HTTPS usage continues to rise, but implementation still lags behind
More than half of pages loaded and two-thirds of total time spent by Chrome desktop users occur via HTTPS, says Google, but implementation is not always perfect, as these figures show...
The latest figures from Google illustrate a strong increase in HTTPS traffic, with nearly two-thirds of pages loaded on Chrome OS devices being HTTPS sites, followed closely by Mac, Linux, and Windows. However, while the HTTPS trend continues, implementation varies considerably.
Google's HTTPS tracker shows that worldwide the percentage of pages loaded over HTTPS on Chrome on all platforms has passed 50 per cent, up from 40 per cent in mid-2015. On Chrome OS the figure is 67 per cent. Time spent on HTTPS sites currently ranges between 69 per cent and 85 per cent, depending on operating system. However, mobile HTTPS page loads are significantly lower, with Chrome on Android climbing from 29 per cent in mid-2015 to 42 per cent today.
“Security has always been critical to the web, but challenges involved in site migration have inhibited HTTPS adoption for several years. A web with ubiquitous HTTPS is not the distant future. It’s happening now, with secure browsing becoming standard for users of Chrome”, said Chrome's security team.
Last month separate figures from Mozilla showed that more than 50 per cent of page loads were encrypted with HTTPS for the first time ever.
The figures come as Google begins a big push to boost HTTPS adoption by changing the way Chrome flags HTTPS sites. In January, the first stable version of Chrome 56 will explicitly label HTTP-only sites that collect passwords or credit cards as 'Not secure'.
High-Tech Bridge has conducted its own HTTPS research, using its free SSL/TLS checker, and has found that adoption is lagging behind in many cases. In addition, correct implementation is patchy. An assessment of the web servers of a random 161 companies from the Global 2000 list found that while 77 per cent of all tested servers support HTTPS, 19.4 per cent of the servers supporting HTTPS have an untrusted certificate and only 12 per cent were compliant with PCI DSS requirements 2.3 and 4.1, while a known vulnerability such as POODLE over SSL was unpatched in 18.5 per cent. In fact, more than 60 per cent of the servers tested contained at least one vulnerability such as POODLE over SSL, POODLE over TLS, Heartbleed, client-initiated insecure renegotiation, client-initiated secure renegotiation or the OpenSSL Change-Cipher-Specs bug.
The live High-Tech Bridge SSL/TLS stats also show that a surprising number of servers tested are not PCI DSS compliant, with just 47 per cent of web servers and 9.7 per cent of email servers passing this month.
Google Transparency Report figures show that just 34 of the world's top 100 sites have now enabled HTTPS by default. Some sites, including Microsoft's search engine Bing and Apple's website, support HTTPS but don't use it by default. Meanwhile, sites such as bbc.co.uk, cnn.com and eBay (com and co.uk) don’t support HTTPS yet, Google found.