SSL Statistics and Why Security Matters so Much
We want to do everything online – from paying our taxes to ordering washing detergent with just the press of a button. However, this usually entails sharing some type of personal information.
Which leads us to the question:
How secure is the internet?
This is where Secure Sockets Layer (SSL) Certificates and SSL stats come into play. Created in the mid-1990s, digital certificates ensure the confidentiality, authenticity, integrity, and non-repudiation of online communication across the web.
But there’s a catch:
They weren’t compulsory. Not until recently, anyway. The good news is more and more browsers, including the big players Google Chrome and Mozilla, are putting in the effort to restrict uncertified sites as much as they can. And the results are obvious – the internet is more encrypted than ever.
At Hosting Tribunal, we’ve collected these jaw-dropping stats to show you just how important certificates are in the online world. Spoiler alert – the numbers are huge!
Here is a taste of what’s to come:
Incredible SSL Certificate Statistics For 2019
- BuitlWith detects 85,167,054 SSL certificates on the internet.
- Nearly 21% of the Alexa Top 100,000 websites still don’t use HTTPS.
- 6.8% of the top 100,000 sites still support SSL 2.0 and SSL 3.0.
- In May 2019, 84.2% of pages loaded in Chrome, on all platforms, are over HTTPS.
- 90.2% of the browsing time on Chrome is spent on HTTPS pages.
- 32.6% of sites have inadequate security.
- 68% of websites still support TLS 1.0.
- 95.77% of all certificates on the internet are issued by just 9 authorities.
- 1 in 10 URLs is malicious.
That’s impressive, isn’t it? Now let’s dive head-first into the stats.
Fascinating SSL Facts
We’ll start with some of the most fascinating stats, so hold on to your hats.
BuitlWith has detected 85,167,054 SSL certificates on the entire internet.
There were 1,946,522 detected certificates in the top most visited 1 million sites. In the top 100,000, there were 279,978 detections, and a further 37,008 detections in the top 10,000. Most certificates were detected in US sites – 29,875,389, followed by Germany with 2,868,892 and the UK with 1,831,756.
However, this in no way means that the entire internet is secure and encrypted. Far from it, in fact.
Nearly 21% of the Alexa Top 100,000 websites still don’t use HTTPS.
According to Watchguard’s Q3 of 2018 Internet Security Report, 20,911 of the top 100,000 sites are still going through the not-secured HTTP. Sharing plaintext via port 80, instead of connecting securely via port 443, should not be an option for a self-respecting site owner. Not according to today’s standards, at least.
Although 20%+ is a portion that should not be neglected, the good news is that things are slowly moving towards a fully encrypted internet. As far as HTTPS usage stats go, 79% adoption is not a bad number.
6.8% of the top 100,000 sites still support SSL 2.0 and SSL 3.0.
Another interesting take from the report is the portion of sites still supporting SSL 2.0 and SSL 3.0. Despite calls from a number of different industry and regulatory bodies to ditch these versions, 6.8% of the top 100,000 sites still support them.
With TLS 1.3 already available and widely deployed, this stat comes as a surprise. The time of SSL 2.0 and SSL 3.0 is long gone, and relying on them for encryption can only leave your site vulnerable to threats.
In May 2019, 84.2% of pages loaded in Chrome, on all platforms, are over HTTPS.
(Source: Google’s Transparency Report)
Google has been gathering HTTPS stats since 2015 thanks to users who altruistically enough click on “Yes” when asked if they would like to share their browsing data. 84.2% is the average across all platforms from May 11, 2019.
This is huge.
Back in April 2015, the average was a lowly 40%. The percentage has doubled since Google started collecting the data.
The figure varies across different platforms, but the average is above 80%. Only Linux is falling behind with 71%. Chromecast and Mac are the platforms with the highest percentage, both reaching over 90% of HTTPS loaded pages.
90.2% of the browsing time on Chrome is spent on HTTPS pages.
(Source: Google’s Transparency Report)
As with the previous stat, this is the average of browsing time across all platforms that support Chrome. We can see that it is higher than the percentage for loaded pages. Clearly, people are more likely to leave the site straight away if they find out it’s not secure.
The difference between platforms is even smaller here. Again, Chromecast and Mac are the leaders with 95 and 93% respectively. Linux is last with 87%, but it comes really close to Android with 88%.
