
HTTPS Adoption doubled this year - adamnemecek
https://snyk.io/blog/https-breaking-through/
======
atonse
In addition to things like Let's Encrypt, in more enterprise-y settings, I
would also give credit to the slowly dying belief that SSL/TLS is too taxing
on servers, and the ability to outsource your SSL/TLS termination to an
extremely cheap cloud load balancer as well.

~~~
themartorana
Yes, all this. Although it drives me nuts that people consider SSL to be a
deterrent to load times when the average page is as bloated as it is...

But yeah, LetsEncrypt made SSL free, and for us, AWS's free auto-renewing
certificates were the thing that made it easy to not have to worry about
certificates anymore and to use them gratuitously.

Edit: looking forward to all the Dreamhosts of the world making LetsEncrypt-
based SSL standard on even their cheapest plans.

~~~
sliverstorm
Agreed, the main reason most pages are slow these days is because they are
slow- blaming it on SSL is pure scapegoating

------
AWildDHHAppears
There were two things that convinced us to start using it, even for things
like corporate blogs that had no login or user info:

1\. Google saying it would help your page ranking

and

2\. Free Letsencrypt certs

------
brainfire
Mid-2015, the US White House Office of Management and Budget released
memorandum M-15-13, stating that "Agencies must make all existing websites and
services accessible through a secure connection (HTTPS-only, with HSTS) by
December 31, 2016." Their reasoning is outlined in the memo- see
[https://https.cio.gov/](https://https.cio.gov/)

------
antoineMoPa
Enabling https on my sites with LE also enabled me to realize how messed up my
apache2 configuration files were. certbot-auto did not even know what to do. I
had to fix stuff for 2 hours, playing with virtualhosts and other things I did
not understand.

But since it is all clean now, I just enabled https on a new blog and certbot-
auto handled all the process happily.

2 things pushed me to do all this work:

SEO: Google announced https sites would rank higher

Security: I don't want my blog passwords to travel unencrypted anymore.

------
cocktailpeanuts
I bet Apple transitioning to https-only has played a huge role in this. Even
as an iOS developer I think this move was too drastic when there are so many
http based websites out there. Nowadays when you build an app and even try to
display a non-https image they don't render at all (unless you go through the
trouble of customizing the security settings in the bundle, and even this is
going to go away soon as far as I know)

~~~
JoshTriplett
There will _always_ be "so many http-based websites out there", as long as
there's no forcing function. I look forward to the point where browsers start
flagging any use of http as insecure; there's a gradual transition in that
direction. It won't take too long after that point for http to disappear
completely, with some lingering use in specialized or un-upgradeable devices
for a while.

I think we're still missing one more ecosystem component to make such a
transition successfully, though: free wildcard certificates through Let's
Encrypt.

~~~
mintplant
Firefox already marks sites loaded over HTTP with a red slash in the URL bar,
at least on the current Aurora channel build.

~~~
Buge
I thought that was only sites that have a password box on them.

~~~
spikengineer
Yeah. It's only when there is a password box on them or requests things like
location, notifcations support etc.

------
haasn
My first thought when reading this title was “Let's Encrypt”.
[https://letsencrypt.org/2016/06/22/https-progress-
june-2016....](https://letsencrypt.org/2016/06/22/https-progress-
june-2016.html) claims LE has issued 3.8 million live certificates covering 7
million unique domains.

Based on numbers alone, I'd say LE itself could entirely have caused increase
this in adoption - but I assume I'd have to look at the certificate stats
myself to confirm this. (Obviously, most of the “top sites” are not going to
be using LE certificates - but 1 million websites is a lot of websites)

~~~
jaas
It's clearly not just Let's Encrypt doing this, though I think Let's Encrypt
is contributing a lot in terms of both issuance and changing expectations.

Let's Encrypt is up to almost 4.5M active certificates now, and I haven't
checked recently but those certs probably cover 8.5-9M FQDNs.

------
angry-hacker
Now only if web services and programs would update their backends so we have
better SNI support.

Only 6 months ago Bingbot didn't index sites using SNI. It's unrealistic that
every site goes https and has a dedicated IP address.

If anyone is interested in apps, services that fail with SNI, I have a list.
Maybe someone knows more of them. Good to know beforehand you start using SNI.

~~~
jwilk
My short list:

* elinks: [https://bugs.debian.org/797968](https://bugs.debian.org/797968)

* Python before 2.7.9

* Python module httplib2: [https://github.com/httplib2/httplib2/pull/13](https://github.com/httplib2/httplib2/pull/13)

------
magicbuzz
Letsencrypt has made it a lot easier to create and use certs. But when wanting
to counteract the ssl overhead with the use of HTTP/2, it gets a lot harder.
Getting HTTP/2 running is still hard on Ubuntu 14.04, the predominant os
version out there in the cloud. Recent Nginx versions support HTTP/2 but
OpenSSL on 14.04 is missing some negotiation magic called ALPN

[http://serverfault.com/questions/732474/nginx-configured-
wit...](http://serverfault.com/questions/732474/nginx-configured-with-
http2-doesnt-deliver-http-2)

------
arjie
My personal website was on StartSSL. When the cert expired, I just put almost
every VirtualHost on the machine on Let's Encrypt certs.

It's so easy to do and works with multiple Apache sites really well.

------
nijiko
Hello HTTP/2

~~~
leesalminen
I am in love with HTTP/2\. It's made my web application much faster and I rely
less on CDNs.

~~~
thejosh
The nice thing about CDNs is that if the CDN is good, it will load the assets
closest to your visitor, which is nice when normally these are 250ms+ latency
:)

~~~
gnur
It is nice, but the main selling point of HTTP/2 is that latency had much less
influence on complete loading times. Lower latency does help, but HTTP/2
really shines on higher latencies

------
encoderer
Google has been very clear that going secure will improve SEO. Plus, there are
browser features and mobile behaviors (deep linking w/ universal links) that
can only be used over an encrypted connection.

------
0xmohit
I'd be interested in statistics that provide insights into HTTP/2 support. Has
somebody compiled anything?

~~~
achillean
We keep track of it at Shodan: [https://blog.shodan.io/tracking-
http2-0-adoption/](https://blog.shodan.io/tracking-http2-0-adoption/)

The latest number for HTTP/2 support is 700,000 which is up from 115,000 in
December.

------
rocky1138
Is there a search engine which returns only websites that support https?

