Google’s efforts to knock the web into a state of HTTPS-by-default are showing signs of working, with a significant rise in HTTPS traffic on Chrome on Android, Windows, Mac, and Chrome OS.
A year ago Chrome traffic crossed a key threshold, when traffic protected by HTTPS on Windows passed the 50 percent mark. As of October 14, the figure for Chrome on Windows stands at 66 percent.
The percentage of HTTPS page loads on Chrome is growing on all platforms. HTTPS traffic on Android is now 64 percent compared with 42 percent a year ago. HTTPS-protected traffic on Chrome for Mac and ChromeOS is 75 percent, up from 60 percent and 67 percent respectively a year ago.
Google also notes that 71 of the 100 most popular sites have now enabled HTTPS by default, up from 37 a year ago.
According to Google’s HTTPS encryption transparency report, 73 percent of pages loaded in the US in Chrome on Windows use HTTPS, up from 59 percent a year ago.
It reports slightly lower levels in other major markets, such as Brazil, Germany, France, and Russia, but all are trending upwards in a similar fashion. HTTPS page loads in Japan are also rising, but only account for 55 percent of all pages, up from 31 percent a year ago.
Google has created numerous incentives and penalties to encourage and prod developers into enabling HTTPS, from making it a positive ranking signal in search to changing Chrome’s security warnings for HTTP pages and sponsoring the Let’s Encrypt certificate authority, which provides free digital certificates.
Chrome now has over a billion users, and Google requires HTTPS for newer browser features that allow websites to access hardware, such as a computer’s camera or microphone.
This year, Google began operating its own Root Certificate Authorities to issue SSL certificates for its products and has recently launched a managed SSL service for App Engine customers.
And the company has started enabling enforced or ‘Strict’ HTTPS (HSTS) for its top-level domains (TLDs) such as .foo and .dev to ensure that all sites under these TLDs follow the HSTS policy after acquiring a digital certificate.
Let’s Encrypt meanwhile has been issuing as many as one million certificates per day this year and currently reports that 63 percent of pages loaded by Firefox use HTTPS.
“HTTPS is easier and cheaper than ever before, and it enables both the best performance the web offers and powerful new features that are too sensitive for HTTP,” wrote Emily Schechter, a Chrome security product manager.