Earlier this month, a milestone was passed as half of all web traffic became protected by HTTPS.
Mozilla reports that the average volume of encrypted web traffic on Firefox is now higher than the volume of unencrypted traffic. Google’s statistics on Chrome agree with this finding, also showing that more than 50% of their web traffic is HTTPS encrypted. This means we’re halfway to an internet where we are much better protected from eavesdropping, content hijacking, cookie stealing, and censorship. The transition to encrypted traffic is the result of a combined effort by large tech companies, content providers, and even users themselves.
It’s been several years since Facebook and Twitter enabled HTTPS by default, and Google has been putting pressure on websites by including encryption as a factor in its search rankings and by displaying warnings whenever an unencrypted site asks for passwords or credit card numbers. Encrypting the entire web, however, will require reaching past the larger websites and getting the smaller ones to encrypt as well. Services like Let’s Encrypt and Certbot have allowed webmasters across a range of skill and resource levels to turn what was once an expensive and demanding task into an easy and approachable one.
Let’s Encrypt is a Certificate Authority (CA) run by the Internet Security Research Group (ISRG) and founded by the Electronic Frontier Foundation (EFF), Mozilla, and the University of Michigan, with Cisco and Akamai as founding sponsors. The CA issues and maintains digital certificates, and EFF’s Certbot tool allows users to get a free certificate from Let’s Encrypt and automatically configure their websites for it. The convenience has allowed Let’s Encrypt to become the internet’s largest encryption authority as of last October.
Until the entire web is encrypted, certain browser extensions and services can protect you further. HTTPS can only be used on websites that offer it, and some don’t offer it reliably, sometimes linking from secure to unsecured pages or using standard HTTP as the default. In these cases, extensions like HTTPS Everywhere can help fill in the gaps.
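For site owners, the "linking from secure to unsecured pages" problem can be audited from the page source. The following is an added example, not code from the article or from any project it mentions: it lists every plain-HTTP reference in a page served over HTTPS, and it goes beyond links and form targets to also flag HTTP subresources. The function names, the tag lists, and the example.test hosts are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that send the user elsewhere vs. ones that load content into the page.
NAVIGATION = {("a", "href"), ("area", "href"), ("form", "action")}
SUBRESOURCE = {("script", "src"), ("img", "src"), ("iframe", "src"), ("link", "href")}

class DowngradeFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            kind = ("navigation" if (tag, name) in NAVIGATION else
                    "subresource" if (tag, name) in SUBRESOURCE else None)
            if kind is None or not value:
                continue
            # Resolve relative and protocol-relative URLs against the page URL.
            target = urljoin(self.page_url, value.strip())
            if urlsplit(target).scheme == "http":
                self.findings.append((kind, tag, target))

def find_downgrades(page_url, html):
    """Return plain-HTTP references found in a page that was served over HTTPS."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("page_url must be an https:// URL")
    finder = DowngradeFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; example.test hosts are placeholders.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/site.css">
<script src="http://cdn.example.test/lib.js"></script>
</head><body>
<a href="https://example.test/account">Account</a>
<a href="http://example.test/login">Log in</a>
<a href="//example.test/help">Help</a>
<form action="http://example.test/search"><input name="q"></form>
<img src="img/logo.png">
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in find_downgrades("https://example.test/", SAMPLE_HTML):
        print(f"{kind:12} <{tag}> {url}")
```

Relative and protocol-relative URLs inherit the page's HTTPS scheme and are not reported; only references that explicitly name `http://` are.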