Phishiest Certificate Authorities
Top 10 based on active phishing incidents using certificates with reviewable hostnames
This table show the top 10 phishiest certificate authorities, based on the number of currently blocked phishing sites with an associated valid, trusted SSL certificate where the CA has had a chance to review the deceptive domain name or host name. For example, we do not include a block of borclays.netcraft.com as the associated certificate is valid for *.netcraft.com.
Find out more about Netcraft's Services for Certificate Authorities, including Phishing Alerts for CAs and Deceptive Domain Scoring.
| Certificate Authority | Currently Blocked Phishing Certificates |
|---|---|
| Sectigo | 17,012 |
| Let's Encrypt | 15,030 |
| DigiCert | 6,402 |
| ZeroSSL | 431 |
| Actalis | 64 |
| GlobalSign | 36 |
| 35 | |
| GoDaddy | 27 |
| GoGetSSL | 13 |
| Amazon | 12 |
Note: Authorities are ranked by the number of certificates blocked.
This graphs shows the number of phishing SSL certificates used by blocked phishing sites on each day over the last year, broken down by CA. Certificates only count for the days in which their associated phishing site is included in the Netcraft Phishing Site Feed, and the certificate has neither expired nor been revoked.