, SHA-2), including a countdown to relevant support deadlines
- Detailed timeline trends including historical data for the past 3 years
Beyond counting certificate numbers, Netcraft’s SSL Survey also tracks the list and reseller prices of the most popular certificate authorities. This provides another useful market share metric, as it allows us to estimate the total monthly and annual revenue of each certificate authority attributable to public SSL issuance.
As each type of certificate — multi-domain, wildcard, or Extended Validation for example — is available at a distinct price point, the estimated revenue of a CA can vary significantly, despite initially appearing similarly sized by the total number of certificates.
January 2015 sample
The sample contains the complete web site as generated in January 2015 and includes all of the analysis and news we released to our customers. Please email email@example.com to request access to the January 2015 sample web site.
Certificate authority market share, January 2015
In January 2015, just under a third of all SSL certificates were issued by Symantec, with the second-place CA, GoDaddy, trailing by just under 10 percentage points. The overall market is concentrated in the top three CAs, accounting for more than three-quarters of all SSL certificates in use on the internet.
Per-CA split of assurance type, January 2015
Certificate authorities typically sell certificates in three broad categories of assurance: domain-validated certificates simply validate control over a domain name; organisation-validated certificates include the identity of the organisation; and Extended Validation certificates increase the level of identity checking done to meet a recognised industry standard.
The chart below shows the individual split between DV, OV, and EV certificates for each major certificate authority group. Many CA groups will split out the different assurance categories into several brands with some focused on the large-scale but cheaper DV market, and have other brands targeted at enterprises searching for high-value EV certificates.
Domain-validated certificates account for just under 70% of all certificates, EV accounts for under 5%, with the remainder being organisation-validated. This overall split varies by certificate authorities, sometimes significantly — with some CAs, such as DigiCert and Verizon Business not offering domain-validated certificates at all, to GoDaddy where almost all of its certificates are domain-validated.
Signature algorithms, January 2015
Digital signatures rely on a cryptographic hashing algorithm like MD5, SHA-1, or a member of the SHA-2 family to produce a digest of the content being signed. This digest is then signed using a public key algorithm (most often RSA or ECDSA in most TLS use cases) and is used to verify that the certificate was actually issued by a trusted certificate authority. If it possible to either find a collision, or conduct a pre-image attack, the hashing algorithm is no longer secure enough for SSL certificates.
Both MD5 and SHA-1 are now considered insecure and should be replaced with SHA-2. MD5 has already been banned from usage in SSL certificates, and SHA-1 is facing a rapid deprecation, with Microsoft and Google aiming to phase out its usage by 2017.
As of January 2015, SHA-1 remains the predominant signature algorithm used in SSL certificates, though SHA-2 will overtake SHA-1 in May 2015. The migration only really ramped up in January 2014, which correlates with NIST’s ban of SHA-1 in digital signature generation after December 31st 2013.
Supported protocol versions, January 2015
The SSL protocol was designed by Netscape in the mid 1990s and was first released to the public as SSL 2 in February 1995. It was quickly replaced by SSL 3 in 1996 after serious security flaws were discovered. SSL 3 was replaced by the IETF-defined Transport Layer Security (TLS) version 1.0 in January 1999 with relatively few changes. Since TLS 1′s release, TLS 1.1 and TLS 1.2 have succeeded it and should be used in its place wherever possible.
SSLv3 is affected by several protocol-level vulnerabilities, including POODLE, which have made the move to newer versions of TLS all the more urgent. The PCI Security Standards Council, charged with defining network security standards for those processing credit card details, have declared that after 30th June 2016 TLS 1.1 or higher will be required for secure transactions.
As of January 2015, SSL version 3 remains well supported, being an option for just less than 60% of SSL certificates found. Less than 2% of all certificates were exclusively served from web servers that only supported TLS 1.0 or higher.
Certificate authority revenue, September 2014
By using the list price of different certificate types, Netcraft derives a monthly revenue estimate based on the types and number of publicly-visible SSL certificates issued by each CA. Using this technique increases the effective market share of those certificate authorities selling fewer, but more expensive, certificates, and reduces that of those selling large numbers of cheaper (or free) domain-validated certificates.
An alternative version of this analysis is available calculated with pricing from an indicative reseller — these prices are often much lower than list price and are more likely to be closer to the actual amount of revenue gained.
The market share of Symantec is boosted to over 40%, reflecting its breakdown of certificate types as demonstrated in the assurance breakdown chart above. Of particular note is GlobalSign, where its market share by revenue places it in third place with almost 17% share, compared to its forth place position (6%) when simply counting certificates.
An annual subscription for an individual is £1,200 (or approx. $1,950 US). Licences for companies and certificate authorities are also available. For additional information or details on how to order please contact us at firstname.lastname@example.org. There is a sample pageset produced using the January 2015 data which is available on request.