Half of the top one million sites in the world are now using HTTPS, in a boost for global web security, according to a leading researcher.
Scott Helme revealed that growth had slowed at the start of the year, but picked up again in recent months so that 51.8% of Alexa Top 1 Million sites were redirecting to the secure protocol as of August.
“Looking at the history we've made serious progress in the last couple of years and again we're continuing to see maintained growth which is exactly what we need,” he said. “The web is now well on its way to being 100% encrypted and long may it continue.”
Part of this growth is thanks to Let’s Encrypt, a free, automated certificate authority which claimed a fortnight ago that it added six million HTTPS domains in just five days and now services 124 million.
Another factor is that in July Chrome started warning visitors when they encounter non-HTTPS sites, a move which will certainly see more webmasters get proactive with adoption. Helme himself and fellow security researcher Troy Hunt have also been raising publicity via their whynohttps.com site.
Elsewhere, Helme observed a fall in the use of public key pinning (PKP) following Google’s decision to deprecate the security mechanism. Although it was originally intended to help prevent Man in the Middle attacks, researchers have over recent years claimed that attackers could actually manipulate PKP to their own ends, for example by installing malicious pins.
Helme welcomed the increase in use of some security headers: specifically a 40% increase in CSP and a 23% increase in HSTS.
“Whilst we did see a slight reduction in the use of CSPRO, we saw a considerably larger increase in the use of CSP,” he explained. "My guess on what's most likely happening is that sites are moving from a report only version of a policy to an enforced version, which shows progress in deployments of CSP.”
However, it wasn’t all good news: Extended Validation (EV) certificate use doesn’t seem to have seen much growth, despite the growing popularity of HTTPS.