In October 2016 Mozilla Telemetry showed more than 50% of page loads were encrypted with HTTPS. This week Let’s Encrypt is reporting that more than 50% HTTPS page loads is now the norm, a major milestone for HTTPS adoption across the web.
— Let’s Encrypt (@letsencrypt) January 30, 2017
Google’s Transparency Report shows similar numbers for HTTPS usage, confirming that secure browsing has become the norm. Google found that HTTPS is less prevalent on mobile devices than desktop but the percentage of pages loaded over HTTPS is steadily on the rise across the board.
The launch of Let’s Encrypt, the new free and open certificate authority, is one of the main factors causing the rapid rise in secure traffic. Thanks to sponsorships and partnerships with hosting companies and services, Let’s Encrypt closed out 2016 with more than 20 million active certificates.
Google’s influence has also been one of the driving factors in HTTPS adoption after the search engine announced in 2014 that it was starting to use HTTPS as a ranking signal. As of 2017, Google Chrome is adding a prominent security warning for HTTP sites.
Throughout 2016 many major publications moved to HTTPS, including the Guardian, Washington Post, Wired, Engadget, Ars Technica, and New York Times, to name a few. Nearly all of them publicly documented the challenges and triumphs of their HTTPS transitions.
In July 2016, security researcher Scott Helme crawled the Alexa Top 1 million sites to measure how security is progressing on the web. In his previous scans, which included August 2015 and February 2016, the top million sites saw a 42% increase in HTTPS adoption. Helme’s July 2016 crawl showed a 46% increase from February 2016.
Despite the overall growth, the number of HTTPS-enabled sites is just 13.75% of Alexa’s top million. However, these are the sites that serve the most traffic: Google, YouTube, Facebook, Amazon, and others. These results are consistent with Electronic Frontier Foundation’s (EFF) reports that HTTPS adoption is growing the fastest with smaller, previously-unencrypted sites.
Let’s Encrypt’s launch has also had a ripple effect on commercial certificate authorities who are now moving to offer domain validated SSL certificates for free in order to promote their other security products. Symantec is now partnering with hosting companies to issue free certificates as part of its Encryption Everywhere program. Comodo also announced a partnership with cPanel in December 2016 to automatically issue SSL certificates at no additional costs to consumers via cPanel’s AutoSSL feature.
Securing half the web’s traffic is a major landmark on the road to a fully encrypted web, but encryption advocates will need to continue educating website owners on the benefits of making the switch to HTTPS. With the necessary infrastructure now in place for anyone to get an auto-renewing SSL certificate for free, Let’s Encrypt director Josh Aas is optimistic about progress on the remaining 50% of the web.
“As exciting as 2016 was for encryption on the Web, 2017 seems set to be an even more incredible year,” Aas said “Much of the infrastructure and many of the plans necessary for a 100 percent encrypted Web really solidified in 2016, and the Web will reap the rewards in 2017. Let’s Encrypt is proud to have been a key part of that.”