So, just yet another thing for a final countdown.
First, it was the infamous GDPR (btw, does anyone hear ’bout it after the 25th of May, or is it just us who hear the community silence?)
Now, Google takes its turn. And, as we all hear, the web is officially going full HTTPS only, and yes, it has been going there for many years. We’ve seen an acceleration in the progress in recent months but we still have a long way to go on our journey of securing all traffic on the internet. Despite the great progress we’re making, and all the valid reasons we should continue to do so, there are people who believe having a secure web is not the right thing to do.
Less than one month from today, on July 23, our beloved Google will start prominently labeling any site loaded in Chrome without HTTPS as “Not Secure”.
Google announced its plans back in February, and back then, the percentage of sites loaded over HTTPS clocked in at 69.7%. Just one year prior to that, only 52.5% of sites were loaded using SSL/TLS, the encryption protocol behind HTTPS. Tremendous progress has been made!
Unfortunately, quite a few popular sites on the web still don’t support HTTPS (or fail to redirect insecure requests) and will soon be flagged by Google.
HTTPS IS THE NEW BLACK
Just go and scan Alexa Top 1 Million, the million largest sites on the wild wide web, and measure many different metrics about their security. The growth of HTTPS is not only being maintained but it’s actually accelerating.
No matter which way you look at the data, and no matter which way you measure it, usage of HTTPS is going through a huge growth phase right now. In the 6 months up to that report, we saw a 32% growth in the use of HTTPS in the top 1 million sites.
Mozilla tracks anonymous telemetry from the Firefox browser, and they have seen a staggering growth in the rate of pages being loaded over HTTPS.
The data shows that 75% of page loads in Firefox now take place using HTTPS instead of HTTP.
Last but certainly not least, the biggest browser of them all also reports the exact same thing. Chrome telemetry puts the figures pretty much right on 75% too.
This trend has been showing for a long time. In fact, there isn’t any data I can find that shows there was ever a decrease in the amount of HTTPS on the web. It has been increasing for as far back as the data goes, so this is nothing new; we’re just making much better progress in recent years.
Cloudflare people spent some time scanning the top one million sites too, and here’s what they learned about the 946,039 reachable over plaintext (unencrypted) HTTP.
If you were to ask the operators of these sites why they don’t protect themselves and their visitors with HTTPS, the responses you’d get could be bucketed into the following three groups: “I don’t need it”, “it’s difficult to do”, or “It’s slow”.
And guess what? None of these are legitimate answers, but yes — they’re common misconceptions so let’s take each in turn.
MYTH #1: “HTTPS IS DIFFICULT TO DEPLOY”
This was true... in the mid-1990s. But hey, today, in 2018, we can all honestly say that things have changed for the better.
Thankfully, we’ve come a long way since then. Today, you can protect your site with HTTPS in a matter of seconds, for free, either by signing up for Cloudflare or using a CA such as Let’s Encrypt.
MYTH #2: “I DON’T NEED HTTPS”
This argument is the most puzzling, especially when spouted by people who should know better. Even if you don’t care about performance (see myth #3), surely you care about the safety and privacy of those visiting your site.
Without HTTPS, anyone in the path between your visitor’s browser and your site or API can snoop on (or modify) your content without your consent. This includes governments, employers, and especially internet service providers.
If you care about your users receiving your content unmodified and being safe from maliciously injected advertisements or malware, you care about — and must use — HTTPS.
Besides safety, there are additional benefits such as SEO and access to new web features: increasingly, the major browser vendors such as Apple, Google, Mozilla, and Microsoft, are restricting functionality to only work over HTTPS. As for mobile apps, Google will soon block unencrypted connections by default, in their upcoming version of Android. Apple also announced (and will soon hopefully follow through on their requirement) that apps must use HTTPS.
MYTH #3: “HTTPS IS SLOW”
Lastly, the other common myth about HTTPS is that it’s “slow”. This belief is a holdover from an era when SSL/TLS could actually have a negative performance impact on a site, but that’s no longer the case today. In fact, HTTPS is required to enable and enjoy the performance benefits of HTTP/2.
Detractors typically think HTTPS is slow for two primary reasons:
1) It takes marginally more CPU power to encrypt and decrypt data; and
2) establishing a TLS session takes two network round trips between the browser and the server.
When HTTPS content is served from the edge, typically 10-20 milliseconds away from your users in the case of Cloudflare, SSL/TLS enabled sites are incredibly fast and performant. And even when they are not served from an edge provider it bears repeating that SSL/TLS is not a performance burden! There’s really no excuse not to use it.
Pro tip: Advanced users should also consider using HSTS to instruct the browser to always load your content over HTTPS, saving it a round trip (and page load time) on subsequent requests.
If you’re trying to protect your and your customers’ online privacy and security, reach out to us at AltusHost.com and we can help you with this process.