I read 500 SSL Certificates so You Don’t Need To


First things first: there is no such thing as an SSL certificate. There are X.509 digital certificates (a public key plus identity details, signed by an issuer) and the private keys that pair with them, and then there are the protocols that use them: SSL and, today, TLS. But I'm mentally unable to break the habit of calling them "SSL certs", so it made it into the title.

The goal was to grab the Alexa Top 500 and do a quick scan of their certs: validity length, time until expiration, issuers and so on. That plan failed when I realized Alexa only gives you the top 50 for free and charges for the rest. That made the Moz Top 500 the obvious fix, with a smooth CSV export to boot!

There's some duplication across the top 500 (list-manage.com and list-manage1.com, google.com and goo.gl). There are also different services from the same vendor (YouTube and Google, Microsoft and Bing). I made no effort to deduplicate either of these, my feeling being that they still reflect a large part of the internet and therefore carry the same weight.

So I set off on building a script to connect to each of the Top 500 and throw the results into a database. It worked pretty well for most of them; 76 didn't make the cut. I then turned off peer name (hostname) verification and got that down to 60. Turning off certificate chain verification entirely dropped that to 50. Those last two steps are fine for a survey, but they are exactly the checks that make TLS worth anything, so they should never be carried into production code.
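The three levels of verification described above, as an added example written for this page rather than the post's own script. It uses only the Python standard library: `make_context` builds the strict, hostname-check-off and verify-off contexts; `fetch_cert` does the live connection (assumed host names and port 443, not run offline); the parsing helpers work on the dict shape `ssl.SSLSocket.getpeercert()` returns. `SAMPLE_CERT` is a constructed dict in that shape, not a real certificate, and the issuer name in it is only illustrative. One caveat worth knowing: with chain verification off, the stdlib refuses to decode the certificate at all and returns `{}`, so you have to take the raw DER and decode it elsewhere.

```python
import socket
import ssl
import time
from typing import Optional


def make_context(tier: str = "strict") -> ssl.SSLContext:
    """Build a context for one of the three tiers used in the scan.

    strict      : system trust store, chain validated, hostname checked (default)
    no_hostname : chain still validated, name mismatch tolerated
    no_verify   : nothing validated; survey use only, never in production
    """
    ctx = ssl.create_default_context()
    if tier == "no_hostname":
        ctx.check_hostname = False
    elif tier == "no_verify":
        ctx.check_hostname = False        # must be cleared before verify_mode can change
        ctx.verify_mode = ssl.CERT_NONE
    elif tier != "strict":
        raise ValueError(f"unknown tier {tier!r}")
    return ctx


def fetch_cert(host: str, tier: str = "strict", port: int = 443, timeout: float = 5.0):
    """Connect to host:port and return the leaf certificate.

    For 'strict' and 'no_hostname' this is the decoded dict from getpeercert().
    For 'no_verify' the stdlib returns an empty dict (it only decodes certs it
    validated), so the raw DER bytes are returned instead for decoding with
    another tool, e.g. `openssl x509 -inform der -noout -text`.
    """
    ctx = make_context(tier)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        # server_hostname is passed in every tier so SNI is still sent; without
        # it many virtual-hosted sites serve a default cert or drop the handshake.
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert() or tls.getpeercert(binary_form=True)


def issuer_org(cert: dict) -> str:
    """organizationName of the issuer, from the nested RDN tuples getpeercert() returns."""
    for rdn in cert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "organizationName":
                return value
    return "unknown"


def validity_days(cert: dict) -> int:
    """Total lifetime notBefore..notAfter in whole days."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return round((end - start) / 86400)


def days_until_expiry(cert: dict, now_epoch: Optional[float] = None) -> int:
    """Days left before notAfter; negative once the certificate has expired."""
    if now_epoch is None:
        now_epoch = time.time()
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return round((end - now_epoch) / 86400)


# Constructed sample in the exact shape getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "DigiCert Inc"),),
        (("commonName", "Example Issuing CA"),),
    ),
    "notBefore": "Jan  1 00:00:00 2023 GMT",
    "notAfter": "Apr  1 00:00:00 2023 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}

if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in fetch_cert("example.com") to scan a live host.
    print(issuer_org(SAMPLE_CERT), validity_days(SAMPLE_CERT), "days valid")
    for tier in ("strict", "no_hostname", "no_verify"):
        ctx = make_context(tier)
        print(tier, "check_hostname =", ctx.check_hostname, "verify_mode =", ctx.verify_mode.name)
```

A scan loop would call `fetch_cert(domain, "strict")` first and only fall back to the looser tiers on `ssl.SSLCertVerificationError`, recording which tier each domain needed: that number is itself a finding, since a site that only answers with verification off is serving a certificate that no browser would accept.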

Most Popular Issuers

Top Certificate Issuers in the Moz Top 500

Of the 450 domains I was able to pull a certificate from quickly and programmatically, DigiCert Inc. was by far the most popular issuer. Any site whose issuer appeared only once in the data set (i.e. it was the only site using that vendor) was left off the chart to keep it easy to read.

Again, there's duplication here: GoDaddy.com and Starfield Technologies are the same company issuing under different CA names.

I was really happy to see my personal favorite, Let's Encrypt, make the list. I have no affiliation with them other than using their free certificates for my websites (including this one). The only reasons I can see for companies to continue paying for certificates are:

  • They don't realize Let's Encrypt offers free certificates, both standard and wildcard
  • They don't want to deal with 90-day expiration and can't roll out certbot or an equivalent ACME client
  • They are still within the validity period of their current cert and are riding it out until it expires.

Average Validity Length (Days)

Moz Top 500’s list of certificate providers, ordered by average validity length in days

Charts, graphs, pies… Only one of those is fun in a meeting. Since we’re all out of pie, I decided to add a nifty drop shadow to this one. I’m sure you appreciate the beauty.

On the left of the graph, Thawte Inc. comes in at 1,106 days average validity for their certificates. That seems like an awfully long time for a certificate to be valid (publicly trusted CAs have not been allowed to issue leaf certificates longer than 825 days since the CA/Browser Forum cap took effect in March 2018, so these were all issued before that), and I was curious who was using them:

https://npr.org/
https://list-manage.com/
https://list-manage1.com/
https://bmj.com/
https://xiti.com/
https://blackberry.com/
https://iso.org/
https://unicef.org/

Well, good to know I guess. Nobody is going to most of those anyway. Obviously I'm listing domains here, not sites I've been to myself, so if you don't like the content, I probably wouldn't either.

On the other hand, Google Trust Services certs average 84 days, and as most people know, Let's Encrypt's are 90.
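The per-issuer average that the chart above reports, computed over records in the shape a scan like this would store. This is an added example, not the post's own script; the domains, issuers and dates in `RECORDS` are constructed, and the 825-day figure is the CA/Browser Forum cap on publicly trusted leaf certificates in force since March 2018. The `over_cap` check is the kind of sanity filter worth running on such a data set, since any lifetime above the cap means the certificate predates it.

```python
import ssl
from collections import defaultdict
from typing import List, Tuple

# Constructed records: (domain, issuer organizationName, notBefore, notAfter).
# Dates are in the format getpeercert() uses; none of these are real sites.
RECORDS = [
    ("a.example", "Thawte Inc", "Mar  1 00:00:00 2017 GMT", "Mar  1 00:00:00 2020 GMT"),   # 1096 days
    ("b.example", "Thawte Inc", "Jan  1 00:00:00 2017 GMT", "Jan  1 00:00:00 2020 GMT"),   # 1095 days
    ("c.example", "Let's Encrypt", "Jan  1 00:00:00 2023 GMT", "Apr  1 00:00:00 2023 GMT"),  # 90 days
    ("d.example", "Let's Encrypt", "Feb  1 00:00:00 2023 GMT", "May  2 00:00:00 2023 GMT"),  # 90 days
    ("e.example", "Google Trust Services", "Jan  1 00:00:00 2023 GMT", "Mar 26 00:00:00 2023 GMT"),  # 84 days
]

# CA/Browser Forum maximum leaf validity since March 2018 (Baseline Requirements).
MAX_DAYS_SINCE_2018 = 825


def validity_days(not_before: str, not_after: str) -> int:
    """Lifetime in whole days between two getpeercert()-style timestamps."""
    start = ssl.cert_time_to_seconds(not_before)
    end = ssl.cert_time_to_seconds(not_after)
    return round((end - start) / 86400)


def average_validity_by_issuer(records) -> List[Tuple[str, int, float]]:
    """Return (issuer, certificate count, mean validity days), longest average first."""
    lifetimes = defaultdict(list)
    for _domain, issuer, not_before, not_after in records:
        lifetimes[issuer].append(validity_days(not_before, not_after))
    table = [(issuer, len(days), sum(days) / len(days)) for issuer, days in lifetimes.items()]
    return sorted(table, key=lambda row: row[2], reverse=True)


def over_cap(records, cap: int = MAX_DAYS_SINCE_2018) -> List[str]:
    """Domains whose certificate lifetime exceeds the cap, i.e. certs issued before it applied."""
    return [domain for domain, _issuer, nb, na in records if validity_days(nb, na) > cap]


if __name__ == "__main__":
    for issuer, count, mean_days in average_validity_by_issuer(RECORDS):
        print(f"{issuer:<24} n={count:<3} avg={mean_days:7.1f} days")
    print("over the 825-day cap:", over_cap(RECORDS))
```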

What can we learn from all of this? Maybe not much. These are all industry-leading domains, though, so their choice of vendors and validity lengths is a reasonable snapshot of what large sites actually do.
