Half of Alexa Top 1 Million sites now use HTTPS

Slowly but surely, the Internet is on its way to being 100% encrypted.

According Scott Helme’s latest analysis of the one million most visited websites according to Alexa, 51.8% are actively redirecting to HTTPS. To compare: that percentage was at 38.4 only six months ago.

“The growth (…) is unrivaled in any other security mechanism and if you think about the effort required to achieve this, how impressive it is becomes crystal clear,” he pointed out.

Reasons behind wider HTTPS adoption

There has been a sustained push by the likes of Google to “encrypt the web” and at least part of these results is owed to them. The company has made it clear that HTTPS sites will achieve better ranking on Google Search and its Chrome browser was recently made to label all HTTP sites as “Not secure”.

Helme, along with fellow security pro Troy Hunt, also recently launched a website that shows which of the world most visited websites still load over an insecure connection and offers resources for going the HTTPS route.

Another thing that made it easier for site administrators to encrypt one’s site is the advent of the Let’s Encrypt certificate authority, which offers free security certificates and makes the whole process of getting them and setting them up much easier than it was before.

Let’s Encrypt is currently at the top of the list of certificate issuers that helped all of these sites “go HTTPS”.

Other findings

Helme’s analysis also showed that:

• The use of HTTP Public Key Pinning (a HTTP header/security mechanism that instructs web clients to associate a specific cryptographic public key with a certain web server) is failing. Part of the reason is that Chrome has removed support for it, another is that HPKP is difficult to deploy perfectly and can be misused by attackers.
• There has been a marked increase in CSP (Content Security Policy) and HSTS (HTTP Strict Transport Security) use: 40% and 23%, respectively.
• Security.txt – a file that informs security researchers how to contact the site/company if they want to responsibly disclose vulnerabilities – is gaining popularity.
• RSA crypto keys are still the most popular choice by far, even though ECDSA (elliptic curve digital sgnature algorithm) keys are the more secure option.