I recently announced a new project to publish my crawler data, and whilst I was there I decided to see what else I could do with the data. Looking over historic crawls, we can see when sites make the switch from EV down to DV/OV.
For more details on the crawler you can check out the site https://crawler.ninja or look at my launch blog. Once the process is fully automated you will be able to see my daily crawl data there along with all of the statistics Troy Hunt and I use for the WhyNoHTTPS? project. The raw data files are available for anyone to download and use and there's definitely further analysis that can be done outside that which I'm already doing. Whilst setting up the project and thinking of additional uses for the data I decided to search an old crawl for sites that used to have EV certs but don't have them in a current crawl.
Sites that used to have EV
Here's a selection of just a few sites from the list and I've included the Alexa rank, both global and in the USA, for the first few as they're pretty big sites that have made the change. It's interesting that such big sites have made the switch and in honesty I've not heard a single thing about any of them, have you?
Are Twitter making the switch?
There's already been some controversy in the past about how Twitter use EV in some regions and not in others. Troy covered this in his blog On The (Perceived) Value of EV Certs, Commercial CAs, Phishing and Let's Encrypt and how it was interesting that up until that point, we hadn't really noticed this at all... Well, he noticed something else recently too:
Hey, anyone else notice that Twitter recently ditched their EV certs? I'd love to know why (I mean other than the fact they're completely useless). @Scott_Helme?— Troy Hunt (@troyhunt) August 21, 2018
Looks like the move kicked off a couple of months ago: https://t.co/wLeZmfPFp4
If you take a look at the search results over on crt.sh then you can see that all recent cert renewals for Twitter seem to be for OV certs rather than EV certs.
I never really got the point of OV, given they're harder and more expensive to get but receive the same UI treatment as DV, but it does look like recent renewals are moving towards OV and not EV. Perhaps it's because they need wildcard certs, which you can't have with EV, or perhaps there's another reason, but it would be really interesting to know. If you work at Twitter or can think of a reason why, drop by in the comments below!
From the perspective of the crawler it's quite difficult to tell whether or not a site has an EV certificate as there isn't a flag or 'setting' I can look for in the certificate like EV=true. What that means though is that I can be fairly sure I'm detecting most EV certs but possibly not quite all. In terms of this list though, any site that's on here I'm sure used to have EV, but there may have been another site or two that were missed off.
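One way to approximate both the EV check and the old-versus-new crawl comparison, as an added example that is not the crawler's own code: it assumes each crawl record carries the policy OIDs from the certificate's certificatePolicies extension, and the function names, record layout and sample hosts are all hypothetical. A certificate whose OIDs are unrecognised is set aside for review rather than counted as having dropped EV, which mirrors the "most but not quite all" caveat above.

```python
# Added example. Record layout, function names and sample data are assumptions,
# not the crawler's real format or its actual detection logic.
CABF_EV = "2.23.140.1.1"  # CA/Browser Forum EV policy OID
CABF_NON_EV = {"2.23.140.1.2.1": "DV", "2.23.140.1.2.2": "OV"}
# CA-specific EV OIDs have to be listed by hand. This set is deliberately
# partial (DigiCert only), which is how a heuristic like this misses some EV.
CA_EV_OIDS = {"2.16.840.1.114412.2.1"}

def classify(policy_oids):
    """Return 'EV', 'OV', 'DV' or 'unknown' from certificatePolicies OIDs."""
    oids = set(policy_oids)
    if CABF_EV in oids or oids & CA_EV_OIDS:
        return "EV"
    for oid, level in CABF_NON_EV.items():
        if oid in oids:
            return level
    return "unknown"

def dropped_ev(old_crawl, new_crawl):
    """Compare two crawls: (hosts that left EV -> new level, hosts to review)."""
    dropped, review = {}, []
    for host, old_oids in old_crawl.items():
        if classify(old_oids) != "EV" or host not in new_crawl:
            continue  # never EV, or not seen in the current crawl
        now = classify(new_crawl[host])
        if now == "unknown":
            review.append(host)  # may still be EV under an OID we do not know
        elif now != "EV":
            dropped[host] = now
    return dropped, sorted(review)

# Constructed sample crawls: host -> policy OIDs seen in the leaf certificate.
OLD = {
    "shop.example": ["2.16.840.1.114412.2.1", "2.23.140.1.1"],
    "bank.example": ["2.23.140.1.1"],
    "blog.example": ["2.23.140.1.2.1"],
    "legacy.example": ["2.16.840.1.114412.2.1"],
    "gone.example": ["2.23.140.1.1"],
}
NEW = {
    "shop.example": ["2.23.140.1.2.2"],           # now OV
    "bank.example": ["2.23.140.1.1"],             # still EV
    "blog.example": ["2.23.140.1.2.1"],           # was never EV
    "legacy.example": ["1.3.6.1.4.1.99999.1.1"],  # constructed, unrecognised OID
}

if __name__ == "__main__":
    print(dropped_ev(OLD, NEW))
```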
I've come up with another use for the data and I'm hoping to write that up and publish it maybe next week but I'm also working on the August 2018 crawler report to have that published this week too. The numbers are looking pretty interesting again and we've seen some pretty interesting changes since February too. Check back for publication of that soon!