

HTTPS usage continues to rise, but implementation still lags behind

Tuesday, November 8, 2016

More than half of pages loaded and two-thirds of total time spent by Chrome desktop users occur via HTTPS, says Google, but implementation is not always perfect, as these figures show...


The latest figures from Google illustrate a strong increase in HTTPS traffic: nearly two-thirds of pages loaded on Chrome OS devices are HTTPS sites, followed closely by Mac, Linux, and Windows. However, while the HTTPS trend continues, implementation varies considerably.


Google's HTTPS tracker shows that worldwide the percentage of pages loaded over HTTPS on Chrome on all platforms has passed 50 per cent, up from 40 per cent in mid-2015. On Chrome OS the figure is 67 per cent. Time spent on HTTPS sites currently ranges between 69 per cent and 85 per cent, depending on operating system. However, mobile HTTPS page loads are significantly lower, with Chrome on Android climbing from 29 per cent in mid-2015 to 42 per cent today.


“Security has always been critical to the web, but challenges involved in site migration have inhibited HTTPS adoption for several years. A web with ubiquitous HTTPS is not the distant future. It’s happening now, with secure browsing becoming standard for users of Chrome,” said Chrome's security team.

Last month separate figures from Mozilla showed that more than 50 per cent of page loads were encrypted with HTTPS for the first time ever.


The figures come as Google begins a big push to boost HTTPS adoption by changing the way Chrome flags HTTPS sites. In January, the first stable version of Chrome 56 will label HTTP-only sites that collect passwords or credit cards explicitly as 'Not secure'.

High-Tech Bridge has conducted its own HTTPS research, using its free SSL/TLS checker, and has found that adoption is lagging behind in many cases. In addition, correct implementation is patchy. An assessment of the web servers of a random 161 companies from the Global 2000 list found that while 77 per cent of all tested servers support HTTPS, 19.4 per cent of the servers supporting HTTPS have an untrusted certificate, only 12 per cent were compliant with PCI DSS requirements 2.3 and 4.1, and a known vulnerability such as POODLE over SSL was unpatched in 18.5 per cent. In fact, more than 60 per cent of the servers tested contained at least one vulnerability such as POODLE over SSL, POODLE over TLS, Heartbleed, client-initiated insecure renegotiation, client-initiated secure renegotiation and the OpenSSL Change-Cipher-Specs bug.


The live High-Tech Bridge SSL/TLS stats also show that a surprising number of servers tested are not PCI DSS compliant, with just 47 per cent of web servers and 9.7 per cent of email servers passing this month.

Google Transparency Report figures show that just 34 of the world's top 100 sites have now enabled HTTPS by default. Some sites, including Microsoft's search engine Bing and Apple's website, support HTTPS but do not use it by default. Meanwhile, sites such as bbc.co.uk, Cnn.com and eBay (com and co.uk) don’t support HTTPS yet, Google found.


Mark Mayne has covered the security industry for more than 15 years, editing news for SC Magazine and editing SecurityVibes UK. Mark has a background in national news journalism and tech reporting, and has run b2b and b2c editorial sites.

User Comments
Kewan 2016-12-14 21:02:26 UTC
The SSL/TLS Server Test requires 3DES to pass the HIPAA/NIST test. But 3DES has the SWEET32 vulnerability (CVE-2016-2183), and OpenSSL 1.1.0 does not include 3DES in its default build specification.