Some SSL Statistics

A few months ago NetCraft reported that 600,000 web sites are secured with SSL certificates. Jonathan Nightingale, a Firefox user interface designer, comments on this:

I’m not sure why, but when I tell people this (people, that is, who have any hope of being interested in such things; a small, biased, statistically indefensible sample,) they are surprised.  I think mostly they expect the number to be higher.  And in actual fact, it probably is, at least a little bit.  I am reasonably certain, without even looking into them, that Netcraft’s methods are more prone to type-2 errors - false negatives - than they are to false positives.  Nevertheless, it’s probably the right order of magnitude.  There are almost certainly less than a million, for instance.

Another interesting statistic from Venafi shows what people do when they encounter a security error or expired SSL certificate in their browser.

Venafi on security alerts

91% of users browsing the internet have seen a security alert. So what do people do when they see these security alerts? From the results of this survey, about half of them continue and about half of them abandon the site. You would think that more people would be scared away from such security alerts but many people place great trust in their browser.

Another statistic shows the number of expired SSL certificates found on Fortune 1000 companies websites:

18% is surprisingly high. Expecting this number to decrease, Jonathan says, "IE7, Firefox 3, and possibly other browsers are taking harsher stances on bad SSL, it will be interesting to watch this stat."

When asked what they think when they see security messages in their browsers, users responded:

When confronted with a security dialog, users’ mental models of what’s happening fall into three dominant groups: Web Glitch (24%), Active Attack (40%), and Uncertainty/Confusion (32%).  Far behind the pack, in last place among the options mentioned, is that there is something wrong with the browser (4%).

If I may be permitted one iota of conclusion-drawing from this otherwise narrative-free post, I would submit this: our users, though they may be confused, have an almost shocking confidence in their browsers. We owe it to them to maintain and improve upon that, but we should take some solace from the fact that the sites which play fast and loose with security, not the browsers that act as messengers of that fact, really are the ones that catch the blame.

SSL Infoporn - [meandering wildly]

Originally posted on Sun Aug 26, 2007