The movement to encrypt the web reached milestone after milestone in 2017. The web is in the middle of a massive change from non-secure HTTP to the more secure, encrypted HTTPS protocol. All web servers use one of these two protocols to get web pages from the server to your browser. HTTP has serious problems that make it vulnerable to eavesdropping and content hijacking. By adding Transport Layer Security (or TLS, a prior version of which was known as Secure Sockets Layer or SSL) HTTPS fixes most of these problems. That’s why EFF, and many like-minded supporters, have been pushing for web sites to adopt HTTPS by default.
In February, the scales tipped. For the first time, approximately half of Internet traffic was protected by HTTPS. Now, as 2017 comes to a close, an average of 66% of page loads on Firefox are encrypted, and Chrome shows even higher numbers.
At the beginning of the year, Let’s Encrypt had issued about 28 million certificates. In June, it surpassed 100 million certificates. Now, Let’s Encrypt’s total issuance volume has exceeded 177 million certificates. Certificate Authorities (CAs) like Let’s Encrypt issue signed, digital certificates to website owners that help web users and their browsers independently verify the association between a particular HTTPS site and a cryptographic key. Let's Encrypt stands out because it offers these certificates for free. And, with EFF’s Certbot, they are easier than ever for web masters and website administrators to get.
Throughout the entire year, projects like Secure the News and Pulse have been tracking HTTPS adoption among news sites and government sites, respectively.
Browsers have been pushing the movement to encrypt the web further, too. Early this year, Chrome and Firefox started showing users “Not secure” warnings when HTTP websites asked them to submit password or credit card information. In October, Chrome expanded the warning to cover all input fields, as well as all pages viewed in Incognito mode. Chrome has eventual plans to show a “Not secure” warning for all HTTP pages.
One of the biggest CAs, Symantec, was threatened with removal of trust by Firefox and Chrome. Symantec had long been held up as an example of a CA that was “too big to fail.” Removing trust directly would break thousands of important websites overnight. However, browsers found many problems with Symantec’s issuance practices, and the browsers collectively decided to make the leap, using a staged distrust mechanism that would minimize impact to websites and people using the Internet. Symantec subsequently sold their CA business to fellow CA DigiCert for nearly a billion dollars, with the expectation that DigiCert’s infrastructure and processes will issue certificates with fewer problems. Smaller CAs WoSign and StartCom were removed from trust by Chrome and Firefox last year.
The next big step in encrypting the web is ensuring that most websites default to HTTPS without ever sending people to the HTTP version of their site. The technology to do this is called HTTP Strict Transport Security (HSTS), and is being more widely adopted. Notably, the registrar for the .gov TLD announced that all new .gov domains would be set up with HSTS automatically. A related and more powerful setting, HTTP Public Key Pinning (HPKP), was targeted for removal by Chrome. The Chrome developers believe that HPKP is too hard for site owners to use correctly, and too risky when used incorrectly. We believe that HPKP was a powerful, if flawed, part of the HTTPS ecosystem, and would rather see it reformed than removed entirely.
The Certification Authority Authorization (CAA) standard became mandatory for all CAs to implement this year. CAA allows site owners to specify in DNS which CAs are allowed to issue for their site, and may reduce misissuance events. Let's Encrypt led the way on this by enforcing CAA from first launch, and EFF is glad to see this protection extended to the broader CA ecosystem.
There’s plenty to look forward to in 2018. In a significant improvement to the TLS ecosystem, for example, Chrome plans to require Certificate Transparency starting next April. As browsers and users alike pressure websites for ubiquitous HTTPS, and as the process of getting a certificate gets easier and more intuitive for web masters, we expect 2018 to be another banner year for HTTPS growth and improvement.