I recently announced a new project to publish my crawler data and whilst I was there I decided to see what else I could do with the data. Looking over historic crawls we can see when sites make the switch from EV down to DV/OV.
crawler.ninja
For more details on the crawler you can check out the site https://crawler.ninja or look at my launch blog. Once the process is fully automated you will be able to see my daily crawl data there along with all of the statistics Troy Hunt and I use for the WhyNoHTTPS? project. The raw data files are available for anyone to download and use and there's definitely further analysis that can be done outside that which I'm already doing. Whilst setting up the project and thinking of additional uses for the data I decided to search an old crawl for sites that used to have EV certs but don't have them in a current crawl.
Sites that used to have EV
Here's a selection of just a few sites from the list and I've included the Alexa rank, both global and in the USA, for the first few as they're pretty big sites that have made the change. It's interesting that such big sites have made the switch and in honesty I've not heard a single thing about any of them, have you?
shutterstock.com (e-commerce) 275 global, 310 USA
EV: https://crt.sh/?id=267665804
DV: https://crt.sh/?id=460138113
target.com (e-commerce) 390 global, 75 USA
EV: https://crt.sh/?id=93486931
DV: https://crt.sh/?id=526599363
ups.com (postal) 405 global, 104 USA
EV: https://crt.sh/?id=245522232
OV: https://crt.sh/?id=418143426
ao.com (e-commerce)
EV: https://crt.sh/?id=350440285
DV: https://crt.sh/?id=432190887
visa.co.uk (financial)
EV: https://crt.sh/?id=385001057
DV: https://crt.sh/?id=485686322
visa.pl (financial)
EV: https://crt.sh/?id=385286426
DV: https://crt.sh/?id=485686322
police.uk (government)
EV: https://crt.sh/?id=131315815
DV: https://crt.sh/?id=499159933
samsung.com.br (large brand)
EV: https://crt.sh/?id=141386701
DV: https://crt.sh/?id=470638146
duocircle.com (security)
EV: https://crt.sh/?id=131162293
DV: https://crt.sh/?id=579336902
industry.gov.au (government)
EV: https://crt.sh/?id=57828130
DV: https://crt.sh/?id=579901244
lynda.com (education)
EV: https://crt.sh/?id=16989973
DV: https://crt.sh/?id=512024084
tax.service.gov.uk (government)
EV: https://crt.sh/?id=366264316
OV: https://crt.sh/?id=316399411
finecobank.com (financial)
EV: https://crt.sh/?id=150780226
OV: https://crt.sh/?id=513770932
mbna.ca (financial)
EV: https://crt.sh/?id=140404379
DV: https://crt.sh/?id=431017417
tiket.com (e-commerce)
EV: https://crt.sh/?id=16409733
DV: https://crt.sh/?id=460193404
Are Twitter making the switch?
There's already been some controversy in the past about how Twitter use EV in some regions and not in others. Troy covered this in his blog On The (Perceived) Value of EV Certs, Commercial CAs, Phishing and Let's Encrypt and how it was interesting that up until that point, we hadn't really noticed this at all... Well, he noticed something else recently too:
Hey, anyone else notice that Twitter recently ditched their EV certs? I'd love to know why (I mean other than the fact they're completely useless). @Scott_Helme?
— Troy Hunt (@troyhunt) August 21, 2018
Looks like the move kicked off a couple of months ago: https://t.co/wLeZmfPFp4
If you take a look at the search results over on crt.sh then you can see that all recent cert renewals for Twitter seem to be for OV certs rather than EV certs.
I never really got the point of OV, given they're harder and more expensive to get but receive the same UI treatment as DV, but it does look like recent renewals are moving towards OV and not EV. Perhaps it's because they need wildcard certs, which you can't have with EV, or perhaps there's another reason, but it would be really interesting to know. If you work at Twitter or can think of a reason why, drop by in the comments below!
Additional information
From the perspective of the crawler it's quite difficult to tell whether or not a site has an EV certificate as there isn't a flag or 'setting' I can look for in the certificate like EV=true. What that means though is that I can be fairly sure I'm detecting most EV certs but possibly not quite all. In terms of this list though, any site that's on here I'm sure used to have EV, but there may have been another site or two that were missed off.
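One common way to approximate the missing "EV flag", shown here as an added example and not the crawler's own code: classify each certificate by the policy OIDs in its certificatePolicies extension, fall back to subject attributes that only EV certificates carry, then diff two crawls. The crawl record layout, function names and hostnames are assumptions made for the illustration, and the CA-specific OID list is deliberately partial.

```python
# Added example (not the crawler's code). Record layout and names are assumed.
CABF_EV, CABF_DV, CABF_OV = "2.23.140.1.1", "2.23.140.1.2.1", "2.23.140.1.2.2"
# CA-specific EV policy OIDs; partial list, so some EV certs can be missed.
CA_EV_OIDS = {
    "2.16.840.1.114412.2.1",       # DigiCert
    "2.16.840.1.113733.1.7.23.6",  # Symantec / VeriSign
    "1.3.6.1.4.1.6449.1.2.1.5.1",  # Comodo
    "1.3.6.1.4.1.4146.1.1",        # GlobalSign
    "2.16.840.1.114028.10.1.2",    # Entrust
}
# Subject attributes: the EV Guidelines require the first two in EV certs.
JURISDICTION_COUNTRY, BUSINESS_CATEGORY = "1.3.6.1.4.1.311.60.2.1.3", "2.5.4.15"
ORGANIZATION = "2.5.4.10"

def validation_level(policy_oids, subject_oids):
    """Return 'EV', 'OV' or 'DV' for one certificate."""
    policies, subject = set(policy_oids), set(subject_oids)
    if CABF_EV in policies or policies & CA_EV_OIDS:
        return "EV"
    # Fallback for EV policy OIDs missing from CA_EV_OIDS.
    if {JURISDICTION_COUNTRY, BUSINESS_CATEGORY} <= subject:
        return "EV"
    if CABF_OV in policies or ORGANIZATION in subject:
        return "OV"
    return "DV"

def ev_downgrades(old_crawl, new_crawl):
    """Map host -> new level for hosts that were EV and no longer are."""
    changed = {}
    for host, old_cert in old_crawl.items():
        if host in new_crawl and validation_level(*old_cert) == "EV":
            level = validation_level(*new_crawl[host])
            if level != "EV":
                changed[host] = level
    return changed

# Constructed sample crawls: host -> (policy OIDs, subject attribute OIDs).
EV_SUBJECT = [ORGANIZATION, BUSINESS_CATEGORY, JURISDICTION_COUNTRY]
OLD_CRAWL = {
    "shop.example": ([CABF_EV, "2.16.840.1.114412.2.1"], EV_SUBJECT),
    "post.example": (["1.3.6.1.4.1.4146.1.1"], EV_SUBJECT),
    "bank.example": (["1.2.3.4.5"], EV_SUBJECT),  # made-up, unlisted OID
    "blog.example": ([CABF_DV], []),
}
NEW_CRAWL = {
    "shop.example": ([CABF_DV], []),
    "post.example": ([CABF_OV], [ORGANIZATION]),
    "bank.example": ([CABF_EV], EV_SUBJECT),
    "blog.example": ([CABF_DV], []),
}
print(ev_downgrades(OLD_CRAWL, NEW_CRAWL))
```

A certificate from a CA whose EV policy OID is not in the list, and which is not caught by the subject-attribute fallback, would be classified as OV or DV, which is the "most but possibly not quite all" gap described above.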
Further Uses
I've come up with another use for the data and I'm hoping to write that up and publish it maybe next week but I'm also working on the August 2018 crawler report to have that published this week too. The numbers are looking pretty interesting again and we've seen some pretty interesting changes since February too. Check back for publication of that soon!