SSL trends: New findings on web security and SSL certificate usage

Hylke van der Veen
  • 6 months ago
  • 4 min read

In a previous blog, we discussed the basics of the TLS protocol, also known as SSL. Since then, has released an entire new product, the SSL Catalog, which adds searchable structured SSL certificate data to our database. Additionally, the SSL certificate detection methods have improved, creating even more accurate results. In this blog, we show you how SSL data can help create a more profound understanding of how secure the web is.

Before this improvement, we simply determined whether a website had an SSL certificate or not. But we can now distinguish between three possible values for the SSL certificate: valid, invalid, and none. The introduction of these new values has resulted in a distinction being made between websites that possess an invalid certificate and those that do not possess one at all, whereas previously, these websites were grouped under the designation 'No.'

Despite there being no difference between visiting a website with an invalid SSL certificate or no certificate at all, this information is relevant for certificate issuer organizations or hosting services looking to get more insights into their customers' security.

SSL certificates for inaccessible websites

We can now also detect certificates for websites that redirect to other websites or cannot be accessed by our spider. Despite the inability to access such websites in a browser, just attempting to go to the website can unknowingly establish a connection with the server. That is why it is always important to know whether the connection is secure.

The first figure shows that out of the 142 million websites analyzed, 63% of them had a valid certificate. Although this number is down from September 2022, when 65% of sites displayed a valid certificate, we should keep in mind that we've further enhanced our capabilities and now detect certificates on a broader range of sites.

To make a fair comparison between September 2022 and November 2023, we only look at available websites in both graphs. We see an 8% increase from September 2022, with over 73% of available websites now being protected by a certificate.

Figure 2 also shows that websites that our spiders cannot access are significantly less likely to be protected by a valid SSL certificate than websites that return an available response or redirect.

How SSL certificate data is useful

This extended SSL information can be used in a wide range of cases. For example, if we compare the use of SSL certificates of generic Top Level Domains (gTLDs) to that of new generic Top Level Domains (new gTLDs), some interesting statistics emerge.

In Figure 3, we see significantly more websites with a gTLD have a valid SSL certificate compared to websites with a new gTLD, 62% vs. 48%. But although the difference is clear, this does not offer an explanation as to where this difference comes from. To find out why gTLDs are using SSL certificates more often than new gTLDs, we need to dive deeper and look at individual TLDs.

Figure 4 illustrates the use of SSL certificates for the 33 largest TLDs among generic (shown on top) and new generic ones. There are massive differences in the usage of SSL certificates between these TLDs; coverage ranges from 13.1% for .icu domains to 95.5% for .bond domains. This difference can largely be explained by the types of websites associated with each TLD.

Not all TLDs are used equally

For example, .bond is aimed at the financial world. It is marketed as a premium TLD for financial professionals who want to make a trustworthy impression on their clients. According to our data, business websites are already among the most protected websites, with 86.5% having a valid SSL certificate. Considering that financial businesses rely on an image of security and trustworthiness, it makes sense that so many .bond websites are protected by SSL.

At the bottom of the chart, we find the TLD .icu, which is Internet slang for “I see you”. Interestingly, both .icu and .bond are owned by the same registry, ShortDot. Our data shows over 70% of available .icu websites are low-content or placeholder websites, which could explain the low percentage of websites with a valid certificate. On the other hand, TLDs like .today and .blog, which have a high rate of SSL certificates, cater to types of websites with frequent updates and much interaction from their visitors, thus incentivizing security.

Perhaps unsurprisingly, the original gTLDs are more in the center of the certificate distributions, with anywhere between 45% and 62% with valid certificates. These TLDs are well-established and popular, and are therefore less prone to large outliers. The reason then that original gTLDs are seemingly more secure is because the gTLD with the most valid SSL certificates is .com. By far the largest TLD, .com covers nearly half of all domains worldwide and more than 80% of all domains with a gTLD, therefore heavily influencing the number of valid SSL certificates in its group.

Use of SSL certificates increases

While general trends point towards an increase in SSL certificate adoption, the real story lies in the noticeable contrasts between domains. Certain TLDs, like .bond, demonstrate a strong commitment to security, reflecting the industry's need for trustworthiness.

In contrast, other domains such as .icu show less inclination towards SSL certificates, often hosting content-light or placeholder sites. This exploration not only highlights the critical role of SSL certificates in web trust and security, but also vividly illustrates how the nature of a TLD can significantly shape its security profile. Established domains like .com are still at the forefront of digital trust.

Subscribe to our newsletter to stay in the loop about the latest insights and developments around web data.


Related Recipes