Someone asked for a cite on the Consumer Reports claims in my Black Hat 2008 slides. I went and tracked this down, and I actually picked this up from the Meandering Wildly blog. Looks like I misread this a bit — a previous dataset had come from Consumer Reports, but the data in my Black Hat deck actually came from Venafi, a security firm that specializes in systems management. Some collateral with more of their SSL data is here. Their methodology for collecting the data, according to Meandering Wildly:
It’s a phone poll, so it’s subject to standard errors of self-reporting, and their margin of error (2.5%) is given for a 0.1 confidence interval, which is a little slack for my tastes, but they have a large (N>1000), US-Census-representative sample, which maybe gives us intellectual permission enough to keep playing.
Of course, I also spoke about the one case we have hard data on — when the New Zealand bank’s cert went bad, and 99% of people didn’t care. Information on that case can be found here. I do wonder how these numbers might be changing in light of IE8 and FF3’s dramatically improved invalid SSL certificate experiences.
In general, anything I claim, I’m only too happy to back up, so if you have any questions regarding any of the details from a talk I’ve given, don’t hesitate to ask.