The number of websites supporting HTTPS has skyrocketed over the past year and there are many benefits for turning on encryption on your website today.
After Edward Snowden revealed that online communications were being collected en masse by some of the world’s most powerful intelligence agencies, security experts called for encryption of the entire web. Four years later, it looks like we’ve passed the tipping point.
The number of websites supporting HTTPS—HTTP over encrypted SSL/TLS connections—has skyrocketed over the past year. There are many benefits to turning on encryption, so if your website not yet support the technology it’s time to make the move.
Recent telemetry data from Google Chrome and Mozilla Firefox shows that over 50 percent of web traffic is now encrypted, both on computers and mobile devices. Most of that traffic goes to a few large websites, but even so, it’s a jump of over 10 percentage points since a year ago.
Meanwhile, a February survey of the world’s top 1 million most visited websites revealed that 20 percent of them supported HTTPS, compared to around 14 percent back in August. That’s an impressive growth rate of over 40 percent in half a year.
There are a number of reasons for the accelerated adoption of HTTPS. Some of the past deployment hurdles are easier to overcome, the costs have come down and there are many incentives to do it now.
One of the longstanding concerns about HTTPS is its perceived negative impact on server resources and page load times. After all, encryption usually comes with a performance penalty so why would HTTPS be any different?
Not only is the impact minor on the backend, but browsing is actually faster for users when HTTPS is turned on. The reason is that modern browsers support HTTP/2, a major revision of the HTTP protocol that brings many performance improvements.
Even though encryption is not a requirement in the official HTTP/2 specification, browser makers have made it mandatory in their implementations. The bottom line is that if you want your users to benefit from the major speed boost in HTTP/2, you need to deploy HTTPS on your website.
The cost of obtaining and renewing the digital certificates needed to deploy HTTPS has been a concern in the past, and rightfully so. Many small businesses and non-commercial entities have likely stayed away from HTTPS for this very reason and even larger companies with many websites and domains in their administration might have been worried about the financial impact.
Fortunately, that should no longer be an issue, at least for websites that don’t require extended validation (EV) certificates. The nonprofit Let’s Encrypt certificate authority launched last year provides domain validation (DV) certificates for free through a process that’s completely automated and easy to use.
From a cryptography and security standpoint there is no difference between DV and EV certificates. The only difference is that the latter requires a stricter verification of the organization requesting the certificate and allows the certificate owner’s name to appear in the browser address bar next to the HTTPS visual indicator.
In addition to Let’s Encrypt, some content delivery networks and cloud services providers, including CloudFlare and Amazon, offer free TLS certificates to their customers.
