Are there 219,000 websites with expired SSL certificates?

This week Netcraft reported that there are now 1 million websites with valid SSL certificates on the Web. Only certificates issued by trusted third parties were included in this number.
In a study by Venafi from 2007 (referenced here), 18% of the Fortune 1000 websites had expired SSL certificates. If that ratio still holds true, and holds true for the rest of the Web as well, it means that in addition to the 1 million websites with valid SSL certificates there are 219,000 websites with expired SSL certificates.
Even the big guys have on occasion forgotten to keep their SSL certificates up to date. Both Google and Yahoo have had incidents with expired SSL certificates.
18% sounds a bit high to us, but even if we cut the number in half we still end up with more than 100,000 websites that have expired (i.e. invalid) SSL certificates. That’s a lot.

Web browser warnings will scare site visitors away

Considering how strictly new browsers handle invalid or self-signed SSL certificates, (we wrote a widely discussed post about this a while back), this is definitely something to keep in mind if you have a website that makes use of SSL (for example to secure a shopping form or login function).
To keep a long story short: Make sure your SSL certificate is kept up to date or you will see a significant amount of visitors simply flee your site when their browser starts to show warning messages that your site isn’t to be trusted.
Image from the Crystal project.


  1. At Trustwave we have tools to automatically scan for and install certificates. The interesting thing we have seen recently is a renewed desire to understand and better manage the pki environment as a whole. The implications of the Kaminsky (DNS ) findings, the rapidssl md5 hole and the Comodo DV reseseller issues have really driven enterprises towards implementing a better system for managing their in flight data.
    Times are interesting in the SSL world.

  2. For the top 1M sites (according to Alexa), I encountered 57,293 expired certificates vs. 214,035 valid certs. 382,860 of those sites responded to an SSL handshake at all. So you could call that 5.7% (of the top 1M sites), 21% (expired / (expired + valid)), or 14.9% (expired/total certs) depending mostly on what your agenda was. 🙂
    I’d love to see others perform similar analysis though, I have made the code and the crawler data available as an SQLite file here:

  3. The numbers are interesting – not high at all in my mind. I have run into several expired certs and the “scary” web browser warnings. I have also run into more “green url bars” denoting an upgrade to Extended Validation SSL Certificates. Thank goodness.
    I need more security these days – especially with my personal/financial information on the internet.

  4. I agree with W. Wilkins. Phishing seems to be on the rise amidst this economic turnmoil, but at the same time, it is becoming standard that more people are sharing more sensitive and personal information online.
    This is a double-edged sword and EV SSL seems to dull both sides of the blade.
    I always look for the green URL bars first – because it’s so easy – and then continue scanning for other security indicators like the padlock, https, and other signs of credibility.

Leave a Reply

Comments are moderated and not published in real time. All comments that are not related to the post will be removed.required