July 20, 2016
Despite being around for over 20 years, HTTPS has always remained very lightly adopted - until now. Data from 2 independent sources show HTTPS adoption has more than doubled in the last year, an unprecedented massive spike in adoption of this security control.
Stats from BuiltWith imply HTTPS adoption has more than tripled, going from 2.9% to 9.6% in a single year. Data from the HTTP Archive show a similar trend, with the number of HTTPS sites rising by 2.3x, from 5.5% to 12.4%. It’s important to consider timeline here - it took less than a year to secure the same number of sites it previously took 20 years to protect!
This is great news for the web, both because of the value HTTPS provides and since it’s a rare case where a security control is visibly growing in adoption. This post digs into the data, tries to explain the drivers behind it, and suggests ways we can learn from HTTPS to promote other security practices.
The easiest way to track HTTPS is BuiltWith, a portal that shows tech adoption across the web. BuiltWith has a report called “SSL By Default”, capturing websites that redirect visitors to HTTPS. The following chart shows these stats across the last couple of years for the top 1 million and the top 10,000 websites. (Image: HTTPS adoption in the top 1M sites, per BuiltWith.)
This chart shows stunning growth in HTTPS adoption over the last year. For the top 1M, the share of sites grew from ~2.9% last August to 9.6% now - more than 3x growth in 1 year! Looking at the top 10,000 websites, adoption grew from 6.3% to 12.8% at the same time, more than doubling.
Also note that HTTPS adoption is generally greater amongst the more popular websites. This implies the share of pages browsed over HTTPS is higher than the share of sites that enabled it, as a top-tier website drives more traffic than a less popular one.
These stats are pretty staggering. In fact, they feel too good to be true, a sentiment strengthened by the odd dip in BuiltWith reports last month. To corroborate the numbers, let’s ask the same question of a completely independent data set - the HTTP Archive.
HTTP Archive stats
HTTP Archive, or HA for short, is an initiative created by Steve Souders to capture, over time, what websites are made of. It’s been running for nearly 6 years, scanning a growing number of websites twice a month and storing their page load metrics. HA currently scans the top 500,000 websites with each batch.
HA info can be queried using BigQuery (thanks to Ilya Grigorik), allowing us to extract the list of websites that redirected to HTTPS each month. The following graph shows the percentage of websites that redirect to HTTPS amongst the top 500,000 sites. (Image: rapid growth in HTTPS websites, stats from HTTP Archive.)
As you can see, the share of HTTPS websites has more than doubled in the last year, growing from 5.5% in mid 2015 to 12.4% a year later - a 2.3x growth. While a bit smaller than BuiltWith’s numbers, this growth rate is nothing short of amazing.
Tech note: HA switched from IE to Chrome in March, which had a marginal impact on the numbers, potentially explaining the slight dip in adoption that month.
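Both data sets above count a site as HTTPS when its crawl ends on an https URL after following redirects. The following is an added example (not BuiltWith’s or HTTP Archive’s code) of that classification and the per-crawl share it yields; the input shape (start URL plus the recorded (status, Location) hops) and the sample rows are constructed assumptions.

```python
"""Classify recorded redirect chains as an "SSL by default" report would.

Added example, not code from BuiltWith or the HTTP Archive. The row format
(crawl date, start URL, list of (status, Location) hops) is an assumption.
"""
from collections import defaultdict
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def final_url(start, hops, max_hops=10):
    """Follow recorded hops; None on a loop, too many hops or a missing Location."""
    url, seen = start, {start}
    for status, location in hops:
        if status not in REDIRECTS:
            break                      # a non-redirect response ends the chain
        if not location:
            return None                # redirect without Location is broken
        url = urljoin(url, location)   # Location may be relative
        if url in seen or len(seen) > max_hops:
            return None
        seen.add(url)
    return url

def classify(start, hops):
    """'https_by_default', 'http_only', 'downgrade' (https -> http) or 'broken'."""
    end = final_url(start, hops)
    if end is None:
        return "broken"
    start_scheme = urlsplit(start).scheme.lower()
    end_scheme = urlsplit(end).scheme.lower()
    if end_scheme == "https":
        return "https_by_default"
    if start_scheme == "https" and end_scheme == "http":
        return "downgrade"
    return "http_only"

def https_share(rows):
    """Per-crawl fraction of sites ending on HTTPS; rows are (crawl, start_url, hops)."""
    totals, https = defaultdict(int), defaultdict(int)
    for crawl, start, hops in rows:
        totals[crawl] += 1
        https[crawl] += classify(start, hops) == "https_by_default"
    return {crawl: https[crawl] / totals[crawl] for crawl in totals}

def growth_factor(shares, earlier, later):
    """Ratio of two crawls' HTTPS shares (the '2.3x' style figure in the post)."""
    return shares[later] / shares[earlier]

SAMPLE = [  # constructed crawl rows; not real HTTP Archive data
    ("2015-07-15", "http://a.example/", [(301, "https://a.example/"), (200, None)]),
    ("2015-07-15", "http://b.example/", [(200, None)]),
    ("2015-07-15", "http://c.example/", [(301, "http://www.c.example/"), (200, None)]),
    ("2015-07-15", "http://d.example/", [(200, None)]),
    ("2016-07-15", "http://a.example/", [(301, "https://a.example/"), (200, None)]),
    ("2016-07-15", "http://b.example/", [(302, "/start"), (301, "https://b.example/start"), (200, None)]),
    ("2016-07-15", "http://c.example/", [(301, "http://www.c.example/"), (200, None)]),
    ("2016-07-15", "http://d.example/", [(301, "http://d.example/")]),
]
```

A redirect loop or a chain that only moves between hostnames over HTTP never counts toward the HTTPS share, which is why a naive "any redirect" metric overstates adoption.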
How did this happen?
When bad things happen, a best practice is to run (blameless!) post-mortems to understand what went wrong and how to avoid it next time. In this case, we would benefit from doing the same to understand why this positive surge is happening, and why now.
Answering these questions can help us keep the momentum going, and take these learnings to other areas where we aim to bolster security. Here are some of the key reasons I believe drove this change.
Historically, moving to HTTPS was always an expensive initiative. You had to buy certificates, pay extra for hosting, pay extra for your CDN… these costs add up, and so only the companies who truly needed or wanted HTTPS pushed through.
Today, you can get a free certificate from Let’s Encrypt, SSL/TLS delivery is included in many CDNs (led by Cloudflare), and platforms such as WordPress and GitHub Pages enable HTTPS by default, at no extra cost.
These lower costs are driven in part by growing demand, and in part by the decreased costs to the platform providers themselves. Either way, when moving to HTTPS is not as expensive, it’s easier for champions to push it through.
Better Tools & Resources
These new tools not only make it cheaper to move to HTTPS, they also make it easier.
Let’s Encrypt makes it easy to auto-generate certificates, allowing platforms to generate them for users and allowing ops teams to generate a certificate for every microservice. SSLTest and the Chrome Security Panel check whether you configured it correctly. IsTlsFastYet explains how to make HTTPS fast, and enumerates which platforms support each feature.
Better tools are a key factor in further reducing cost, as humans are often the most expensive part of any IT project. If the effort and costs are sufficiently low, a passionate engineer can “just do it”, turning on HTTPS without needing to schedule and prioritize it in the plans.
Security, including HTTPS, is all about reducing risk, and risk - unfortunately - is invisible. All too often it’s hard to justify even a day of work if you can’t show a concrete top-line improvement at the end of it. It’s much easier to promote a change that helps you add a feature or achieve a noticeable gain.
For HTTPS, we’ve accumulated quite a few such carrots to help move projects along. New web standards such as HTTP/2, Geolocation and ServiceWorker are only available over HTTPS, making it a prerequisite for certain features. Google ranks HTTPS websites higher than their HTTP peers, and mobile platforms default to requiring HTTPS for native app APIs.
In some cases, these carrots motivate companies that aren’t truly sold on security to move to HTTPS. In other cases, they give champions in the company the justification they need to get the needed approvals.
Last but not least, the web is still a network, and one website’s actions impact another. Each time a website moves to HTTPS (and maybe even writes about it), its competitors are more likely to transition as well; a website moving to HTTPS will require its third party beacons to support it, which in turn will make it easier for their next customer to switch; and when enough sites in a community use HTTPS, the others feel socially pressured to upgrade their game.
I believe this last piece is the reason for the accelerating pace of HTTPS adoption. It’s hard to get the network effect ball going, but once it’s rolling, it naturally picks up speed.
First of all, this is a good time to smile.
Many of us on the web have been evangelising security as a whole and the use of HTTPS specifically for a long while, and these data are proof the efforts are bearing fruit. So if you were an HTTPS advocate, now is a good time to do a little jig!
If you’re not on the HTTPS bandwagon yet, now is the time to jump on. For a more structured list of reasons to switch, check out my blog post from last summer.
Beyond HTTPS, we should apply the same techniques above elsewhere. How can we reduce costs and simplify implementation of other security goals? Which carrots can we provide to complement the sticks? And once we gain some momentum, how can we accelerate it with network effect?
At Snyk we’re trying to apply these lessons to help make open source more secure, and would love to see them spread throughout the security world.