70.8% of the unencrypted user traffic to Google comes from mobile devices.
(Souce: Google’s Transparency Report)
The reason is that some older devices cannot support modern encryption, standards, or protocols. Sadly, plenty don’t have software updates either, which means it’s almost impossible for them to support encryption.
32.6% of sites have inadequate security, according to SSL Labs.
SSL Pulse is a project created to continuously gather SSL and TLS stats from 150,000 websites, based on Alexa’s list of most popular sites in the world. The last published survey was carried out on May 3, 2019, and included 139,869 sites.
According to the survey, 32.6% (or 45,532 sites) of websites have inadequate security. The majority, or 52.3%, received a grade A. Another 14.9% of the surveyed sites deserved a grade A+, which means they have full encryption and are completely secure. A mere 0.3%, or 422 sites, were awarded grade A-.
68% of websites still support TLS 1.0.
The current version is TLS 1.3. According to most experts, the best practice is not to support SSL 2.0 and SSL 3.0, which are considered unsecure and susceptible to known exploits like POODLE and DROWN. The same fate awaits TLS 1.0, which is already quite outdated. Both TLS 1.0 and TLS 1.1 are expected to be discontinued by 2021.
In fact, the Payment Card Industry Security Standards Council (PCI SSC) required ecommerce site owners to disable TLS 1.0 by June 30, 2018.
Going back to current SSL statistics, 68% of surveyed websites still support TLS 1.0, 1.9% still support SSL 2.0, and 7.6% keep SSL 3.0 protocols. In addition, 77.4% also use TLS 1.1. TLS 1.2 is the most used, with 95.2% of websites supporting it. As of May 2019, only 14.2% support TLS 1.3, which should change in the recent future.
In case you’re wondering:
The percentages add up to more than 100, since many sites support several types of protocols. In and of itself, this is a cause for concern.
SSL Certificate Authorities Stats
It’s important to support encryption, but that’s not all. It’s just as vital who guarantees the validity of your certificates. With that in mind, let’s look at some stats about certificate authorities.
Let’s Encrypt is the most popular authority with 58.21% of all issued certificates.
Let’s Encrypt is a clear winner when it comes to SSL usage statistics. As of May 2019, the authority supports over 169 million fully-qualified active domains. What’s more, it’s responsible for 98,072 million active certificates and over 51 million active registered domains.
CloudFare is second with more than 41 million issued certificates or 12.21% of all SSL certificates. They’re followed by cPanel with 9.53% and DigiCert with 4.46%. Sectigo and GoDaddy.com are next with 3.15% and 2.43% respectively.
On August 10, 2018, Let’s Encrypt issued a record 1,566 million certificates.
The second best day was September 19, 2018, with 1,4 million issued certificates.
To put it in perspective, on January 2, 2015, the Authority issued just 5,712 certificates.
The popularity of Let’s Encrypt lies in the fact that the service is free. The goal is to make the internet a more secure place. The process is automated and the platform is open source, making it easily accessible.
95.77% of all certificates on the internet are issued by just 9 authorities.
All other certificate authorities have a market presence of less than 1%. Guess when it comes to encryption, trust is everything. These 9 authorities have proven themselves to be trustworthy and reliable.
Perhaps somewhat surprisingly, Amazon outside the top 9 with 0.84% of all issued certificates.
SSL Certificates Market
As browsers continue to push for total encryption, the SSL certificates market is expected to grow rapidly. Here are some Secure Socket Layer statistics to prove that.
The Certificate Authority market is expected to reach $114 million in 2024.
According to the cited report by Zion Market Research, Certificate Authority market value was around $57 million in 2017. Remarkably, it’s expected to double by 2024, growing at a CAGR of a little above 10.18%. And this is despite the emergence of free certificate authorities such as Let’s Encrypt.
The total number of certificates increased by more than 13.2 million between June 2017 and June 2018.
This represented an astonishing 68% year-over-year growth. While Domain Validation (DV) comprised the majority or 80%, Extended Validation (EV) also grew by an impressive 21.1%.
Now, DV still dominates the market, representing 94.30% of all certificates. Organization Validations (OV) are 5% and EV are just 0.70%. However, the numbers change when we look at the share of traffic by certificate type. 49% of all the traffic goes through sites with OV, 37.9% through sites with DV, and 13.2% through sites with EV.
