
HTTPS adoption has reached the tipping point - dhotson
https://www.troyhunt.com/https-adoption-has-reached-the-tipping-point/
======
lucideer
This is very misleading, because it's overwhelmingly skewed toward large
websites run by Google, Facebook, etc.

The statistic is that 50% of page loads are HTTPS - the majority of those page
loads are going to be visits to a very small subset of extremely popular (and
well-resourced) sites, so this stat gives no indication that the remaining 50%
is or will move to HTTPS anytime soon.

The real tipping point will be 50% of unique domains visited being HTTPS. And
a more interesting statistic would be where that figure is now, and trend data on
that. I wonder can that stat be extracted from public Mozilla data...

~~~
saywatnow
What this is, is another accidental slide down the slope towards
centralisation of the web. Yes, it's easy for a techie to add a letsencrypt
cert, but browsing with https-by-default I still hit a _lot_ of sites that
lack https - mostly the sort that run with practically zero maintenance for a
non-technical business or community.

Browsers are going to show scary warnings for these (indistinguishable to the
average user from any other warning), and then stop loading them altogether,
and the sites will die only to be reborn (if at all) on facebook.

~~~
CharlesW
> _What this is, is another accidental slide down the slope towards
> centralisation of the web._

Sorry, can you explain? (Not playing "gotcha", I really don't understand.)

~~~
euyyn
He means "a small number of websites by big players" vs "a big number of
websites by modest people".

------
cyberferret
I just upgraded our blog site this week to a new Digital Ocean Ubuntu
instance, and used LetsEncrypt to install an SSL certificate on it. I couldn't
believe just how easy and QUICK it was!

Certainly a far cry from 15 years ago when I used to go through the Spanish
Inquisition to get an SSL certificate, not to mention the cost. LetsEncrypt
has been a game changer.

So too has AWS, with their Certificate Manager. I've been rolling out their
own issued SSL certs to our various Elastic Beanstalk instances as they come
up for renewal. Saving a pile of money, but more importantly, TIME, doing
this.

For me personally, that is the tipping point - making SSL installs on a server a
couple of mouse clicks and less than a minute. Not surprised that it is
becoming increasingly popular given this.

------
ploggingdev
IIRC porn sites receive significant traffic and almost all porn sites serve
content over http only. The post mentions that https is faster than http and
also utilizes resources better than http. Is the statement still valid when
streaming video? (Please note that I visit porn sites only to check if it has
https enabled or not)

~~~
Ono-Sendai
HTTPS is not faster than HTTP.

~~~
erelde
https://www.troyhunt.com/i-wanna-go-fast-https-massive-speed-advantage/

This is by the same author, and there are criticisms that could be made against
it. In some cases it is faster it seems.

~~~
Ono-Sendai
HTTPS is basically HTTP, on a different port (443 instead of 80), with TLS
encryption on the socket connection. TLS encryption adds overhead, it doesn't
reduce it. Therefore HTTPS is slower.

~~~
Spare_account
Troy's title could be argued to be misleading. The performance improvement he's
discussing is actually HTTP/2 against HTTP.

Typically browsers that support HTTP/2.0 require the use of TLS, so with a
little mental gymnastics he's claiming that HTTPS is faster.

Edit: Apologies, I agonised over the wording for so long that 4 other people
answered before me.

~~~
mort96
What kind of mental gymnastics are you talking about? HTTP/2 is faster than
HTTP/1. In practice, HTTP/2 requires TLS. Therefore, in practice, to get
higher performance, you can achieve better performance with HTTPS than with
HTTP.

~~~
Spare_account
None of what you've said is incorrect. HTTP/2 over TLS is faster than HTTP/1.1
over SSL/TLS.

I referred to Troy's assertion that "HTTPS is faster than HTTP", which is at
best an incomplete statement and to some people completely misleading.

------
jdiez17
Here's a question: how are captive portals going to present the login site if
the user never uses HTTP? I know Android and other mobile OSs probe the
network by requesting a HTTP site. On my laptop, I have to load something like
`example.org` to get redirected.

~~~
NoGravitas
The solution is for captive portals to go away. Captive portals should
absolutely not exist.

~~~
guitarbill
iOS already prints a security warning when connecting to such networks, my
hope is that Apple will simply have phones disconnect from MitM'ed networks in
future, breaking captive portals but making the situation right.

They only really exist where people have no other choice (e.g. hotel). They're
often broken, or unusable on mobile devices with tiny UI. Captive portals are
an abomination and misuse of technology, not to mention a terrible user
experience. And any brand using a captive portal just diminishes my view of
the brand.

~~~
neuland
I totally agree that captive portals suck and we should name and shame anybody
using them, especially ones that are poorly built.

But, there has to be some reason that these exist right?

To get rid of captive portals, there needs to be this functionality in the
underlying protocols:

- Requiring Terms of Service

- Showing a special site from the service provider (like the page Starbucks
takes you to after "Accept and Connect")

- Selecting what kind of connection you want (like at airports and hotels
where there's free and paid)

- Login to some system the service provider controls (also airports and
hotels w/ paid plans)

- ... and, potentially other things I haven't seen

Edit: Somewhere else in this thread, kelleboo mentioned this [0]

[0] https://tools.ietf.org/html/rfc7710

~~~
guitarbill
> To get rid of captive portals, there needs to be this functionality in the
> underlying protocols

Not really - I don't think implementing legal considerations into technology
is the way to go. Mainly because laws vary by country and laws also change
independently from technology.

For example, in Germany, EULAs are only valid if agreed on at the time of purchase
of the goods or service. If presented after purchase, even if you have to
click some "I agree" button, they are not valid. (And even then, they can't
contradict German consumer law.) I don't believe anybody has sued because of
WiFi, but then the question becomes when does service start? When you connect,
or when you click accept?

Keep in mind that some devices like Nintendo DS' or Kindles can't use captive
portals, better implementations of portals recognise these devices and let
them connect.

In reality, what does the ToS really say, anyway? Don't do illegal stuff - but
that's illegal with or without ToS. For free WiFi, you only have X amount of
traffic - well, it's free WiFi, there's no obligation for service.

(Put simply, EULAs and ToS' also need to die - but that's a different
discussion.)

Billing is more interesting. One argument is it's 2017 - should we really
encourage billing for basic WiFi when bandwidth is cheap? One solution could
be to give users x amount for free, and only if they use all that use a
captive portal. It's not ideal, but at least it doesn't happen right at the
start. You could also simply have different SSIDs for paid and free.

~~~
neuland
> Not really - I don't think implementing legal considerations into technology
> is the way to go.

I think that's totally fair to say. But just know that the immediate answer
from Starbucks or whoever at that point is "Ok, then we'll continue doing what
we have to do".

With the ToS/EULA, I think it's really a cover-all protection measure. So, if
there's something that the user is doing that is illegal, the service provider
is not liable for the user. For example, I go to Starbucks and torrent Star
Wars; Disney sues Starbucks for facilitating me or whatever.

But I think your last point is where the argument breaks down. Yes, WiFi
should probably be free at this point. But, there are tons of reasons that are
valid (even marginally) someone would want to have someone connect to some
website before connecting to the rest of internet. Without providing some way
to do that, the terrible hacks will continue.

------
exodust
If my little web page containing a few photos of flowers is never moved to
HTTPS, is that bad in any practical sense at all?

Is there any plausible scenario whereby visiting such a basic site without any
forms or data collection over HTTP is in some way a disadvantage to HTTPS?

~~~
caf
Sure. A MITM can inject javascript into the HTML the user receives from your
site (just like the Comcast bandwidth cap example in the article) that causes
the browser to open phishing or browser exploit pages.

~~~
exodust
Ok, fair enough. MITM attacks seem to be the consensus and good enough reason
to move the flower page over to HTTPS.

------
tobltobs
What is the situation with available Adsense ads? Do I still have to expect
lower inventories of HTTPS enabled ads and thereby less income if I switch to
HTTPS? I understand that this depends on the target audience. Did anybody
experience a drop at the beginning and later recovering?

------
Mindless2112
I'll believe we've hit the tipping point when I type "example.com" into the
browser address bar and it takes me to https://example.com rather than
http://example.com.

------
arbuge
For us this came when cPanel started including it by default. All you needed
to do was a few lines in your .htaccess to forward all http requests to their
equivalent https ones. Almost all our sites except for a few edge cases are
switched over now.

------
sp332
It's definitely hit a tipping point for me. I installed HTTP Nowhere a couple
of weeks ago and hardly ever run into a site I can't at least load up in the
Internet Archive!

------
mzzter
Services like cloudflare make it dead-easy to set up https. The more one-click
https setups there are the faster we'll vault right over the tipping point.

------
_pdp_
Sorry but I disagree.

Please install PanicMode browser extension for Chrome
(https://chrome.google.com/webstore/detail/panic-mode/lamdafciglhnjofdfejeepoemldmblkb)
and try to surf the web for a day. You
will know what I mean as soon as you go through this experiment.

Disclaimer: I am the author of this extension. I wrote the extension for
personal reasons and it is very simplistic in nature. If you turn PanicMode on
it will replace every outgoing http:// url with https://. It does nothing else
besides that and unlike HTTPS
Everywhere it has no exceptions list or special handling of the top 100 sites,
etc. The site you are visiting should either support https:// or
it will blow up in your face, which is exactly what happens 90% of the time.

Edit: Besides just because Firefox is seeing more HTTPS traffic means nothing
if all the traffic comes from Facebook, Google, YouTube and a few others. Yes,
there is more traffic and yes it is encrypted but does it really say anything
about the state of the web? Someone needs to put this data out to make it
clear.
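
An added example, not part of the thread: the contrast lucideer and _pdp_ draw between the share of page loads and the share of unique sites, computed over a constructed browsing history. The host names, the counts and the function name `https_shares` are assumptions made for illustration; a host counts as HTTPS only if every load seen for it was HTTPS.

```python
from urllib.parse import urlsplit


def https_shares(urls):
    """Return (page_load_share, unique_host_share) of HTTPS for an iterable of URLs.

    page_load_share weights every visit equally, so a few heavily visited
    sites dominate it. unique_host_share counts each host once, and a host
    only counts as HTTPS if no plain-HTTP load was seen for it.
    """
    loads = 0
    https_loads = 0
    host_all_https = {}  # host -> True while every load seen so far was HTTPS
    for url in urls:
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        host = (parts.hostname or "").lower()
        if scheme not in ("http", "https") or not host:
            continue  # skip about:, file:, ftp: and malformed entries
        is_https = scheme == "https"
        loads += 1
        https_loads += is_https
        host_all_https[host] = host_all_https.get(host, True) and is_https
    if not loads:
        return 0.0, 0.0
    return https_loads / loads, sum(host_all_https.values()) / len(host_all_https)


# Constructed sample: two heavily visited HTTPS sites plus a long tail of
# small sites visited once each, most of them HTTP only.
SAMPLE = (
    ["https://big-search.example/"] * 25
    + ["https://big-social.example/feed"] * 20
    + [f"http://small-site-{i}.example/" for i in range(50)]
    + [f"https://small-site-{i}.example/" for i in range(50, 55)]
)

if __name__ == "__main__":
    by_load, by_host = https_shares(SAMPLE)
    print(f"HTTPS share of page loads:   {by_load:.1%}")
    print(f"HTTPS share of unique hosts: {by_host:.1%}")
```
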

~~~
cpeterso
"HTTP Nowhere" is a Firefox extension that blocks all non-HTTPS requests. It
doesn't try to rewrite HTTP requests to HTTPS, though.

https://addons.mozilla.org/en-US/firefox/addon/http-nowhere/

~~~
Teapot
I can easily configure NoScript to only use HTTPS on, say, ¤.cn . Sites that
downgrade-redirect to http:// get stuck in a loop. Annoying for
everyone, so it raises awareness.

The prefs.js syntax is, noscript.httpsForced "¤.cn\n¤.ru\n __*.uk "

Edits: ¤ characters are asterisks.

