The Sorry State of SSL/TLS Certificates in NL
During the past three months, I've researched the impact of the type of SSL/TLS certificate on website speed and reliability and the effectiveness of OCSP stapling.
On January 28, I published my research in the article EV Certificates Make The Web Slow and Unreliable, with the key takeaways being:
- Do not use an EV certificate
- For optimal performance, serve a DV or OV certificate with a valid OCSP staple
Having analyzed only a handful of Dutch websites in scope of my research, I was hungry for a bigger and better view on the state of SSL/TLS certificates in The Netherlands.
I carefully created a list of 500 high-traffic/premium brand NL websites, wrote a script that collects data for each domain, and took that data to Google Sheets for analysis and charting.
The spreadsheet made me sad 😢
70% of the top NL websites serve an SSL/TLS certificate that hurts web performance
Let's walk through the data.
Sadly, EV Certificates Are Quite Popular
Extended Validation certificates are relatively expensive, a hassle to acquire, and don't make your site more secure. Since all modern browsers stopped showing the 'green bar', they also no longer provide users with that 'enhanced perception of trust' (which is a myth anyway).
However, EV certs do make your website slower and less robust, much more so than DV and OV certificates.
I expected maybe 10% of the big NL sites to serve an EV certificate, but unfortunately it's more than 2x that:
Bol.com, Coolblue and HEMA are just a few of the big brands that serve the slow EV certificate.
Stapling DV/OV Certificates is Not Very Common
The 76% of NL websites that don't use an EV certificate have made the right decision. DV/OV certificates are the better choice from a web performance perspective, even if the certificate does not have a stapled "not revoked" OCSP response.
That said, OCSP stapling does add real value because in Firefox this effectively gets rid of a blocking request to the Certificate Authority's server very early in the page load process. This request easily takes 100 ms and for some visitors probably much longer.
Unless you're using a CDN that will do it for you, OCSP stapling doesn't just magically happen. Activation/implementation requires time and effort. Perhaps this is why only 40% of the 378 websites that serve a DV or OV certificate have it stapled.
Example websites that should put OCSP stapling on their to-do list are Wetransfer, Funda and TUI.
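A quick way to verify whether a site is in the "stapled" or "not stapled" group is `openssl s_client -status`, which prints the OCSP response the server delivers in the TLS handshake. The script below is an added example, not the author's collection script: `classify_staple` reads that output and reports whether a valid staple was present, `check_staple` runs the live check for one host, and `survey_domains` runs it over a file of domains in the spirit of the 500-site survey. The two sample fragments are constructed from openssl's normal output format so the classifier can be exercised offline; the function names and the `domains.txt` file name are assumptions.

```shell
#!/bin/sh
# Added example (not the article's own script): detect OCSP stapling with openssl s_client.
# openssl s_client -status prints "OCSP response: no response sent" when the server
# delivers no staple, and a parsed response containing
# "OCSP Response Status: successful (0x0)" when a valid staple is delivered.

# Classify s_client -status output read from stdin.
# Prints "stapled" (exit 0) or "not-stapled" (exit 1).
classify_staple() {
  if grep -q 'OCSP Response Status: successful'; then
    echo stapled
    return 0
  fi
  echo not-stapled
  return 1
}

# Live check of one host on port 443 (needs network access; not exercised offline).
# -servername sends SNI so virtual-hosted servers present the right certificate.
check_staple() {
  host="$1"
  printf 'Q\n' | openssl s_client -connect "${host}:443" -servername "$host" -status 2>/dev/null \
    | classify_staple
}

# Survey a list of domains (one per line) and print "domain<TAB>result" for each.
# Hypothetical usage: survey_domains domains.txt > results.tsv
survey_domains() {
  while IFS= read -r domain; do
    [ -n "$domain" ] || continue
    printf '%s\t%s\n' "$domain" "$(check_staple "$domain")"
  done < "$1"
}

# Constructed sample fragments of s_client -status output, for offline demonstration.
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response'
SAMPLE_UNSTAPLED='OCSP response: no response sent'

# Demonstrate the classifier on the constructed samples.
printf '%s\n' "$SAMPLE_STAPLED" | classify_staple    # stapled
printf '%s\n' "$SAMPLE_UNSTAPLED" | classify_staple  # not-stapled
```

Note that a server sends a staple only when the client advertises the `status_request` extension, which `-status` does; a "not-stapled" result from a plain `openssl s_client` run without `-status` would be meaningless. Some servers also staple only after their first fetch from the CA has completed, so a second connection a few seconds later is worth checking before concluding a site does not staple.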
Most Top NL Websites Should Serve a Better Certificate
122 websites serve an EV certificate and 228 serve a non-OCSP stapled DV/OV certificate.
122 + 228 = 350 and 350 / 500 = 70%.
So, the majority of high-traffic/premium brand websites in NL are doing it wrong and consequently provide a suboptimal user experience.
Assuming browsers that send that blocking request to the Certificate Authority establish on average 25000 new HTTPS connections per day with the servers of each of those 350 websites, and the request to the CA takes 100 ms, then the total user time wasted daily is 875000 seconds, or roughly 10 days.