A new internet browser, Comodo Dragon, reports that more than half of the world's valid SSL certificates are unsafe.
Comodo Dragon is based on the open source Chromium project, but includes additional security and privacy features. In particular, when a user browses to a site that uses a domain-validated SSL certificate, Comodo Dragon will warn the user that the site may not have undergone trusted third-party validation.
Users are presented with buttons to "Proceed anyway", or go "Back to safety". The warning message explains why such a site is deemed to be unsafe:
The security (or SSL) certificate for this website indicates that the organization operating it may not have undergone trusted third-party validation that it is a legitimate business. Although the information passed between you and this website will be encrypted, you have no assurance of who you are actually exchanging information with, and many websites connected to cyber-crimes use this type of security certificate. Prior to exchanging sensitive information including login/password, personal identity information, or financial details such as credit card numbers with any website that generates this warning, you should find some alternative method of validating this business or consider abandoning the transaction.
Mainstream adoption of this behaviour would have a huge impact on e-commerce — more than half of the SSL certificates in use on the web are domain-validated, and this market continues to show strong growth due to the generally lower costs and ease of issuance when compared with organisation and extended validation certificates.
However, none of the popular browsers provides an explicit warning when browsing to a domain-validated site. With such widespread use of domain-validated certificates, it would undoubtedly lead to uproar if any of these browsers were to display warnings when users browse to domain-validated sites.
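A client can approximate the distinction this warning relies on from the certificate's subject fields. The sketch below is an added example, not Comodo Dragon's or Netcraft's code; the subject-field heuristic, the function names and the sample certificates are assumptions made for illustration, and the input uses the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import collections

# Heuristic assumed by this example: a DV subject names only the domain,
# OV adds a vetted organizationName, EV adds registration identity fields.
DV_OU_MARKERS = ("domain control validated",)   # OU text some CAs put in DV certs
EV_FIELDS = {"businessCategory", "serialNumber"}
# OpenSSL builds report the EV jurisdiction field by name or by raw OID.
EV_JURISDICTION = {"jurisdictionCountryName", "1.3.6.1.4.1.311.60.2.1.3"}

def subject_fields(cert):
    """Flatten the nested RDN tuples of a getpeercert() dict into {name: [values]}."""
    fields = collections.defaultdict(list)
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            fields[name].append(value)
    return fields

def validation_level(cert):
    """Return 'DV', 'OV' or 'EV' for a certificate dict."""
    subj = subject_fields(cert)
    ous = [ou.lower() for ou in subj.get("organizationalUnitName", [])]
    # Some DV certificates fill O with the domain name, so check the OU marker first.
    if any(marker in ou for ou in ous for marker in DV_OU_MARKERS):
        return "DV"
    if not subj.get("organizationName"):
        return "DV"
    if EV_FIELDS.issubset(subj) and EV_JURISDICTION.intersection(subj):
        return "EV"
    return "OV"

def needs_identity_warning(cert):
    """True when only control of the domain, not the operator, was validated."""
    return validation_level(cert) == "DV"

def _cert(**subject):  # helper to build constructed sample certificates
    return {"subject": tuple(((k, v),) for k, v in subject.items())}

# Constructed samples, not real certificates.
DV = _cert(commonName="shop.example")
LEGACY_DV = _cert(organizationName="shop.example",
                  organizationalUnitName="Domain Control Validated",
                  commonName="shop.example")
OV = _cert(countryName="US", organizationName="Example Corp", commonName="www.example.com")
EV = _cert(businessCategory="Private Organization", serialNumber="0000000",
           jurisdictionCountryName="US", organizationName="Example Bank",
           commonName="bank.example")

if __name__ == "__main__":
    for name, cert in [("DV", DV), ("LEGACY_DV", LEGACY_DV), ("OV", OV), ("EV", EV)]:
        print(name, validation_level(cert), needs_identity_warning(cert))
```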
Although Comodo states that many websites connected to cyber-crimes use domain-validated certificates, Netcraft's phishing site feed shows that only 0.3% of reported phishing sites use HTTPS, including those running on compromised servers with SSL certificates already in place.
Netcraft found 683,563 valid domain-validated certificates in its March 2010 survey. Go Daddy has issued more than half of these, which it currently sells at $29.99 per year for new purchases.
Comodo itself is also a sizable player in the domain-validated SSL market, accounting for 7.6% of all domain-validated certificates. Ironically, domain-validated certificates signed by Comodo are also reported as being potentially unsafe, including those sold via hosting companies such as DreamHost.
DreamHost's CTO, Dallas Kashuba, told Netcraft: "I think the information being presented about the nature of the SSL certificate is useful, but the approach Comodo has taken to present the information is heavy-handed and seems a bit too close to 'crying wolf'. I worry that users of the browser will see that warning so frequently that they will become desensitized to all warnings."
Last year, DreamHost launched an amusing tirade against certificate authorities, criticising the "entirely automated" process of issuing domain-validated certificates. To prove a point, DreamHost then began offering domain-validated certificates to existing customers for only $15, stating: "...we're not making anything on them because we feel the whole business is a scam!"
DreamHost's Kashuba also told Netcraft: "I think Extended Validation SSL certificates are a good way to reduce the impact of phishing and other similar nefarious activities, but is not a necessary expense for most secure websites."
There is no doubt that upsetting the current level of trust in domain-validated certificates would cause problems: many FDIC members continue to use domain-validated certificates for their banking sites, including Bank of the Sierra, Bank of Hawaii, TierOne Bank and Great Western Bank.
For additional information or details on how to order the Netcraft SSL Survey, please contact us at sales@netcraft.com.
| Rank | Company site | OS | Outage hh:mm:ss | Failed Req% | DNS | Connect | First byte | Total |
|---|---|---|---|---|---|---|---|---|
| 1 | www.navisite.com | Linux | | 0.000 | 0.779 | 0.033 | 0.552 | 0.656 |
| 2 | DataPipe | FreeBSD | 0:00:00 | 0.005 | 0.397 | 0.035 | 0.061 | 0.091 |
| 3 | INetU | unknown | 0:00:00 | 0.005 | 0.524 | 0.050 | 0.106 | 0.186 |
| 4 | Hosting 4 Less | Linux | 0:00:00 | 0.011 | 0.428 | 0.105 | 0.220 | 0.560 |
| 5 | www.singlehop.com | Linux | 0:00:00 | 0.016 | 0.205 | 0.052 | 0.342 | 0.570 |
| 6 | www.dinahosting.com | Linux | 0:00:00 | 0.016 | 0.115 | 0.089 | 0.182 | 0.182 |
| 7 | New York Internet | FreeBSD | 0:00:00 | 0.021 | 0.054 | 0.031 | 0.070 | 0.195 |
| 8 | Virtual Internet | Linux | 0:00:00 | 0.021 | 0.617 | 0.078 | 0.210 | 0.443 |
| 9 | www.memset.com | Linux | 0:00:00 | 0.021 | 0.616 | 0.080 | 0.160 | 0.160 |
| 10 | Hostbasket | Windows Server 2008 | 0:00:00 | 0.021 | 0.377 | 0.083 | 0.177 | 0.177 |
NaviSite had the most reliable hosting company site in February, responding to all of Netcraft's requests.
NaviSite, providers of managed hosting and application management solutions, sold its Lawson/Kronos Managed Application Service business this month in order to "focus on providing Enterprise-class cloud computing for large organisations with complex environments". NaviSite uses Apache on CentOS to run its own website.
The second most reliable hosting company site in February was DataPipe, responding to all but one of Netcraft's requests.
DataPipe provides custom managed hosting solutions for businesses with complex Internet-facing infrastructures, with over 1,000 customers in seven data centres across the United States, Europe and China. DataPipe use Apache on FreeBSD to run their own website.
Six of the top ten in February were identified as running Linux, two as running FreeBSD and one running Windows Server 2008.
Netcraft measures and makes available the response times of around forty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.
From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as this gives a pointer to reliability of routing, and this is why we choose to rank our table by fewest failed requests, rather than shortest periods of outage.
Further information on the measurement process and current measurements are available.
In the February 2010 survey we received responses from 207,316,960 sites.
The biggest change of the month belongs to Apache with a 1.6M increase in hostnames. It was closely followed by Microsoft which saw a growth of 1.1M.
After a year-long consistent rise, nginx is experiencing a loss for a second month in a row as inactive weblogs on WordPress and 163.com are expired out of the survey. This month nginx had a decrease of 1.5M hostnames, which brings its total down to the number of hostnames it had in October.
China Internet Network Information Center has recently announced a change in the .cn domain name registration regulations. Since December 14th individuals can no longer register .cn domains and a paper application has to be submitted to register one along with photocopies of the company business license and registrant ID. While this has reduced the frequency of .cn domains in spam, it does not seem to have affected the growth of the domain. Netcraft has discovered 49k new hostnames in .cn this month, compared to 37k in December, 59k in November and 39k in October.
August 1995 - February 2010
| Developer | January 2010 | Percent | February 2010 | Percent | Change |
|---|---|---|---|---|---|
| Apache | 111,307,941 | 53.84% | 112,903,926 | 54.46% | 0.62 |
| Microsoft | 49,792,844 | 24.08% | 50,928,226 | 24.57% | 0.48 |
| | 14,550,011 | 7.04% | 14,315,464 | 6.91% | -0.13 |
| nginx | 15,568,224 | 7.53% | 13,978,719 | 6.74% | -0.79 |
| lighttpd | 955,146 | 0.46% | 1,097,685 | 0.53% | 0.07 |
| Rank | Company site | OS | Outage hh:mm:ss | Failed Req% | DNS | Connect | First byte | Total |
|---|---|---|---|---|---|---|---|---|
| 1 | www.theplanet.com | Windows Server 2003 | 0:00:00 | 0.005 | 0.687 | 0.074 | 0.218 | 0.602 |
| 2 | Hosting 4 Less | Linux | 0:00:00 | 0.005 | 0.130 | 0.090 | 0.189 | 0.498 |
| 3 | www.navisite.com | Linux | 0:00:00 | 0.010 | 0.773 | 0.034 | 0.528 | 0.631 |
| 4 | DataPipe | unknown | 0:00:00 | 0.010 | 0.294 | 0.036 | 0.053 | 0.070 |
| 5 | INetU | unknown | 0:00:00 | 0.014 | 0.233 | 0.036 | 0.089 | 0.135 |
| 6 | Pair Networks | FreeBSD | 0:00:00 | 0.014 | 0.278 | 0.045 | 0.093 | 0.223 |
| 7 | New York Internet | FreeBSD | 0:00:00 | 0.019 | 0.069 | 0.032 | 0.070 | 0.186 |
| 8 | Swishmail | FreeBSD | 0:00:00 | 0.024 | 0.558 | 0.033 | 0.068 | 0.173 |
| 9 | www.memset.com | Linux | 0:00:00 | 0.024 | 0.658 | 0.081 | 0.164 | 0.164 |
| 10 | Verio | Linux | 0:00:00 | 0.024 | 0.186 | 0.098 | 0.196 | 0.196 |
The first month of 2010 saw The Planet and Hosting 4 Less have the most reliable hosting company sites. Both sites responded to all but one of Netcraft's requests in January.
The Planet provides dedicated servers, managed hosting and colocation services to more than 20,000 businesses. The company has more than 10 million websites in Netcraft's Hosting Provider Analysis and uses Windows Server 2003 to run its own website.
Hosting 4 Less offers a 99.9% uptime guarantee, with its own OC48 Sonet Ring connecting their secure data center to the internet. Hosting 4 Less has been running since 1998 and currently uses Apache on Linux to serve its own website.
Four of the most reliable hosting company sites in January were identified as running Linux, while three were using FreeBSD and one was using Windows Server 2003.
Netcraft measures and makes available the response times of fifty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.
From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as this gives a pointer to reliability of routing, and this is why we choose to rank our table by fewest failed requests, rather than shortest periods of outage.
Further information on the measurement process and current measurements are available.
In the January 2010 survey we received responses from 206,741,990 sites.
The biggest change this month is that 30M hostnames at qq.com expired from the survey. Last year all qq.com blogs were made public, leading to a large number of hostnames being added to the survey in February 2009. However, in the last 6 months qq.com have from time to time made all blogs private again, and have also stopped reporting blog activity to well known syndication points, so Netcraft can no longer tell how many accounts are active.
The market share for all the other major web servers has increased. Apache gained approximately 3M hostnames compared to the December 2009 survey, bringing their total to 111.3M. In second place comes Microsoft with a 600k increase. nginx lost hostnames this month but grew substantially in active sites, gaining 2.7M.
| Developer | December 2009 | Percent | January 2010 | Percent | Change |
|---|---|---|---|---|---|
| Apache | 108,953,838 | 46.59% | 111,307,941 | 53.84% | 7.25 |
| Microsoft | 49,184,244 | 21.03% | 49,792,844 | 24.08% | 3.05 |
| nginx | 16,249,950 | 6.95% | 15,568,224 | 7.53% | 0.58 |
| | 14,110,280 | 6.03% | 14,550,011 | 7.04% | 1.00 |
| lighttpd | 840,654 | 0.36% | 955,146 | 0.46% | 0.10 |