Those seeking to gain a sense of SSL market share typically lean on Netcraft, which operates a crawler finding and reporting on the SSL Certificates it locates in the wild. Netcraft can help us with information on the raw number of certificates it finds, but while that's useful information, it only tells part of the story.
In the past week I've seen a pair of blogs that have tried to look deeper at SSL market share. The first is an excellent piece of work by technology blogger Nasko on the netsekure blog. Nasko built a crawler to look at the Alexa one million (the million most trafficked web sites according to Alexa) and count the SSL Certificates it found on them, by root. The blog posting reports that this crawl made it through about 350,000 of the million before being terminated, but in that time Nasko found some very interesting results. Nasko publishes his (?) findings, root by root, for all roots with fifty or more sites among the one million. Feel free to check my math here, but adding up the various roots that belong to aftermarket SSL providers, I get this count.
- GeoTrust: 9417
- Comodo: 8049
- VeriSign: 6944
- GoDaddy: 4471
- Thawte: 4170
and then it falls off precipitously with Entrust at 1130 certificates and everyone else in three or two digits. Adding up the brands provided by VeriSign, Inc. I see a total of 20531 vs. 16215 for all non-VeriSign certificates combined.
In other words, Nasko's research indicates that GeoTrust is the most used brand of SSL among the world's million largest web sites and that VeriSign's SSL products are more used on these million sites than all other certificates combined. While it happens that the crawl only had a chance to hit about one third of the target sites, I don't see any reason why those results wouldn't be indicative of the entire set.
It appeals to common sense that sites would choose SSL Certificates differently based on the specifics of their situation. An easy example is that a site that highly values transactions and trust - like an established online retailer - would be more inclined to publish the VeriSign seal than an average site and therefore more likely to use the VeriSign brand of SSL.
To test this theory we can look to the second blog, this from Internet service provider LexiConn. In a recent blog on Extended Validation SSL, LexiConn looked at the SSL Certificates used by the Internet Retailer 100, the 100 largest North American online retailers according to Internet Retailer. LexiConn's numbers are now looking different with VeriSign leading the pack at 35, GeoTrust now coming in second at 14, Thawte third at 9 and all others lower than that. (LexiConn also found that 24 of the IR100 had no SSL of their own, instead using the SSL included in their Akamai service.) Note how the mix has changed considerably in favor of VeriSign, with its sales-driving seal, over GeoTrust.
I would love to see the overlay of Netcraft's list to third-party sources such as the Alexa one million, the Fortune 500, the Internet Retailer 500, and the like. That could be a very illuminating view on how the market connects to the different brands of SSL Certificate with their different properties.
[4/20/10 - I originally linked to the wrong blog post from LexiConn. Corrected that link to go to the correct post so you can see the actual numbers.]