IdenTrust has a market share of 49.9% for paid SSL Certificate services.
Let’s Encrypt is the most popular authority with the biggest number of active certificates and most widespread usage. But when it comes to paid services, SSL statistics for 2019 say the clear leader is IdenTrust with a whopping market share of 49.9% as of May 16, 2019. Sectigo (the former COMODO CA) is second with a share of 26%, followed by DigiCert Group with 12.5%.
According to a w3techs survey, IdenTrust is used by 34.2% of all websites, amounting to a market share of 49.9%. Which means that there are websites that do not use any encryption at all – 11.6% to be precise.
And there’s more:
17.9% of the websites included in the survey had invalid domains, 1.6% had an expired certificate, 0.2% had a certificate issued by unrecognized authority, and 0.1% had a self-signed certificate.
State Of SSL Implementation In 2019
We’re probably not gonna reach the “totally encrypted web” promised land this year, but we’ll get pretty close. Let’s see what the numbers suggest.
TLS 1.3 will experience a growth of over 30% by the end of 2019.
(Source: CA Security Council)
TLS 1.3 is supported by Firefox versions 53 to 63 and Chrome versions 56 to 70. At the same time, Chrome and Firefox handle between 60 and 80% of all browser usage. Large CDNs also support the latest TLS version.
But that’s not all:
The latest stats provided by Netcraft say that TLS 1.3 is supported by 6.5% of servers and is growing by close to 1 million sites per month. Combine all this information and you will see that 30% is a moderately constructed prediction at best.
Over 90% of the world’s HTTP traffic will be secured over SSL/TLS by the end of 2019.
(Source: CA Security Council)
More and more SSL stats suggest that we’re getting closer to a 100% encrypted web. Browsers with a huge market presence, such as Chrome and Firefox, are truly putting in the effort to get us there as fast as possible. However, divergent UI policies will probably delay the whole process and cause users to suffer in the meantime.
97% of all traffic to Google in India is encrypted.
(Source: Google’s Transparency Report)
India shares the first place with the UK and Japan. The next group of countries, where 95% of all traffic to Google is encrypted, consists of Indonesia, Mexico, and Brazil. They’re followed by France with 92%, and Russia and the US, where 91% of traffic is encrypted.
90% of pages loaded in Chrome in the US are over HTTPS in May 2019.
(Source: Google’s Transparency Report)
In comparison, 4 years ago it was only 45% of pages. The rising trend is clearly noticeable among all countries included in the report. Germany is second with 89%, rising from 35% 4 years ago. France is next with 88% of pages loaded over HTTPS, followed by Russia and Mexico with 82%.
HTTPS usage stats about other browsers show the same uptrend. 78% of all pages loaded in Firefox are over HTTPS.
How Important Is Encryption?
Everyone’s talking about encryption and data protection, and this shows in the users’ preferences. Here are some numbers to ponder over.
85% of online shoppers avoid unsecure websites.
What with all the fuss about data security, online shoppers are becoming pickier – and rightly so!
What’s more, browsers are constantly looking for ways to make security details about a website visible to the end user. We’ve all noticed the padlock in front of the URL, which signifies that the website is secure and any information shared over it will be encrypted. In addition, there is the Green Address Bar function for websites with an EV SSL certificate.
1 in 10 URLs is still malicious in 2019.
This stat is featured in Symantec’s Internet Security Threat Report 2019. Another interesting take from the report is the huge number of detected formjacking. This is when attackers load malicious code onto retailers’ websites to steal shoppers’ credit card details.
On average, more than 48,000 unique websites are compromised each year.
Google has been using HTTPS as a ranking signal since 2014.
In order to optimize a site and make it rank higher, you absolutely have to use encryption. While this had little influence on your overall score at first, Google has stepped up its game in recent years.
With its open call for a totally encrypted web, the search giant is putting more stress on the importance of secure connection. That’s why SSL certificates have become a must for every site owner relying on Google for traffic.
SSL/TLS encryption has become the norm. Users want to be sure that any information they share on the web is secure, and developers are willing to provide.
Given that free SSL certificates are readily available, you have no excuse for failing to encrypt your website. And with the combined efforts of tech giants, a totally encrypted internet could become a reality pretty soon.
Hope you’ve enjoyed these incredible SSL stats!
Until next time!