Few sites use trusted security

Fewer than 5 percent of secure Web sites are using "trusted" methods of protection, according to a new survey.

Fewer than 5 percent of secure Web sites are using "trusted" methods of protection, a new security survey says.

British Internet consultancy Netcraft is offering a for-fee monthly survey to show what kind of security software is protecting the Web. The survey uses automated software programs to find Web servers using encryption. Gathering publicly available information, it then digs deeper to show what kind of encryption is in use, how strong it is, and whether the encryption is backed by a "digital certificate" from what is often known as a "trusted third party."

A certificate is an electronic ID tag passed between a server and a browser that verifies the identity of parties involved in a transmission or transaction. To be trustworthy, certificates are issued by known "authorities," the largest of which is private security company VeriSign.

The Netcraft survey drew information from 281,002 servers with SSL (secure sockets layer) encryption. Fewer than 5 percent--13,732--of the encrypted sites are using valid third-party certificates, mostly from VeriSign. About 10 percent have issued certificates in their own names (akin to issuing yourself a driver's license), and the rest have certificates that don't match the domain names. The self-certification and the mismatched domains are not necessarily cause for alarm, however, according to Netcraft.

For example, when a certificate is issued, it is matched to a specific host domain. But many companies change their domain names and keep the same certificate. Another reason for the large number of mismatches could be Web-hosting services buying one certificate and using it across several domains, according to one Netcraft employee.

Other points from the Netcraft survey are as follows:

  • Microsoft has a slight overall lead in secure server market share. It leads with 27.5 percent, followed by Netscape Communications, which has three different products in the survey, with 26.4 percent; and C2Net, which adds encryption to the freely available Apache server and resells it, with 18.7 percent.

  • Using 40 bits as the dividing line between strong and weak encryption, the survey shows that about two-thirds of sites within North America have strong encryption. But practically every country outside North America has a greater number of sites with weak encryption, a signal that U.S. export laws stifle the spread of strong encryption beyond U.S. and Canadian borders, according to Netcraft. U.S. law requires software makers to apply for a government license in order to export encryption software that uses more than 40 bits. Industry groups and computer scientists have proven 40-bit encryption easy to crack, however.

  • The number of sites using any type of encryption is still relatively low. For its general Web server survey, Netcraft contacted 1.92 million Web sites.

Instead of conducting market research through phone calls and random sampling, Netcraft has designed a "crawler" program that asks as many sites as possible for information. The monthly secure server survey is available from Netcraft for about $1,980. The general survey is free of charge.