Now, more than ever, we are seeing a huge drive towards encryption on the web. In fact, encryption is now being adopted at a rate never before seen. Here are some of the notable things that have grabbed my attention recently and the evidence to back up my claim.
Adoption like never before
There are several factors pushing us towards an encrypted web and I recently covered quite a few of them in my blog titled "Still think you don't need HTTPS?". There's better SEO, faster performance, powerful features like geo-location and so on. Without doubt though, one of the biggest things that has helped to increase the rate at which encryption is being adopted on the web is Let's Encrypt, the free Certificate Authority. I have a blog on "Getting started with Let's Encrypt" if you want to get your site up and running on HTTPS, but how much of an impact have free certificates had on our transition to an encrypted web? This much:
This is data from Mozilla, who make the Firefox browser, on what percentage of page loads they see taking place over HTTPS in the browser. Prior to the launch of Let's Encrypt we were seeing an increase of around 1% every 4 months, which is pretty steady growth. Since the launch of Let's Encrypt, however, we've seen growth of around 1% per month!!! That's a staggering rate of change for the Internet and is a true testament to what lowering the barrier to entry for security can do. I did some related research in February on the use of security headers in the Alexa Top 1 Million and found that the number of sites in the Alexa Top 1 Million most popular sites on the Internet that redirected from HTTP to HTTPS had increased by 42% in less than 6 months!
Following on from the research in February I ran the crawl again and I'm pleased to report that not only did HTTPS adoption continue, the rate at which HTTPS is being adopted has also increased!
In the 6 months from February 2016 to August 2016 I saw a 46.43% increase in the use of HTTPS in the Alexa Top 1 Million taking the total up to 13.76%. It's not just me that is seeing these huge improvements, either. From the Mozilla telemetry from Firefox I can see we're very quickly approaching 50% of all page loads in Firefox taking place over HTTPS!
source: Mozilla Telemetry
On top of this there was also a great article by Guy Podjarny at Snyk titled HTTPS adoption doubled this year. They drew on data from BuiltWith and the HTTP Archive and came up with the following.
Lastly, to round it off, Google have literally just announced that more than 50% of page loads in Chrome now take place over HTTPS!
We recently hit a milestone with more than half of Chrome desktop page loads now served over HTTPS
source: Google Security Blog
In the same blog they also dropped the news that pages served over HTTP that ask for card details or user credentials will start to get warnings and, eventually, HTTP will just be marked red with a not secure warning!
Who is migrating to HTTPS?
There have been quite a few notable examples recently so let's take a look at who's encrypting on the web.
In their transparency report on HTTPS Google have published some really interesting data on how they're moving to 100% encrypted comms across their products and services.
In the 2 year period from Jan 2014 to Jan 2016 Google took their traffic from being 53% encrypted to 76% encrypted, a jump of 23%, which is pretty massive when you consider their size and scale. Broken down by product we can see some interesting trends, including the fact that advertising is one of the biggest climbers.
Advertising is probably one of the biggest things holding other sites back from their migration, as they obviously don't want mixed-content warnings, so seeing this climbing at such a high rate is pretty encouraging.
Whilst writing this article there was a big win with Google announcing that YouTube was being added to their transparency report on HTTPS (YouTube Engineering Blog, Google Security Blog). At present, 97% of YouTube traffic is served over HTTPS.
One of the other really interesting things about this announcement was that HTTPS has improved the user experience for most clients!
We found that HTTPS improved quality of experience on most clients: by ensuring content integrity, we virtually eliminated many types of streaming errors.
HTTPS was always a 'premium' offering for many hosting providers but if we want to see 100% adoption on the web, this simply can't be the case.
WordPress is one of the most notable sites to adopt free certificates from Let's Encrypt at scale and offered free encryption to all WordPress.com sites earlier this year. This required zero input from their users in terms of cost or technical ability; they just woke up one day and had an HTTPS-capable site. Easy peasy.
Technically another Google product but even blogs are important enough to be getting HTTPS on a wide scale. Google have announced that every single Blogspot blog now has HTTPS support.
Everyone has heard of Bitly, the URL shortening service, and they've recently teamed up with Let's Encrypt to generate certificates for some 40,000+ domains that Bitly manage to create custom short links for their customers. You can read more over on the Help Net Security article.
For a huge news website, I don't envy the task of migrating an enormous catalogue of content from HTTP to HTTPS, especially not when you have things like advertising to contend with too. That hasn't stopped Wired.com though, and they've recently started their migration to HTTPS and are publishing details about their journey too.
Continuing the news website theme, Ars Technica have also announced that they too will be migrating to serving content securely.
We have to understand that for sites of this size this really isn't a cheap or easy task, yet there is still enough motivation for them to be doing it.
The story of Yell moving to HTTPS is quite an interesting one too. Steve Workman, Head of Web Engineering, thought to himself “We’re a business directory, why do we need to be secure?”, but when you think about the kind of things that people could search for in a business directory, you can see why.
The PaaS provider is now offering free SSL to all as a beta service and is rolling this out to all users over the coming weeks. They explained how "Encrypted communication has gradually become a default requirement for all web applications on the Internet".
Another big win came along whilst I was writing this article when Netflix announced that they were also going to start using encryption to protect video streams. Yes, that's right, even when you're watching Toy Story on Netflix your traffic will now be encrypted. That's 125 million hours of video streaming every day that will now be encrypted.
Even Governments are tracking their migration to HTTPS
I've seen SSL Pulse sites for both the UK and USA Governments and they are both tracking their progress in the migration from HTTP to HTTPS. You can see the gov.uk site and the .gov site online right now to see how they're getting on.
The SSL Pulse from SSL Labs
I'm sure many of you have heard of SSL Labs, created by Ivan Ristic, which has the awesome SSL Server Test to analyse your site and tell you how well you've deployed encryption or what problems you need to fix. The grading system will probably jog your memory if you've not heard of it by name. Here are my results.
Alongside the SSL Server Test they also have the SSL Pulse which tracks the SSL implementation across ~150,000 popular websites. There are literally loads of metrics that they track over there so go and check the site out, but I've grabbed a few samples of the total number of secure sites going back a few months each time.
From another independent source we can see fairly conclusive data that demonstrates a rapid rate of change towards encryption.
There are no doubt other big wins for encryption on the web out there, and more to come in the weeks and months ahead. Please leave comments below for anything that you find and I will update the article with additional links here: