Over 50% of client systems are EV aware
We recently hit a very cool milestone, which is that over half the client systems in use today are capable of distinguishing between Extended Validation SSL Certificates and traditional certificates. In other words, the combined market share of IE7, IE8 (very small), Firefox 3, and Opera 9.5 adds up to in excess of 52% of browsers in use. What's especially cool about that is it's an increase of almost 3% in a single month, which is quite a growth trajectory.
People have been writing about this milestone, such as this blogger at DaniWeb. The blogger questions how well six or seven thousand online businesses compare to the millions of Web sites that are out there, and I think that's a question that deserves an answer.
It's important to distinguish between the mass of Web sites out there that are strictly publishing content from the considerably smaller subset that actually engage in some sort of online business. EV SSL today very much is focused on those sites where consumers are asked to share sensitive information with a business, something like an account login or a credit card number or personally identifiable information. These are the pieces of information that criminals want to steal, and these are the sites that phishing and malware and other attacks are directed after. A consumer doesn't need protection from phishing attacks when visiting your personal blog or Star Wars fan site or even your company's brochureware site. It's only where the actual commerce takes place.
Therefore, you shouldn't consider the full footprint of Web sites in the world but rather this subset that is conducting business. I don't know exactly how to measure that number, but I expect it's orders of magnitude smaller than the number of total Web sites out there.
Now, there's an implication in this posting that maybe in the long run sites without commerce taking place will still want an EV cert in order to demonstrate their genuine identity. I think that is a possibility down the road, but today we're really focused on those sites where there is information to protect.