The Web is making progress towards universal encryption
51.8 percent of the Alexa Top Million websites are now using SSL/TLS and are served via HTTPS. This is fantastic news for encryption growth, but there is still a long way to go. In reality, the Alexa top million is no longer even a thing. Amazon, which keeps the Alexa top website lists, stopped publishing information for the top million months ago, but an enterprising group of researchers has kept it alive and continues to pull actionable information out of it.
Scott Helme has to publish seven months of Alexa's top million results; he published his latest findings at the end of August, and they are promising, to say the least. More than half of the top million websites now have secure connections.
Adoption was still below 40 percent as late as January this year. Since then, however, a few things have happened to push more websites towards HTTPS. The largest, clearly, is the decision by Google to require SSL. Beginning in July, all websites still served over HTTP started to get penalized with browser warnings.
Most people obviously heed browser warnings, meaning that SSL is basically a requirement now. Websites responded by migrating en masse to HTTPS.
Adoption of HTTPS was not the only thing on the rise, either. Helme also found a 40% increase in Content Security Policy (CSP) headers and a 23% increase in the use of HTTP Strict Transport Security (HSTS) headers.
The only metric that seems to be dropping off is key pinning, which the infosec community has generally avoided as overly risky.
Some other important points from Helme's studies:
- Extended Validation SSL certificates haven’t seen much of an increase in usage despite the growth of the market for SSL certificates.
- Let’s Encrypt now has 147 million active certificates, with 930,000 issued every day.
- Elliptic Curve Cryptography keeps waiting in the shadows, while most sites use RSA for private keys.
Said Helme: “[HTTPS] adoption has picked up again and we’re still seeing that sharp incline sustained. In any other security mechanism, the growth shown here in this graph is unrivaled and if you think about the effort needed to achieve this, how impressive it is becomes crystal clear.”