This week HTTPS hit another big milestone. According to a two-week survey of telemetry data from the Mozilla Firefox browser, 50 percent of page loads used HTTPS.
“For the first time, the running average crested the 50 percent HTTPS page load mark,” said Sarah Gran, director of communications for Let’s Encrypt, the free certificate authority. “We see that as solid progress when it comes to making the entire internet more secure.”
It was only three months ago, in October, that Let’s Encrypt saw over 50 percent of HTTPS page load requests across a 24-hour window.
“We are really excited about this two-week running average that clearly demonstrates much more stability in the platform and security online,” Gran said.
Hypertext Transfer Protocol Secure (HTTPS) is a communication protocol used by both browsers and websites that provides authentication of the website and associated web server. It also offers bidirectional encryption of browser data, significantly reducing the threat of a man-in-the-middle attack.
“This rate of growth is quite spectacular,” said security researcher Troy Hunt in a blog post noting the milestone. Further analysis of HTTPS adoption by Hunt and security researcher Scott Helme shows that sites implementing HTTPS have doubled in the past year.
Hunt said there is still work to be done, however.
“Most sites are now HTTPS because… a huge portion of traffic is served from a small number of big sites. Twitter, Facebook, Gmail etc. all do all their things over HTTPS and that keeps that number quite high,” Hunt said. He wrote that only 18.4 percent of the Alexa top 1 million sites support HTTPS.
Fueling HTTPS adoption, Hunt notes, is the certificate authority Let’s Encrypt. The service, which eases the installation and renewal of certs for any site, is the largest certificate provider for the Alexa top 1 million sites, according to Helme.
“There have been some other great contributions to the HTTPS ecosystem in the past year, so we can’t take all of the credit for recent adoption. But it’s no coincidence that HTTPS adoption exploded during the month that Let’s Encrypt launched and hasn’t slowed down yet,” wrote Josh Aas, the executive director of Let’s Encrypt, in an email exchange with Threatpost.
Another contributor to HTTPS adoption has been the increase in warnings of insecure sites inside browsers. Last week, Google’s Chrome 54 browser started subtly warning Chrome users via the browser’s address bar that a site may not be safe. When users navigate to unsafe sites that prompt users for sensitive information, Chrome 54 shows a “Not secure” warning instead of a green lock.
Last week Mozilla rolled out Firefox 51, which warns browser users in a similar fashion when they land on an HTTP website collecting personal information such as passwords.
This will eventually be the experience for all HTTP pages, both Google and Mozilla said.
“Warnings about a site’s security at the time where you’re providing sensitive information is precisely the sort of thing that will force the hand of these sites,” Hunt wrote.
Hunt and others warn things are going to get even tougher for the over 80 percent of websites that don’t support HTTPS.
Browser security isn’t the only thing driving HTTPS adoption, said Hunt.
“For example, there’s the SEO bump Google started giving secure sites a couple of years ago. There’s also the fascination many governments are developing with intercepting everyone’s data, notably the likes of Australia’s Meta Data Retention law and the UK’s Snooper’s Charter (law),” Hunt wrote.
“Every time we encrypt even just another 1 percent of the Web, that is a massive amount of data that becomes protected,” Aas said.