Almost since the web was created, HTTPS has been a vital protection for users of eCommerce stores and other sites that deal with financial data or data that falls under specific regulatory protections like HIPAA. But for many small businesses – and not-so-small businesses that should know better – HTTPS adoption has been slow.
Over the last few years, adoption slowly crept upwards as site owners responded to growing concerns about online security from ordinary users. Most of the people reading this article have long understood the necessity of encryption for sensitive data, but for ordinary users, it’s been less of an issue. Without demand from users or industry regulation, site owners had little incentive to invest in SSL certificates, especially given the complexity involved.
During 2016, the trend towards secure sites reached a tipping point. Google Chrome tracks SSL adoption, and 2016 is the first year that more than half of the sites loaded by Chrome used HTTPS. It’s a significant milestone, and it indicates that owners of the most popular websites have recognized that, on the modern web, a site without HTTPS is at a disadvantage.
This doesn’t mean over 50 percent of sites have adopted SSL, just that more than half of the most commonly loaded sites have. In practical terms, the difference isn’t all that significant because most day-to-day interactions on the web are protected.
Let’s Encrypt has played a major role in bringing SSL to more sites. As I mentioned earlier, owners of smaller sites and blogs had little incentive to pay for SSL validation and deal with the technical complexity of implementing HTTPS. Let’s Encrypt almost entirely removed both pain points by making SSL certificates free and providing a system to automatically install certificates on many common server configurations.
Google also had a part to play. By making HTTPS a ranking signal, the company appealed directly to site owners’ self-interest. They may not have been overly concerned about encrypting data, but search engine rankings are always top-of-mind.
We’re approaching a consensus that sites should be secure by default. Rather than asking, “Do I have any reason to encrypt this data?” we’re gradually coming round to the idea that there’s no good reason not to encrypt.
That position is likely to be solidified next year as browser developers begin to issue warnings for sites that don’t offer secure HTTPS connections.
Until now, browsers have indicated when sites were protected, but had nothing to say about sites without HTTPS. In 2017, that default will change and browsers will begin to display interface elements that make a lack of HTTPS obvious to users.
By this time next year, I’m hopeful I’ll be writing about how HTTPS adoption has risen sharply once again – and we’ll be all the safer for it.