HyperText Transfer Protocol Secure (abbreviated as HTTPS) is a mechanism that allows a web browser or app to securely connect with a website. The main objective of HTTPS is to authenticate the visited website and protect privacy and integrity of the exchanged data.
For Google, HTTPS has become a very important mission especially in recent years.
As the company explains:
"Security is a top priority at Google. We are investing and working to make sure that our sites and services provide modern HTTPS by default. We're committed to making the web a safer place not only for Google users, but for all users. HTTPS makes it difficult for Internet Service Providers, governments and others to watch what you're doing online."
In brief, Google wants HTTPS not only at Google but in the world!
How Google Motivates HTTPS Migration?
On 06/08/2014 Google announced that HTTPS would become a ranking signal which made a huge impact on the Internet and motivated many websites to move from HTTP to HTTPS. Since then Google constantly showed it's will in order to create an HTTPS world.
Big and established websites were hesitating about moving to HTTPS becouse of 30x redirects due to Pagerank dilution. Therefore recently Google's Gary Illyes confirms 301, 302, 30x redirects do not lose any Pagerank value anymore.
Supporting HTTP2 on Chrome only if encrypted
HTTP/2 requires the use of encryption consequently a website should support HTTPS in the first place to be able to serve HTTP/2. This requirement is due to major browsers (Mozilla Firefox and Google Chrome) which have stated that they will only support HTTP/2 when it is used over an encrypted connection.
Marking HTTP sites as Non Secure on Chrome
Chrome’s security team announced on 08/09/2016 as a short-term plan that the browser will start marking HTTP sites that transmit passwords or credit cards as non-secure, beginning in January 2017. As part of a long-term plan they will mark all HTTP sites as non-secure.
Eventual treatment of all HTTP pages in Chrome will be
HTTPS Across Google
According to Google's statistics, 85 percent of requests sent from around the world to Google's servers used encrypted connections by the end of July 2016. That was 47 percent at the end of 2013. It seems google has done a good job in terms of HTTPS at it's own side.
This chart represents the percentage of requests to Google’s servers that used encrypted connections.
Handout/Google from https://www.google.com/transparencyreport/https/
HTTPS On Google
Below are Google's as well as some top sites HTTPS migration dates
Although Google moved to HTTPS long before many top websites such as Twitter, Facebook or Wikipedia, it was the last bringing HTTP Strict Transport Security(HSTS) to Google among them. Besides, as announced on Google Blog, HSTS is brought for the moment only to www.google.com. You can find more about HSTS and Google in this article HSTS on Google.com.
HTTPS On Top Sites
Google shared the data concerning a list of top 100 non Google sites on the Internet and their HTTPS states in February 2016. According to Google the sites in this list accounts for approximately 25% of all website traffic worldwide.
It is pointed out that the sites in the list will not be changed till the end of 2016 but their HTTPS states are updated regularly. I checked the report on 11/09/2016.
Out of top 100 non Google sites
- 46 Top Sites Work On HTTPS
- 39 Top Sites Have Modern TLS Configuration
- 36 Top Sites Have Default HTTPS
The results are not very promising in terms of HTTPS migration in the world. Google wishes HTTPS on top 100 most trafficked (non Google) sites on the Internet by the end of 2016. Unfortunately it will not become real however, for sure migration will be accelerated after Chrome will be marking as "Not Secure" insecure HTTP sites beginning in January 2017 and then eventually all http sites.
Please find Google's HTTPS report at https://www.google.com/transparencyreport/https/grid/
Have comments, questions or feedback about this article? Please do share them with us here.
If you like this article