That's it - I'm calling it - HTTPS adoption has now reached the moment of critical mass where it's gathering enough momentum that it will very shortly become "the norm" rather than the exception it so frequently was in the past. In just the last few months, some really significant things have happened that caused me to make this call. Here's why I think we're now at that tipping point.
We've already passed the halfway mark for requests served over HTTPS
This was one of the first signs that we'd finally hit that tipping point and it came a few months ago:
Yesterday, for the first time, @Mozilla telemetry shows more than 50% of page loads were encrypted with HTTPS. pic.twitter.com/kADcLOLsQ7— Let's Encrypt (@letsencrypt) October 14, 2016
This is really significant - Mozilla is now seeing more secure traffic than non-secure traffic. That doesn't mean that most sites are now HTTPS, because a huge portion of the traffic behind that figure is served from a small number of big sites. Twitter, Facebook, Gmail etc. all serve everything over HTTPS and that keeps the number quite high.
But let's look at individual site numbers too because the story there is also very good.
The sites implementing HTTPS doubled in a year
My good friend and fellow security aficionado Scott Helme regularly analyses the Alexa top million websites and looks at what security things they're doing. Among other things, he looks at how many of those sites are redirecting users' browsers from HTTP to HTTPS. Scott runs the scan every 6 months and here's what he's found over the last couple of years:
That's more than doubled from August 2015 to August 2016, and only a fraction under that over the last year, which is excellent news! Yes, it's still only 18.4% of websites, but that rate of growth is quite spectacular. (Thanks to Scott for giving me a sneak peek of the next set of stats due to go out next month.)
Part of what's fuelling that growth is changes in browsers and that's where the news gets even better.
Browsers are holding non-secure sites more accountable
Just last week, Chrome 56 hit and it's started doing this:
Hi @Qantas, I just went to login to my frequent flyer account and the browser is warning me that it's not secure. Is something wrong? pic.twitter.com/6Bu4v9f5Qn— Troy Hunt (@troyhunt) January 26, 2017
Yes, I'm clearly trolling Qantas and yes, they deserve it! They've long had a very poor HTTPS implementation (things like mixed content) which is unacceptable for a service heavily used by people in higher-risk "man in the middle" (MitM) situations like airports and hotels. I was actually in touch with them some time back and outlined a raft of issues but unfortunately, here we still are.
Anyway, the point with Chrome 56 is that it's now holding sites using practices like this to account. Warnings about a site's security at the time when you're providing sensitive information are precisely the sort of thing that will force the hand of these sites. This has been on the cards for some time already, with Eric Lawrence posting a very clear blog post about it in October. Firefox is now doing something similar as of version 51, which also hit last week:
Hi @Qantas, I just went to login to my frequent flyer account and the browser is warning me that it's not secure. Is something wrong? pic.twitter.com/5ZuUX3j4AE— Troy Hunt (@troyhunt) January 28, 2017
Yeah, I know, I couldn't help myself :)
But it's more than just non-secure login forms too. In that blog post, Eric also warned of a much more significant upcoming change:
Eventually, Chrome will show a Not Secure warning for all pages served over HTTP
Google has been talking about this for a while now and I wrote about how broken today's web will feel in Chrome's secure-by-default future back in September. This, more than just about anything, is a very good reason to go HTTPS sooner rather than later.
We're seeing more abuses of unencrypted HTTP traffic
I want to give just a few examples here of requests to everyday, normal old web sites that are being intercepted and modified by MitM attacks. Websites such as my old blog:
Oh @Fly_Norwegian ... you didn't just do that?!? /cc @troyhunt pic.twitter.com/1QpsOlUDxX— David Peter Hansen (@DPHansen) January 10, 2016
Or websites accessed over Comcast's network:
Comcast is injecting Bandwidth cap warnings into websites. Remember, when I signed up for this I asked if there was a cap and they said no. pic.twitter.com/rCvzLNtpEu— Scott Manley (@DJSnM) December 29, 2016
Or any non-secure site requested when you first connect to hotel wifi as I've been doing on the trip I'm currently on:
That first request to CNN sent all the cookies I had that were valid for the site, and that response could very easily have been redirected to somewhere else. As it happened, all the other tabs to the left were loaded over HTTPS, so they remained grey and threw an appropriate error rather than putting my privacy at risk:
We connect more things to more untrusted networks than ever before and we need more protection. Fortunately, this is something that more sites are starting to realise, even ones not handling sensitive info.
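The three concrete things called out above (the HTTP-to-HTTPS redirect that Scott Helme's scan counts, the cookies that ride along on a plain HTTP request, and the mixed content that still gets a site flagged) can all be checked statically from a site's responses. The following is an added example, not code from this post, from Scott's crawler or from any browser vendor: it takes the raw status line, headers and body of an HTTP and an HTTPS response as strings, so it runs offline against constructed sample responses, and reports which of those HTTPS-rollout basics are in place. The sample responses, the example.com host names and the function names are all assumptions made for the illustration.

```python
"""Static checks for an HTTPS rollout, run over constructed sample responses.

Added example (hypothetical, not from the original post). Feed it what an
HTTP client actually returned to check a real site.
"""
import re
from urllib.parse import urlparse


def parse_response(raw):
    """Split a raw HTTP response into (status_code, headers, body).

    headers is a list of (lower-cased name, value) pairs rather than a dict so
    that repeated headers such as Set-Cookie are all kept.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def header(headers, name):
    """All values of the named header (name compared case-insensitively)."""
    return [v for n, v in headers if n == name.lower()]


def redirects_to_https(status, headers):
    """The criterion Scott Helme's scan counts: a request to http:// is
    answered with a redirect whose Location is an https:// URL."""
    location = header(headers, "Location")
    return status in (301, 302, 307, 308) and bool(location) \
        and urlparse(location[0]).scheme == "https"


def has_hsts(headers):
    """Strict-Transport-Security tells returning browsers never to send that
    first plain-HTTP request (the one that leaked the CNN cookies above)."""
    return bool(header(headers, "Strict-Transport-Security"))


def insecure_cookies(headers):
    """Names of cookies set without the Secure attribute. Without it the
    browser will also attach the cookie to a plain http:// request."""
    missing = []
    for value in header(headers, "Set-Cookie"):
        parts = [p.strip() for p in value.split(";")]
        name = parts[0].split("=", 1)[0]
        if not any(p.lower() == "secure" for p in parts[1:]):
            missing.append(name)
    return missing


# Subresources loaded over plain HTTP from an HTTPS page (mixed content).
# Requires whitespace before src/href so attributes like data-src are skipped.
MIXED_RE = re.compile(
    r"""<(?:script|img|link|iframe)\b[^>]*?\s(?:src|href)\s*=\s*["'](http://[^"']+)""",
    re.IGNORECASE,
)


def mixed_content(body):
    """URLs of script/img/link/iframe resources fetched over http:// ."""
    return MIXED_RE.findall(body)


def assess(raw_http, raw_https):
    """Run every check: the HTTP response for the redirect, the HTTPS response
    for HSTS, cookie flags and mixed content."""
    http_status, http_headers, _ = parse_response(raw_http)
    _, https_headers, body = parse_response(raw_https)
    return {
        "redirects_to_https": redirects_to_https(http_status, http_headers),
        "hsts": has_hsts(https_headers),
        "insecure_cookies": insecure_cookies(https_headers),
        "mixed_content": mixed_content(body),
    }


# Constructed sample responses (not captured from any real site).
HTTP_SAMPLE = "\r\n".join([
    "HTTP/1.1 301 Moved Permanently",
    "Location: https://www.example.com/",
    "Content-Length: 0",
    "", "",
])
HTTPS_SAMPLE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Strict-Transport-Security: max-age=31536000; includeSubDomains",
    "Set-Cookie: session=abc123; Path=/; HttpOnly",
    "Set-Cookie: prefs=dark; Path=/; Secure",
    "Content-Type: text/html",
    "",
    '<html><head><link rel="stylesheet" href="https://www.example.com/s.css">'
    '<script src="http://cdn.example.com/app.js"></script></head></html>',
])

if __name__ == "__main__":
    for check, result in assess(HTTP_SAMPLE, HTTPS_SAMPLE).items():
        print(f"{check}: {result}")
```

Run against the constructed samples, the report shows the redirect and HSTS in place but flags the `session` cookie (no `Secure` attribute) and the `http://cdn.example.com/app.js` script as mixed content; the last two are exactly the kind of thing the Chrome 56 and Firefox 51 indicators now surface to users.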
Many sites you wouldn't expect are now going HTTPS by default
This is a large part of what I mean by reaching the tipping point because we're seeing things like this:
https://t.co/xxkWaizPqR now defaults to HTTPS! Only 789 days since blogging about it...— Eitan Konigsburg (@eitanmk) January 10, 2017
Ars announces HTTPS by default (finally) https://t.co/LX2SPQfq5Z by @Lee_Ars— Ars Technica (@arstechnica) January 25, 2017
HTTPS is now enabled on TNW https://t.co/kF0LzBDeIn— The Next Web (@TheNextWeb) January 26, 2017
Those three tweets all occurred this month within just over two weeks of each other and they're all for media sites. Not sites (primarily) handling financial information, not just on pages collecting passwords but HTTPS everywhere, all the time. We're talking normal old plain web pages served up for passive consumption now encrypted all the way.
HTTPS has gotten fast
This isn't an entirely new development, but in recent times a combination of speed improvements in HTTPS implementations and a greater awareness of the performance upsides have helped move things along. For example, sites like istlsfastyet.com have been very good at setting the record straight, as has the emergence of other HTTPS-only upsides such as Brotli compression. And then there's this:
HTTPS is slow. No - wait - is it HTTP that's slow?! https://t.co/T49GG7oCaK pic.twitter.com/cfnYOpXMWc— Troy Hunt (@troyhunt) July 8, 2016
I watched on with much amusement at some of the outrage which followed that tweet before writing I wanna go fast: HTTPS' massive speed advantage. HTTP/2 being tied to HTTPS (more specifically, browsers not supporting HTTP/2 over unencrypted connections) has weighted the scales in favour of going secure. And if you don't have a web server that supports HTTP/2, you can still get it for free with Cloudflare. Which brings me to the next point...
Cloudflare and Let's Encrypt have made HTTPS free and easy
Two of the biggest hurdles I hear for HTTPS when I run my workshops are "price and effort". The former is obvious; the latter relates to both the initial setup in terms of obtaining and configuring the certificate, then the necessity to renew it every year and repeat the process. Both Cloudflare and Let's Encrypt change this fundamentally.
To be fair, they're very different philosophies; Cloudflare is a reverse proxy which man in the middles your traffic by design, whilst Let's Encrypt is a free CA that makes installation and renewal of certs easy. They both do different things, both well and poorly, depending on what's important to you. Cloudflare may send some of your traffic unencrypted depending on how you configure it, whilst Let's Encrypt can be painful (and unacceptably risky) to configure in some environments.
The great thing about having both of these though is that we have choices to create secure sites at a price and effort we never had until recently. As the barriers to adoption are removed, adoption increases.
The factors driving HTTPS go beyond just the few key ones I've listed here. For example, there's the SEO bump Google started giving secure sites a couple of years ago. There's also the fascination many governments are developing with intercepting everyone's data, notably the likes of Australia's metadata retention law and the UK's "Snooper's Charter". Whilst HTTPS doesn't prohibit governments from seeing who's sending data to whom, it protects the contents of the communication, which is a big step in the privacy direction.
There's never been a better time to move to HTTPS and not just because it's the right thing to do, but because there's also increasing pressure to do it. Access to newer, faster protocols, browser warnings and simply protecting customers from other nasty things are all very good reasons. Or choose not to just yet and wait for the browsers to start explicitly flagging sites not served over HTTPS as "non-secure" along with an unwanted visual indicator, that oughta do it...