This is part two of the ten-year anniversary Top 1 Million Analysis. Part one covered the broad state of the web — HTTPS, the security headers, cookies, email and DNS hygiene. This part is the bit I've been most excited to write: a focused look at the cryptography underpinning the top 1 million sites — TLS, certificates, the keys behind them, and the genuinely historic arrival of post-quantum key exchange at scale.
As before, the numbers below come from the 13 June 2026 crawl of the Tranco Top 1 Million (819,002 responding sites), powered by Crawler.Ninja and Report URI. For this anniversary edition I rebuilt a big chunk of the crawler's TLS measurement — including a move to OpenSSL 3.5 so it can negotiate post-quantum groups — so several of the metrics here are brand new.

Introduction
In part one, we looked at the broader state of web security across the Tranco Top 1 Million and found a familiar story: lots of progress, but still plenty of rough edges. In this second part, we’re going deeper into the cryptographic foundations of the modern web: TLS versions, cipher suites, key exchange, certificate lifetimes, certificate authorities, CAA, OCSP, ECH, and even the early signs of post-quantum TLS. The good news is that, in many areas, the web has moved on dramatically from where it was ten years ago. The even more interesting news is that some of the biggest changes are now happening quietly, at enormous scale, because of defaults set by the platforms and providers that sit underneath much of the web.
Certificates
The certificate landscape has genuinely shifted since 2022. Let's Encrypt remains enormous, with 302,116 sites using one of their certificates, up 30%. Google Trust Services’ WE1 intermediate alone now accounts for 193,069 sites, making it the largest individual issuing intermediate in the dataset — even though Let’s Encrypt remains the largest issuer overall. The free, automated, short-lived CA model has well and truly won.
| Certificate Authority | Count |
|---|---|
| Google Trust Services — WE1 | 193,069 |
| Let's Encrypt — R12 | 59,705 |
| Let's Encrypt — R13 | 59,496 |
| Let's Encrypt — E8 | 48,754 |
| Let's Encrypt — E7 | 48,564 |
| Let's Encrypt — YE2 | 23,702 |
| Let's Encrypt — YE1 | 23,467 |
| Sectigo — Public Server Authentication CA DV R36 | 19,879 |
| Let's Encrypt — YR1 | 19,159 |
| Let's Encrypt — YR2 | 18,986 |
Counted per issuer rather than per intermediate, though, Let's Encrypt still dominates total issuance.
| Issuer | Certs |
|---|---|
| Let's Encrypt | 302,116 |
| Google Trust Services | 203,436 |
| Amazon | 37,690 |
| DigiCert | 34,961 |
| Sectigo | 29,006 |
| GlobalSign | 17,891 |
| GoDaddy | 7,999 |

You can see the consequence of the new certificate model in the death of the alternative: Extended Validation certificates are now on just 4,186 sites, down another 51% since 2022 and a fraction of the 15,604 we saw in 2020. EV has been a dead format walking for years and the numbers now read like an obituary.

Two newer certificate metrics this year. 657,853 sites (around 80% of responders) serve certificates with embedded Certificate Transparency SCTs. That figure only counts SCTs embedded in the certificate itself; SCTs can also be delivered in a TLS extension or in a stapled OCSP response, so real CT coverage is at least this high and, given that Chrome and Safari reject publicly trusted certificates that carry no SCTs at all, effectively universal, which is exactly what you want. And 319,192 sites use a wildcard certificate, a reminder that wildcard sprawl is extremely common and worth keeping an eye on from a blast-radius perspective: one leaked wildcard key covers every host under that name.


How long do certificates live?
For the first time this report measures certificate lifetimes directly, across the 658,294 certificates we saw, and the distribution is remarkably tight — almost everything clusters at a handful of standard values:
| Validity period | Certificates | Share |
|---|---|---|
| ≤ 47 days | 1,692 | 0.3% |
| 48–90 days | 509,744 | 77.4% |
| 91–200 days | 49,743 | 7.6% |
| 201–398 days | 96,953 | 14.7% |
| 399+ days | 162 | 0.0% |
90-day certificates utterly dominate, at 508,049, or 77% of every certificate we saw. That's the Let's Encrypt and Google Trust Services automated model expressed as a single number. The old one-year certificate (clustered at 366 and 395–398 days) is now a ~15% minority, and anything longer than the old 398-day maximum has all but vanished: just 162 of them, almost certainly not publicly trusted (private CAs or misconfigured servers).

The most telling detail: the 200-day cap that took effect on 15 March 2026, barely three months before this crawl, is already visible in the data. A 199-day lifetime is now the third most common exact value (21,966 certs), and the 91–200 day band holds nearly 50,000: issuers and sites already provisioning right up against the new limit. The cap applies to certificates issued on or after that date, so the one-year certificates still in the data all predate it and will have expired out by spring 2027. With the cap falling to 100 days in 2027 and 47 days in 2029, expect that enormous 90-day column to hold firm while the one-year remnant drains away.
I've followed this saga for years — from why we need shorter lifetimes, through Ballot SC22, to Let's Encrypt now issuing 6-day certificates — and the data finally shows it plainly: the ecosystem is responding. The sites that automated renewal years ago won't even notice the 47-day future. If you haven't yet, Cryptographic Agility is the mindset to adopt now.
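As an added example (written for this article, not taken from the crawler or Report URI's code), here is how a practitioner can bucket lifetimes the way the table above does and check a certificate against the cap that was in force on its notBefore date. It reads the dates that `openssl x509 -noout -dates` prints, the 200/100/47-day schedule is the one the article describes (CA/Browser Forum Ballot SC-081), and the five sample certificates are constructed, including the inclusive-validity edge case that explains why a CA aiming at the 200-day cap issues 199 days rather than 200:

```python
"""Bucket certificate lifetimes the way the table above does and check each
one against the CA/Browser Forum cap that applied when it was issued.

Added example written for this article, not the crawler's own code. Input is
the text that `openssl x509 -noout -dates -in cert.pem` prints; the
certificates below are constructed samples, not crawl data."""
from datetime import datetime, timezone

UTC = timezone.utc

# Maximum validity in days for a publicly trusted certificate whose notBefore
# is on or after the given date: the old 398-day cap, then the 200/100/47
# schedule (Ballot SC-081). Newest entry first so the first match wins.
LIFETIME_CAPS = [
    (datetime(2029, 3, 15, tzinfo=UTC), 47),
    (datetime(2027, 3, 15, tzinfo=UTC), 100),
    (datetime(2026, 3, 15, tzinfo=UTC), 200),
    (datetime(1, 1, 1, tzinfo=UTC), 398),
]

# Bands from the lifetime table above (upper bound inclusive, whole days).
BANDS = [(47, "<=47 days"), (90, "48-90 days"), (200, "91-200 days"), (398, "201-398 days")]


def parse_openssl_dates(text):
    """Return (notBefore, notAfter) from `openssl x509 -noout -dates` output,
    e.g. 'notBefore=Jun 13 00:00:00 2026 GMT'. OpenSSL always prints GMT."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            stamp = " ".join(value.split())  # collapse the padded day ("Apr  1")
            found[key] = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=UTC)
    if set(found) != {"notBefore", "notAfter"}:
        raise ValueError("need both notBefore and notAfter")
    return found["notBefore"], found["notAfter"]


def cap_for(not_before):
    """Longest lifetime a CA was allowed to issue on that date."""
    for effective, days in LIFETIME_CAPS:
        if not_before >= effective:
            return days
    raise ValueError("date before the epoch")


def band_for(days):
    for upper, label in BANDS:
        if days <= upper:
            return label
    return "399+ days"


def assess(dates_text):
    """Lifetime in whole days, the table band it falls in, the cap in force at
    issuance, and whether the certificate respects that cap."""
    not_before, not_after = parse_openssl_dates(dates_text)
    delta = not_after - not_before
    cap = cap_for(not_before)
    # The Baseline Requirements count validity inclusively, notBefore through
    # notAfter, so a certificate whose two dates are exactly `cap` days apart
    # is one second too long. That is why CAs issue 199d 23:59:59, not 200d.
    inclusive_seconds = delta.total_seconds() + 1
    return {
        "days": delta.days,
        "band": band_for(delta.days),
        "cap": cap,
        "compliant": inclusive_seconds <= cap * 86400,
    }


# Constructed samples in openssl's output format (not real certificates).
LETSENCRYPT_STYLE = "notBefore=Jun 12 22:00:00 2026 GMT\nnotAfter=Sep 10 22:00:00 2026 GMT\n"
DIGICERT_STYLE = "notBefore=Apr  1 00:00:00 2026 GMT\nnotAfter=Oct 17 23:59:59 2026 GMT\n"
PRE_CAP_ONE_YEAR = "notBefore=Jan 10 00:00:00 2026 GMT\nnotAfter=Feb 11 23:59:59 2027 GMT\n"
POST_CAP_ONE_YEAR = "notBefore=Apr  1 00:00:00 2026 GMT\nnotAfter=Apr  1 23:59:59 2027 GMT\n"
OFF_BY_ONE_SECOND = "notBefore=Apr  1 00:00:00 2026 GMT\nnotAfter=Oct 18 00:00:00 2026 GMT\n"

if __name__ == "__main__":
    samples = [("Let's Encrypt style", LETSENCRYPT_STYLE), ("DigiCert style", DIGICERT_STYLE),
               ("pre-cap one-year", PRE_CAP_ONE_YEAR), ("post-cap one-year", POST_CAP_ONE_YEAR),
               ("200 days exactly", OFF_BY_ONE_SECOND)]
    for label, sample in samples:
        print(f"{label:20} {assess(sample)}")
```

Run it against real certificates with `openssl s_client -connect host:443 </dev/null 2>/dev/null | openssl x509 -noout -dates` piped into `assess`; the 200-day sample is the one to watch, since a naive `notAfter - notBefore <= cap` check passes it while a CA applying the inclusive definition would be in breach.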
A tale of two CA models
Breaking the certificates down by issuer makes the divide explicit. For each of the largest CAs, here's the typical certificate lifetime, the share on ECDSA keys, and the share that are wildcards:
| Issuer | Certs | Typical lifetime | ECDSA | Wildcard |
|---|---|---|---|---|
| Let's Encrypt | 302,116 | 90 days | 47% | 30% |
| Google Trust Services | 203,436 | 90 days | 92% | 71% |
| Amazon | 37,690 | ~395 days | 6% | 68% |
| DigiCert | 34,961 | 199 days | 9% | 42% |
| Sectigo | 29,006 | 366 days | 5% | 50% |
| GlobalSign | 17,891 | 397 days | 3% | 68% |
| GoDaddy | 7,999 | 397 days | 3% | 53% |
There are clearly two different worlds here. The free, automated, ACME-native CAs, Let's Encrypt and Google Trust Services, issue 90-day certificates and lean hard on modern ECDSA keys (Google's are 92% ECDSA). The traditional commercial CAs, Amazon, Sectigo, GlobalSign and GoDaddy, are still handing out roughly one-year certificates on RSA keys (3–6% ECDSA between them). The agile-crypto future I keep pushing has, in effect, already arrived for the three-quarters of certificates that come from the two automated CAs; it's just unevenly distributed across the rest.
And you can watch the commercial side being dragged forward in real time: DigiCert's single most common lifetime is already 199 days, right up against the 200-day cap that landed in March. (Why 199 and not 200? The Baseline Requirements count the validity period inclusively, from notBefore through notAfter, so a certificate whose two dates are a full 200 days apart is one second over the limit. CAs therefore issue 199 days and 23:59:59, just as the 397-day figures above sat one day under the old 398-day cap.) The mandate is doing exactly what it was designed to.
Certificate Authority Authorisation
CAA continues its steady climb: 53,130 sites now publish a CAA record, up 50% on the 35,537 from 2022. It's still a small fraction of the web, but it's one of the cheapest wins in the PKI: a CAA record names the CAs that may issue for your domain (with issuewild to control wildcards separately and iodef to be told about refused requests), and every publicly trusted CA has been required to check it before issuing since 2017. Note that CAA constrains issuance, not validation: browsers never look at it, so it protects you against mis-issuance rather than against a certificate that has already been issued. It's good to see it trending the right way.
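To make the check concrete, here is an added example (not the crawler's code, and not a complete CA implementation) that evaluates CAA the way an issuing CA must under RFC 8659: climb to the nearest ancestor with a CAA RRset, then apply issue, issuewild and the critical flag. The zone, the hostnames under example.com and the CA identifiers are constructed; a real check would fetch each RRset from DNS, and CA-specific parameters such as accounturi are deliberately ignored:

```python
"""Evaluate CAA records the way an issuing CA must (RFC 8659): climb to the
nearest ancestor with a CAA RRset, then apply issue / issuewild / critical
flags.

Added example written for this article; not the crawler's code and not a
complete CA implementation (no DNSSEC, no CA-specific parameters such as
accounturi or validationmethods, which are deliberately ignored here).
`ZONE` is a constructed in-memory stand-in for DNS answers; a real check
fetches each RRset with a resolver (e.g. `dig +short CAA example.com`)."""

ISSUANCE_TAGS = ("issue", "issuewild")
KNOWN_TAGS = ISSUANCE_TAGS + ("iodef",)
CRITICAL = 0x80  # issuer-critical flag bit

# name -> list of (flags, tag, value). Hypothetical names and CA identifiers.
ZONE = {
    "example.com": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", ";"),                          # empty issuer: no wildcards at all
        (0, "iodef", "mailto:security@example.com"),
    ],
    "shop.example.com": [(0, "issue", "pki.goog")],       # no issuewild: issue governs wildcards
    "legacy.example.com": [(CRITICAL, "futuretag", "x")], # critical property nobody understands
}


def relevant_rrset(name):
    """RFC 8659 section 4: the CAA RRset of the name itself, else of the
    closest ancestor that has one. Stops before the top-level label."""
    labels = name.lower().rstrip(".").split(".")
    while len(labels) > 1:
        rrset = ZONE.get(".".join(labels))
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def issuer_domain(value):
    """An issue/issuewild value is 'issuer-domain-name [; params]'. An empty
    issuer-domain-name (e.g. the value ';') authorises nobody."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(name, ca):
    """Would the CA identified by `ca` be allowed to issue for `name`?
    A wildcard request *.example.com is looked up as example.com (a literal
    '*.example.com' CAA RRset is not consulted in this simplified version)."""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(name[2:] if wildcard else name)
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    # A critical property with an unrecognised tag forbids issuance outright.
    if any(flags & CRITICAL and tag.lower() not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    tag = "issue"
    if wildcard and any(t.lower() == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"  # issuewild, when present, replaces issue for wildcards
    authorised = {issuer_domain(v) for _, t, v in rrset if t.lower() == tag}
    if not authorised:
        return True  # RRset exists (e.g. only iodef) but places no restriction
    return ca.lower() in authorised


if __name__ == "__main__":
    requests = [("www.example.com", "letsencrypt.org"), ("www.example.com", "digicert.com"),
                ("*.example.com", "letsencrypt.org"), ("*.shop.example.com", "pki.goog"),
                ("legacy.example.com", "letsencrypt.org"), ("nocaa.test", "pki.goog")]
    for req, ca in requests:
        print(f"{req:22} {ca:16} {'permitted' if may_issue(req, ca) else 'refused'}")
```

The two cases worth internalising are the wildcard ones: `issuewild ";"` at the apex blocks `*.example.com` even though Let's Encrypt is authorised for ordinary names there, while `shop.example.com`, which has no issuewild at all, lets its `issue` record cover `*.shop.example.com` as well.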

TLS versions
This is one of the cleaner success stories, but it's taken us a long time to get here.
| Version | Jun 2022 | Jun 2026 |
|---|---|---|
| TLSv1.3 | 378,162 | 576,464 |
| TLSv1.2 | 180,121 | 70,395 |
| TLSv1.1 | 0 | 0 |
| TLSv1.0 | 512 | 106 |
TLSv1.3 is up 52% and is now comfortably the dominant protocol version. TLSv1.2 has fallen 61% as sites migrate upwards. And the legacy protocols are essentially gone: TLSv1.1 is extinct, and TLSv1.0 is down to just 106 sites, a 79% drop. One caveat on reading this table: it records the version a modern client negotiated, which is the best each server offers, not the worst it still accepts. A server counted under TLSv1.3 here may still accept TLSv1.0 from an older client, so the table measures adoption of the new rather than removal of the old. After years of nagging, the back of the legacy-TLS problem is finally broken.

Cipher Suites
The cipher picture is overwhelmingly modern, led by the TLS 1.3 AEAD suites:
| Cipher Suite | Count |
|---|---|
| TLS_AES_256_GCM_SHA384 | 492,080 |
| TLS_AES_128_GCM_SHA256 | 82,080 |
| ECDHE-RSA-AES256-GCM-SHA384 | 32,027 |
| ECDHE-RSA-AES128-GCM-SHA256 | 23,070 |
| ECDHE-ECDSA-CHACHA20-POLY1305 | 5,628 |
| ECDHE-RSA-CHACHA20-POLY1305 | 3,130 |
| ECDHE-ECDSA-AES256-GCM-SHA384 | 2,853 |
| TLS_CHACHA20_POLY1305_SHA256 | 2,304 |
As with the version table, this is the suite negotiated with a modern client, so it reflects each server's preferred choice rather than the full list it would accept. Even so, the old CBC-mode and non-PFS suites have dwindled to a rounding error. Forward secrecy is effectively universal at the top of the web.

Key Exchange and the arrival of post-quantum
This is the development I've been waiting to be able to measure — and it's further along than I'd have guessed.
| Key Exchange Group | Count |
|---|---|
| X25519MLKEM768 (post-quantum hybrid) | 358,115 |
| X25519 | 231,406 |
| ECDH P-256 (prime256v1) | 38,453 |
| ECDH P-384 (secp384r1) | 13,293 |
| ECDH P-521 (secp521r1) | 4,975 |
| DH 2048 / 3072 / 4096 | 294 |
358,115 sites, around 44% of everything that responded and over half of the sites that negotiated TLS at all, negotiated a post-quantum hybrid key exchange.
X25519MLKEM768 combines the classical X25519 curve with ML-KEM-768, the NIST-standardised (FIPS 203) post-quantum key-encapsulation mechanism formerly known as Kyber. In the hybrid, both the X25519 shared secret and the ML-KEM shared secret are concatenated and fed into the TLS key schedule together, so the result is no weaker than plain X25519 if ML-KEM turns out to be flawed, and it resists a future quantum computer if X25519 falls. That is what defeats "harvest now, decrypt later" attacks, where an adversary records encrypted traffic now in the hope of decrypting it with a future quantum computer. For a huge swathe of the web, that future threat is already mitigated for the session keys. One caveat: only the key exchange is post-quantum. Certificates and handshake signatures are still ECDSA or RSA, which is fine against recording attacks (a signature cannot be broken retroactively to read old traffic) but means the authentication side of the transition is still ahead of us.

What's remarkable is how quietly this happened. A couple of years ago, post-quantum TLS was a research curiosity you had to go out of your way to enable. Today it's the single most common key-exchange group on the web, ahead of plain X25519 — because Cloudflare and Google turned it on by default and, between them, front an enormous fraction of the top million. It's the clearest example I have of how much leverage a handful of infrastructure providers now hold: one default flip, and quantum-safe key agreement goes mainstream across hundreds of thousands of sites overnight.
(A note on measurement: classical key exchange is overwhelmingly X25519 now, with the NIST P-curves a distant second and finite-field DH all but gone. To see the PQC group at all I had to upgrade the crawler to OpenSSL 3.5 — older clients simply don't offer the hybrid groups, which is a neat illustration of why client support is the gating factor for adoption.)
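For anyone who wants to confirm what a server actually negotiated rather than trust a client's summary line, here is an added example (not the crawler's code) that reads the key_share out of a TLS 1.3 ServerHello, maps the group code point to the names in the table above, and checks that the share is the size that group requires (1,120 bytes for X25519MLKEM768: a 1,088-byte ML-KEM-768 ciphertext followed by a 32-byte X25519 share). The records are constructed with filler bytes in place of real key material; the group code points and share sizes are the IANA and draft-ietf-tls-ecdhe-mlkem values, assumed here rather than taken from the page:

```python
"""Pull the negotiated key-exchange group out of a TLS 1.3 ServerHello and
sanity-check the size of the server's key_share against what that group
requires.

Added example written for this article, not the crawler's code. The records
below are constructed by hand with filler bytes instead of real key material
so everything runs offline. With a live server you would feed in the first
record the server sends, or simply read the "Negotiated TLS1.3 group:" line
that `openssl s_client` (3.5 or later, which offers the hybrid groups) prints."""
import struct

# IANA supported_groups code points for the groups in the table above, with
# the expected length of the *server's* key_share entry and whether the group
# is a post-quantum hybrid. ML-KEM ciphertexts are 768 (ML-KEM-512),
# 1088 (ML-KEM-768) and 1568 (ML-KEM-1024) bytes.
GROUPS = {
    0x0017: ("secp256r1", 65, False),
    0x0018: ("secp384r1", 97, False),
    0x0019: ("secp521r1", 133, False),
    0x001D: ("X25519", 32, False),
    0x0100: ("ffdhe2048", 256, False),
    0x0101: ("ffdhe3072", 384, False),
    0x0102: ("ffdhe4096", 512, False),
    0x11EB: ("SecP256r1MLKEM768", 65 + 1088, True),   # P-256 point || ML-KEM-768 ct
    0x11EC: ("X25519MLKEM768", 1088 + 32, True),      # ML-KEM-768 ct || X25519 share
    0x11ED: ("SecP384r1MLKEM1024", 97 + 1568, True),  # P-384 point || ML-KEM-1024 ct
}
KEY_SHARE = 0x0033
HANDSHAKE, SERVER_HELLO = 22, 2


def parse_server_hello(record):
    """Return (group_name, share_length, is_post_quantum) from one TLS record
    holding a ServerHello. Raises ValueError for anything it cannot trust."""
    if len(record) < 5:
        raise ValueError("record too short")
    content_type, _version, length = struct.unpack("!BHH", record[:5])
    body = record[5:5 + length]
    if content_type != HANDSHAKE or len(body) != length:
        raise ValueError("not a complete handshake record")
    if body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                # legacy_version + random
    pos += 1 + hello[pos]                       # legacy_session_id_echo
    pos += 2 + 1                                # cipher_suite + legacy_compression_method
    ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end != len(hello):
        raise ValueError("extensions length does not match ServerHello length")
    while pos < end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        data = hello[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != KEY_SHARE:
            continue
        if len(data) == 2:
            # HelloRetryRequest form: a group but no share. The server wants a
            # group the client listed in supported_groups but sent no key for.
            raise ValueError("HelloRetryRequest, no key share yet")
        group, share_len = struct.unpack("!HH", data[:4])
        if len(data) != 4 + share_len:
            raise ValueError("key_share entry is truncated")
        name, expected, is_pq = GROUPS.get(group, (f"unknown(0x{group:04x})", None, False))
        if expected is not None and share_len != expected:
            raise ValueError(f"{name}: {share_len}-byte share, expected {expected}")
        return name, share_len, is_pq
    raise ValueError("no key_share extension")


def describe(record):
    """One-line verdict suitable for a crawler log."""
    try:
        name, share_len, is_pq = parse_server_hello(record)
    except (ValueError, struct.error) as exc:
        return f"rejected: {exc}"
    kind = "post-quantum hybrid" if is_pq else "classical"
    return f"{kind} ({name}, {share_len}-byte server share)"


def build_server_hello(group, share):
    """Constructed TLS 1.3-shaped ServerHello for testing; not a real handshake."""
    exts = struct.pack("!HHH", 0x002B, 2, 0x0304)              # supported_versions = 1.3
    exts += struct.pack("!HHHH", KEY_SHARE, 4 + len(share), group, len(share)) + share
    hello = (b"\x03\x03" + bytes(range(32))                     # legacy_version, filler random
             + b"\x00"                                          # empty session id echo
             + b"\x13\x02"                                      # TLS_AES_256_GCM_SHA384
             + b"\x00"                                          # no compression
             + struct.pack("!H", len(exts)) + exts)
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


# Filler "shares" of the right sizes (constructed, not real key material).
PQ_RECORD = build_server_hello(0x11EC, bytes((i * 7 + 3) & 0xFF for i in range(1120)))
CLASSIC_RECORD = build_server_hello(0x001D, bytes(range(32)))
SHORT_PQ_RECORD = build_server_hello(0x11EC, bytes(32))  # claims ML-KEM, ships 32 bytes

if __name__ == "__main__":
    for rec in (PQ_RECORD, CLASSIC_RECORD, SHORT_PQ_RECORD):
        print(describe(rec))
```

With a live server, capture the first record the server returns (from a pcap, for example) and pass it in; an `openssl s_client -connect host:443 -groups X25519MLKEM768:X25519` session with OpenSSL 3.5 gives the same answer on its "Negotiated TLS1.3 group" line when you do not need the bytes. The HelloRetryRequest branch is the one to remember when measuring: a server that prefers the hybrid group but receives no share for it will ask the client to try again, and a crawler that only looks at the first server record will misread that as a failed or classical handshake.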
Authentication Keys
A quieter milestone, but a real one: ECDSA has overtaken RSA. Finally!
| Key type | Jun 2022 | Jun 2026 |
|---|---|---|
| RSA | 392,191 | 306,042 |
| ECDSA | 165,438 | 340,498 |
And by key size, 256-bit ECDSA is now the single most common choice, having overtaken 2048-bit RSA:
| Key size | Jun 2022 | Jun 2026 |
|---|---|---|
| 256-bit (ECDSA P-256) | 157,878 | 332,437 |
| 2048-bit (RSA) | 353,376 | 263,394 |
| 4096-bit (RSA) | 35,977 | 38,779 |
| 384-bit (ECDSA P-384) | 7,560 | 8,061 |
Smaller, faster, modern elliptic-curve keys have won the argument. The remaining RSA install base is large but now clearly in decline, and the oversized pile of 4096-bit RSA keys has barely grown. That pile is mostly wasted effort: P-256 offers roughly the 128-bit security level of 3072-bit RSA with a far cheaper handshake, so a 4096-bit RSA key buys little beyond a slower handshake and a bigger certificate.


OCSP stapling
210,377 sites staple an OCSP response to their handshake, sparing clients a separate round-trip to the CA to check revocation (does anyone still do that?). It's worth noting this is a technology on the way out: the CA/Browser Forum has made OCSP optional for CAs, Let's Encrypt has already shut down its OCSP responders in favour of CRLs, and browsers increasingly get revocation data in bulk from their vendor (Chrome's CRLSets, Firefox's CRLite) rather than asking the CA per connection. Combine that with short-lived certificates and stapling matters less every year: when your certificate only lives 90 days (or soon 47), the window in which a revocation needs to reach anyone is a much smaller problem to begin with. A nice example of one part of the ecosystem (short lifetimes) quietly dissolving the need for another (revocation infrastructure).

Encrypted Client Hello (ECH)
The biggest remaining metadata leak in the TLS handshake is the Server Name Indication field: the hostname you're connecting to, sent in the clear in the ClientHello. Encrypted Client Hello closes it by encrypting the real ClientHello to a public key the site publishes in its DNS HTTPS record; the outer, plaintext ClientHello carries only a shared public name (typically the CDN's), so an on-path observer sees which provider you reached but not which site. Adoption is already substantial: 199,959 sites publish an ECH configuration in their DNS HTTPS record, with 278,778 sites publishing a DNS HTTPS/SVCB record at all. Two caveats: publishing the config is only half the story, since the client has to support ECH and fetch that record, and ECH only hides the hostname if the DNS lookup itself is encrypted (DoH or DoT), otherwise the name simply leaks in the query instead. Like the post-quantum rollout above, it's a privacy win that's landed years ahead of where I'd have expected, and one most site owners got without lifting a finger.
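What that DNS record actually carries is worth seeing. The added example below (not the crawler's code) pulls the ech= parameter out of an HTTPS record in dig's presentation format, decodes the ECHConfigList, and reports the HPKE KEM, the cipher suites and, most importantly, the public_name that an ECH-capable client will put in the cleartext outer SNI. The record and ECHConfig are constructed (filler public key, hypothetical names), and the structure follows draft-ietf-tls-esni version 0xfe0d, which is assumed here rather than stated on the page:

```python
"""Decode the ECH configuration a site publishes in its DNS HTTPS record and
report the public name the outer ClientHello will carry.

Added example written for this article, not the crawler's code. The HTTPS
record below is a constructed sample in `dig` presentation format wrapping a
hand-built ECHConfigList (filler bytes for the HPKE public key); the host and
public name are hypothetical."""
import base64
import struct

ECH_VERSION = 0xFE0D  # the ECHConfig version deployed on the web today
HPKE_KEM = {0x0010: "DHKEM(P-256, HKDF-SHA256)", 0x0020: "DHKEM(X25519, HKDF-SHA256)"}
HPKE_KDF = {0x0001: "HKDF-SHA256"}
HPKE_AEAD = {0x0001: "AES-128-GCM", 0x0002: "AES-256-GCM", 0x0003: "ChaCha20Poly1305"}


def ech_param_from_https_rr(rr_line):
    """Return the raw ECHConfigList from one HTTPS RR in presentation format,
    e.g. 'example.com. 300 IN HTTPS 1 . alpn="h2" ech="<base64>"'. None if absent."""
    for token in rr_line.split():
        if token.startswith("ech="):
            return base64.b64decode(token[4:].strip('"'))
    return None


def parse_ech_config_contents(b):
    """ECHConfigContents for version 0xfe0d: HpkeKeyConfig, then
    maximum_name_length, public_name and extensions."""
    config_id = b[0]
    kem_id, pk_len = struct.unpack("!HH", b[1:5])
    public_key = b[5:5 + pk_len]
    pos = 5 + pk_len
    suites_len = struct.unpack("!H", b[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!HH", b[i:i + 4]) for i in range(pos, pos + suites_len, 4)]
    pos += suites_len
    max_name_len = b[pos]
    pos += 1
    name_len = b[pos]
    public_name = b[pos + 1:pos + 1 + name_len].decode("ascii")
    pos += 1 + name_len
    ext_len = struct.unpack("!H", b[pos:pos + 2])[0]
    if pos + 2 + ext_len != len(b):
        raise ValueError("ECHConfig extensions length mismatch")
    return {
        "config_id": config_id,
        "kem": HPKE_KEM.get(kem_id, f"unknown(0x{kem_id:04x})"),
        "public_key_len": len(public_key),
        "suites": [(HPKE_KDF.get(k, hex(k)), HPKE_AEAD.get(a, hex(a))) for k, a in suites],
        "max_name_length": max_name_len,
        "public_name": public_name,
    }


def parse_ech_config_list(blob):
    """Parse an ECHConfigList; configs of unknown versions are skipped, as a
    client is required to do."""
    total = struct.unpack("!H", blob[:2])[0]
    if total != len(blob) - 2:
        raise ValueError("ECHConfigList length mismatch")
    pos, configs = 2, []
    while pos < len(blob):
        version, length = struct.unpack("!HH", blob[pos:pos + 4])
        body = blob[pos + 4:pos + 4 + length]
        pos += 4 + length
        if version == ECH_VERSION:
            configs.append(parse_ech_config_contents(body))
    return configs


def outer_sni_for(rr_line):
    """What an ECH-capable client will send in the cleartext SNI, or None
    when the record carries no usable ECH config."""
    blob = ech_param_from_https_rr(rr_line)
    if blob is None:
        return None
    configs = parse_ech_config_list(blob)
    return configs[0]["public_name"] if configs else None


def build_ech_config(config_id, kem_id, public_key, suites, public_name, max_name_len=0):
    """Constructed ECHConfig (version 0xfe0d) for the sample record."""
    suites_bytes = b"".join(struct.pack("!HH", k, a) for k, a in suites)
    contents = (bytes([config_id]) + struct.pack("!HH", kem_id, len(public_key)) + public_key
                + struct.pack("!H", len(suites_bytes)) + suites_bytes
                + bytes([max_name_len, len(public_name)]) + public_name.encode("ascii")
                + struct.pack("!H", 0))                         # no extensions
    return struct.pack("!HH", ECH_VERSION, len(contents)) + contents


# Constructed sample: one current-version config plus a future-version stub
# the parser must ignore. Filler public key, not a real X25519 point.
SAMPLE_LIST = (lambda body: struct.pack("!H", len(body)) + body)(
    build_ech_config(7, 0x0020, bytes((i * 13 + 5) & 0xFF for i in range(32)),
                     [(0x0001, 0x0001), (0x0001, 0x0003)], "cdn.example.net")
    + struct.pack("!HH", 0xFE0E, 3) + b"\x00\x00\x00")
SAMPLE_HTTPS_RR = ('shop.example.com. 300 IN HTTPS 1 . alpn="h2,h3" ech="'
                   + base64.b64encode(SAMPLE_LIST).decode("ascii") + '"')

if __name__ == "__main__":
    print(outer_sni_for(SAMPLE_HTTPS_RR))
    print(parse_ech_config_list(ech_param_from_https_rr(SAMPLE_HTTPS_RR)))
```

Feed it the output of `dig +short HTTPS yoursite.example` (prefix the site name, as the presentation line above does) to see which provider name your visitors' outer SNI will actually show; if the first usable config's public_name is your CDN's shared hostname, the on-path observer learns only that.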

Closing thoughts
The cryptographic foundations of the web have changed enormously over the last decade. TLS 1.3 is now the dominant protocol, weak legacy versions have almost disappeared, modern cipher suites are the norm, forward secrecy is effectively universal, and short-lived, automatically issued certificates have become the default for a huge part of the web. That is a remarkable shift from where we were ten years ago.
What stands out most in this data is how much of that progress is now driven by infrastructure defaults. Certificate automation, 90-day lifetimes, ECDSA, modern TLS configuration, ECH and even post-quantum hybrid key exchange are being rolled out at enormous scale by CDNs, hosting platforms, browsers and certificate authorities. Individual site owners may not always be making these changes directly, but they are benefiting from the ecosystem moving underneath them.
There are still areas to improve, of course. CAA has plenty of room to grow, the use of ECH is still building, and the post-quantum transition is only just beginning. But compared with the broader application-security picture, the TLS and certificate ecosystem feels like it's finally in good shape. The plumbing is getting stronger, more modern, and more automated, and that gives us a much better foundation for whatever comes next.
A decade ago, we were still arguing about whether everyone really needed HTTPS. Today, the frontier is quantum resistance, and the web is quietly already crossing it.
Get the data
Everything here is open — the full per-metric files, the raw database dump, and the daily crawl data are at Crawler.Ninja.
If you missed it, part one covers the security headers, cookies, email/DNS security and the broader anniversary retrospective. Here's to the next ten years!
Crawl date: 13 June 2026. 819,002 responding sites from the Tranco Top 1 Million. Powered by Crawler.Ninja and Report URI.