Here at Naked Security, we like HTTPS, the technology that puts the padlock in your browser’s address bar.
Using HTTPS isn’t any sort of silver bullet, of course: crooks can (and do) run encrypted sites, so the presence of a browser padlock doesn’t guarantee that the content you’re looking at is safe and secure.
But HTTPS, which uses encryption all the way from your browser to the server at the other end, has two main purposes:
- The content of your web traffic is encrypted. This includes the URLs that you vists, any form data you fill in, and all the files you download. End-to-end encryption means that other users on the network – such as your neighbour in the coffee shop – can’t “sniff” your network packets and figure out what you’re been doing, or steal personal information out of your HTTP traffic.
- The identity and ownership of the server is vouched for. As well as encrypting the traffic to provide confidentiality, HTTPS protects both the authenticity of the server and the integrity of the data.
In many ways, the second feature of HTTPS is actually the most important.
Sure, HTTPS is far from perfect: crooks can beg, steal or borrow HTTPS certificates, and thereby present fraudulent sites under the guise of someone else.
But without HTTPS, all safety and security bets are off: anyone could set up a server that pretended to be your bank, and anyone could mess with Naked Security articles on the way from us to you, and you’d simply never know.
That’s why we wrote an open letter to Facebook back in 2011, suggesting that the social networking juggernaut ought to use HTTPS by default.
Not just when you logged in or edited your profile, in order to keep your personal data secure, but all the time.
(The brilliantly simple thing about encrypting everything is that you never have to worry about missing that one critical file, form or field.)
Facebook rose to the challenge, in fact, coming to the party by the end of 2012 by turning HTTPS on for everyone.
Many other sites have followed suit since then, with HTTP either phased out, or used only to redirect you to the secure alternative and keep you there.
Until recently, however, adopting HTTPS on your own servers, especially if you were just a hobbyist or small business, was modestly complicated.
HTTPS also used to cost money, both up front and then every year or so to renew your certificates.
Then, a non-profit called Let’s Encrypt came on the scene:
Anyone who has gone through the trouble of setting up a secure website knows what a hassle getting and maintaining a certificate can be. Let’s Encrypt automates away the pain and lets site operators turn on and manage HTTPS with simple commands. Using Let’s Encrypt is free, so there is no need to arrange payment.
The concept is simple: HTTPS makes things harder for eavesdroppers, phishers, scammers and other imposters, so let’s encrypt.
So we were interested to spot a recent tweet from Josh Aas, the head of Let’s Encrypt, and until very recently a Mozilla employee:
The graph above might not look like much, and it only applies to Firefox users (and, indeed, only to Firefox users who have opted in to Mozilla’s Telemetry feature to share anonymised usage data with Mozilla).
Nevertheless, it’s a milestone worth remembering, because it shows the HTTPS-versus-HTTP line sneaking up above 50% for the first time.
So, there’s still a long way to go, but in at least some justifiable way, we can say, “Unencrypted web pages are now in a minority.”
As we mentioned, an encrypted web doesn’t magically make us all safe and secure…
…but at least it makes the web much less of a free-for-all for snooping, surveillance and cybercriminality.
Let’s hope that the first half of our journey to HTTPS was the hard part, and that the second half comes faster and more easily!