This is the second post in my series on the security protocol HTTPS. In my last post, I discussed the origin and basic functionality of HTTPS. In this post, I discuss how HTTPS has emerged to become such a dominant protocol.
Let me start by asking a simple question: How many of the last 10 web pages you’ve visited are HTTPS?
(Note: it would be great if you could check your browser history and share the number in a survey I’m running – I will share the results in my final post in this series).
It’s no secret that HTTPS is becoming more and more popular. In December 2015, 39.5% of page loads on the web used HTTPS (as measured by Firefox Telemetry). As of September 2016, it stands at 45%.
Similar growth has been recorded by Statoperator (the graph below shows how many of the one million most popular domains are using HTTPS protocol), as well as the Trustworthy Internet Movement, who found 44.9% of websites they’d analysed use HTTPS (as of September 2016).
What has been the major cause behind such continuous growth of HTTPS? The answer is simple: the expectation of users and web domain owners to be protected under the security umbrella (authentication, integrity, confidentiality) that HTTPS provides.
Need for security and strong campaigns helping to grow popularity
Since the inception of online communication, security has been a basic concern and is intensifying every day. It’s natural for any conscious netizen to expect the best possible security to protect our personal information when we are doing financial transactions through a bank’s website or purchasing something from an e-Commerce site.
Similarly, many web domain owners want to obtain a Secure Sockets Layer (SSL) certificate, which will turn their website into an HTTPS site. This can ensure better acceptance of the site by users, increasing its activities and uplifting its organizational image. SSL certificates are now also cheaper (you can buy a certificate for USD 10 /year from professional Certificate Authorities) and easier to buy.
Learn how to get a SSL certificate
Robust campaigns promoting HTTPS, run by security organizations, have also helped increase its popularity. Two of the more popular campaigns are HTTPS Everywhere and Let’s Encrypt.
HTTPS Everywhere is a collaborative project by The Tor Project and the Electronic Frontier Foundation, which provides extensions for Firefox, Chrome, and Opera that encrypts communications with many major websites.
Let’s Encrypt is a collaborative project headed by the Linux Foundation and facilitated by the Internet Security Research Group (ISRG), which offers a free, automated and open certificate authority. It has been running massive promotions for HTTPS through both technical and educational endeavours under the sponsorship of some key online players like Facebook, Mozilla, Akamai and Cisco.
Since launching in December 2015, Let’s Encrypt has issued more than 5 million certificates to the general public. Approximately 3.8 million of these are active, and cover more than 7 million unique domains.
In my next post I will look at some of the limitations of HTTPS as well as publish the result of my survey.
Azfar Adib works for Bangladesh ISP and Telco, Grameenphone Ltd. He is focused on review and analysis of data-service related trends and their impact.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.
Nice post Azfar. I think we need to create more awareness for Letsencrypt across tech community. Many people I know still feel it costs a lot to get a SSL or it has a major setback on performance.
Why has it become popular ?
Google placing good points to website with https has turned it on. Since that moment, the wave is up.
Leading to another concern : Why google doesn’t rank better websites with ipv6 ? And DNSSEC ? At least on the first one, Google has some interest.
Hi 22decembre
I would love to see anything which promotes turning on IPv6 and DNSSEC but yes Google search is serious stuff and I think too much of changes in ranking algorithm may degrade quality. I personally wouldn’t like to see a crap result (with IPv6) over a good/more relevant result (without IPv6). But yes may be a “IPv6 green tick” or something that sort of with results might be something they could do.
I would simply recommand using the simple algo has now for https : google said it would rank better, but at a little margin. Meaning that the accuracy of results would stay the same : it’s the content that makes a good part of the ranking.
Thanks Anurag. Thanks to 22decembre as well for bringing up this interesting point (I am infact but late to reply as noticed it as published just yesterday!). Indeed , providing some better marking (in search engines) for sites having certain attributes (IPv6, DNSSEC) can boost up the adoption of these attributes .