
Moving more of the web to HTTPS



Date: 3 Mar 2017

Organisation: Google Chrome

Writer: Parisa Tabriz, Director for Engineering

 

Every time someone connects to a website or shares information over the Internet, data gets transferred via HTTP, or hypertext transfer protocol. Simply put, HTTP is the basis for communicating on the web. But not all HTTP connections were created equal. Some connections are protected from snooping and so-called ‘man-in-the-middle attacks’ by encryption, while other connections are not. HTTPS is an encrypted HTTP connection, making it more secure. If you own or run a website, implementing HTTPS is important to protect the integrity of your website and to preserve the privacy and security of your users.

Why migrate your site to HTTPS?

Intentionally malicious attackers may exploit unprotected, or unencrypted, communications to trick your website visitors into sharing sensitive information or installing malware that can create security vulnerabilities. There are also those who’ll try to modify or inject intrusive content into your web pages.

HTTPS encryption is the modern-day method of protecting electronic information, just as safes and combination locks protected information on paper in the past. It is a technological implementation of cryptography: information is converted to an unintelligible form—encoded—such that it can only be translated into an understandable form—decoded—with a key. HTTPS isn’t only for banks and online merchants who handle payments or other potentially sensitive information. It’s for every website, and is the future of a secure-by-default web!

HTTPS migration trends

Challenges in site migration discouraged HTTPS adoption for several years. At Google we’ve worked alongside others across the online ecosystem to better understand and address these challenges. We’ve found that over time, the effort and cost required to implement HTTPS have declined.

Today, secure web browsing over HTTPS is becoming the norm. Desktop users load more than half of the pages they view over HTTPS and spend two-thirds of their time on HTTPS pages. HTTPS is less prevalent on mobile devices, but we see an upward trend there, too.

Percentage of pages loaded over HTTPS by different browsers

Source: HTTPS Report Card, Google Transparency Report

How Google’s keeping people online safe and informed

You can tell if your connection to a website is secure if you see HTTPS (rather than HTTP) in the URL. But we realize that not everyone understands what the “S” stands for. This is why we made it a lot easier for the average Internet user to tell whether their connection is safe by showing a green lock in the address bar in Google Chrome.

Different signals Google Chrome shows to tell whether the connection to a website is secure

As an additional signal, we’ve recently started marking HTTP pages that collect passwords or credit card details as “not secure” in the address bar, as part of a long-term plan to mark all HTTP sites as non-secure.

Address bar of the browser with “not secure” signal

Working towards a web that’s 100% encrypted

To help webmasters with site migration, we’ve published tips to enable sites to transition correctly, and will continue to improve our web fundamentals guidance.

Last year we added an HTTPS Report Card to our Transparency Report that includes data about how HTTPS usage has been increasing over time. It also shows how much of Google’s online properties are HTTPS encrypted, as well as the state of encryption among the most visited sites around the world.

Through these efforts we hope to bring about real change, and move towards a web with ubiquitous HTTPS.
