Report: SSL Certificates Invalid For 219,000 Sites

It's possible that the Secure Sockets Layer (SSL) certificates for nearly a quarter-million Web sites are invalid. And, added a site performance specialist, if those sites are involved in E-Commerce, their operators are surely losing sales.

Peter Alguacil, an analyst at site monitoring company Pingdom, noted that even large, global enterprises sometimes fail to renew their sites' SSL certificates. When that happens, visitors are often presented with notices from their Web browsers telling them the sites are not verifiably secure for online transactions. Those customers take their credit cards and go elsewhere, Alguacil said.

The Lost in Space robot's effusive warnings pale in comparison to the red flags raised by some browsers upon encountering an invalid SSL certificate. "Firefox 3 displays a warning that is very discouraging," Alguacil noted. "Basically, it looks like the page is broken. That will scare away visitors."

According to Alguacil's calculations, there are probably 219,000 sites with outdated SSL certificates. To reach that conclusion, he did a bit of math.

A new report from Netcraft says there are now a million Web sites with valid SSL certificates issued by trusted third parties. A 2007 study by Venafi determined that 18 percent of Fortune 1,000 sites had expired certificates, and Alguacil said there's no reason to believe that ratio is true for all the Web.

"The 1 million sites that Netcraft listed did not include sites with expired SSL certificates," Alguacil said. "If 18 percent of the sites have expired SSL certificates, this means that 82 percent have valid SSL certificates. In other words, those 82 percent constitute the 1 million sites mentioned. Thus, the total number of SSL sites, counting both valid and expired SSL certificates, is something we can calculate." And the number of sites with expired certificates, rounded a bit, is 219,000. Alguacil said he and his colleagues at Pingdom believe the 18 percent figure might be on the high side. But he noted that even half of 219,000 means "we still have more than 100,000 Web sites that have some expired SSL certificates."

Although, as documented on Pingdom's Web site, major online entities including Google and Yahoo have allowed their certificates to lapse on occasion, Alguacil said keeping on top of the situation "is not really difficult" and should be one of the routine functions of Webmasters or systems administrators.

As Alguacil pointed out, it costs money to update SSL certificates. But any E-Commerce company that balks at the expense should consider the lost revenue resulting from inaction. "I can't think of any sites that are more reliant on SSL certificates than E-Stores," he said. "It's something they need to keep in mind. Lapsed certificates will have a very direct effect, and the direct result on E-Stores is that they lose sales."