The Electronic Frontier Foundation (EFF) reported that, as of February, approximately half of Internet traffic was protected by HTTPS, making us safer from the eavesdropping, content hijacking, cookie stealing, and censorship that HTTPS can protect against.
Mozilla backed that up, stating that the average volume of encrypted web traffic on Firefox now surpasses the average unencrypted volume. Google Chrome's figures on HTTPS usage are consistent with that finding, showing that over 50% of all pages loaded are protected by HTTPS across different operating systems.
This milestone is a combination of HTTPS implementation victories involving tech giants, large content providers, small websites and users themselves.
Starting in 2010, privacy advocates pushed tech companies to follow crypto best practices, applauding when Facebook and Twitter implemented HTTPS by default, and when Wikipedia and several other popular sites later followed suit. Google put pressure on the tech community by using HTTPS as a signal in search ranking algorithms and, starting this year, showing security warnings in Chrome when users load HTTP sites that request passwords or credit card numbers.
EFF's Encrypt the Web Report also played a big role in tracking and encouraging specific practices. Recently other organizations have followed suit with more sophisticated tracking projects. For example, Secure the News and Pulse track HTTPS progress among news media sites and U.S. government sites, respectively.
HTTPS implementation needs to be accessible to independent, smaller websites. Let's Encrypt and Certbot are game changers, turning the process into an easy and affordable task for webmasters across a range of resource and skill levels.
Let's Encrypt is a Certificate Authority (CA) run by the Internet Security Research Group (ISRG) and founded by EFF, Mozilla, and the University of Michigan, with Cisco and Akamai as founding sponsors. As a CA, Let's Encrypt issues and maintains digital certificates that help web users and their browsers know they're actually talking to the site they intended to. CAs are crucial to secure, HTTPS-encrypted communication, as these certificates verify the association between an HTTPS site and a cryptographic public key. Through EFF's Certbot tool, webmasters can get a free certificate from Let's Encrypt and automatically configure their server to use it.
Since the EFF announced that Let's Encrypt was the web's largest certificate authority last October, it has exploded from 12 million certs to over 28 million. Most of Let's Encrypt's growth has come from giving previously unencrypted sites their first-ever certificates.
A large share of these leaps in HTTPS adoption are also thanks to major hosting companies and platforms--like WordPress.com, Squarespace, and dozens of others--integrating Let's Encrypt and providing HTTPS to their users and customers.
Unfortunately, you can only use HTTPS on websites that support it--and about half of all web traffic is still with sites that don't. However, when sites partially support HTTPS, users can step in with the HTTPS Everywhere browser extension.
A collaboration between EFF and the Tor Project, HTTPS Everywhere makes your browser use HTTPS wherever possible. Some websites offer inconsistent support for HTTPS, use unencrypted HTTP as a default, or link from secure HTTPS pages to unencrypted HTTP pages. HTTPS Everywhere fixes these problems by rewriting requests to these sites to HTTPS, automatically activating encryption and HTTPS protection that might otherwise slip through the cracks.
Hat tip to Dave Ries – and here's to fully encrypted web traffic in our future!
E-mail: firstname.lastname@example.org Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology