Fewer than 5 percent of secure Web sites are using "trusted" methods of protection, a new security survey says.
British Internet consultancy Netcraft is offering a for-fee monthly survey to show what kind of security software is protecting the Web. The survey uses automated software programs to find Web servers using encryption. Gathering publicly available information, it then digs deeper to show what kind of encryption is in use, how strong it is, and if the encryption is protected by a "digital certificate," often known as a "trusted third party."
A certificate is an electronic ID tag passed between a server and a browser that verifies the identity of parties involved in a transmission or transaction. To be trustworthy, certificates are issued by known "authorities," the largest of which is private security company VeriSign.
The Netcraft survey drew information from 281,002 servers with SSL (secure sockets layer) encryption. Fewer than 5 percent--13,732--of the encrypted sites are using valid third-party certificates, mostly from VeriSign. About 10 percent have issued certificates in their own names (akin to issuing yourself a driver's license), and the rest have certificates that don't match the domain names. The self-certification and the mismatched domains are not necessarily cause for alarm, however, according to Netcraft.
For example, when a certificate is issued, it is matched to a specific host domain. But many companies change their domain names and keep the same certificate. Another reason for the vast amount of mismatches could be Web-hosting services buying one certificate and using it across several domains, according to one Netcraft employee.
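As an added illustration (not Netcraft's crawler, which the article does not describe in detail), here is a small Python classifier that sorts an observed server certificate into the survey's buckets: issued by a trusted third party, issued in the server's own name, or not matching the host name; it also separates out an "untrusted issuer" case that the article folds into the rest. The certificate records, host names and the one-entry trust store are constructed placeholders.

```python
"""Sort observed TLS certificates into the survey's buckets (constructed example)."""
from dataclasses import dataclass


@dataclass
class Cert:
    subject_cn: str       # commonName in the Subject
    issuer_cn: str        # commonName of the issuer (self-signed when equal to subject)
    san_dns: list         # dNSName entries from subjectAltName, may be empty


def name_matches(hostname: str, pattern: str) -> bool:
    """RFC 6125 style: '*' only as the whole leftmost label, matching exactly one
    label, and with at least two fixed labels after it (so '*.com' never matches)."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat


def classify(hostname: str, cert: Cert, trusted_issuers: set) -> str:
    """Return 'self_signed', 'untrusted_issuer', 'name_mismatch' or 'valid'."""
    if cert.issuer_cn == cert.subject_cn:
        return "self_signed"            # issued in its own name
    if cert.issuer_cn not in trusted_issuers:
        return "untrusted_issuer"       # third party, but not one the trust store knows
    names = cert.san_dns or [cert.subject_cn]   # SAN wins; CN only as a fallback
    if not any(name_matches(hostname, n) for n in names):
        return "name_mismatch"          # e.g. renamed domain, or one cert reused across hosts
    return "valid"


def tally(observations, trusted_issuers: set) -> dict:
    """Count how many observed (hostname, cert) pairs fall into each bucket."""
    counts = {}
    for hostname, cert in observations:
        bucket = classify(hostname, cert, trusted_issuers)
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts


# Constructed sample of what a crawler might record; all names are placeholders.
TRUSTED = {"Example Root CA"}
SAMPLE = [
    ("shop.example.com", Cert("shop.example.com", "Example Root CA", ["shop.example.com"])),
    ("api.example.com", Cert("*.example.com", "Example Root CA", ["*.example.com"])),
    ("intranet.example.net", Cert("intranet.example.net", "intranet.example.net", [])),
    ("newname.example.org", Cert("oldname.example.org", "Example Root CA", [])),
    ("tenant.example-host.com", Cert("hosting.example-host.com", "Example Root CA", [])),
]
# tally(SAMPLE, TRUSTED) -> {'valid': 2, 'self_signed': 1, 'name_mismatch': 2}
```

The last two sample entries reproduce the two benign mismatch causes the article mentions (a renamed domain keeping its old certificate, and a hosting provider's certificate reused across customer domains), which is why an inventory should report the bucket rather than simply flag the host.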
Other points from the Netcraft survey are as follows:
Instead of conducting market research through phone calls and random sampling, Netcraft has designed a "crawler" program that asks as many sites as possible for information. The monthly secure server survey is available from Netcraft for about $1,980. The general survey is free of charge.