Give yourselves a pat on the back, top million websites, half of you now use HTTPS

More than half (51.8 per cent) of the Alexa Top 1 Million sites are actively redirecting to HTTPS for the first time. The milestone was crossed during another strong six months moving towards a fully encrypted web, according to the latest stats from security researcher Scott Helme, published on Friday. Back in February, at …

  1. alain williams Silver badge

    Extended validation certificates

    What is the point of them ?

    OK: I know that they are supposed to give the visitor extra confidence that they are going to somewhere trustworthy & all that, but how many even have a clue what the green padlock means ?

    That is the problem: most neither know nor care. So why pay for something that few notice ?

    1. ivan5

      Re: Extended validation certificates

      Add to that: and also prevents people with older browsers accessing the site.

      1. BillG

        Let's Encrypt Certificates

        Let's Encrypt stats show 53.5 million active certificates issued, with an average of 600,000 more issued every day.

        From what I've seen Let's Encrypt only offers free 90-day certificates. At the end of the 90-day period you have to have a new certificate issued. So the 600,000 issued daily includes some churn.

        Does anyone offer a free 2-year SSL certificate for general public use (not privately signed)?

        1. Tomato42

          Re: Let's Encrypt Certificates

          @BillG the whole point of LE is to automate the issuance of certificates. And for an automated script it doesn't matter if the issuance is every week or every year.

          1. BillG

            Re: Let's Encrypt Certificates

            @Tomato42 that's fine if you own the server. But for those of us that pay for hosting that means we need to pay for installing a new certificate every 90 days.

            If I can pay $29 for a one-year Comodo certificate, installed, that makes better financial sense.

            1. Tomato42

              Re: Let's Encrypt Certificates

              @BillG: Then get a better hosting provider that won't nickel and dime you on things that are mandatory for modern web operation (HTTP/2 anyone?)

              1. BillG

                Re: Let's Encrypt Certificates

                @Tomato42 who the hell said they nickel and dime me? I've been with them for 20 years hosting more than a dozen sites off and on, and their hosting has been excellent - more importantly their tech support has been amazing. A choice of Windows and Linux hosting, SmarterMail and SmarterStats (much superior to Google Analytics), cloud services, and a lot more. I'm not going to pout and run off just because I'm charged for installing SSL certificates when technically they are absolutely perfect.

                I'm not one of those people that throws a tantrum because I'm only satisfied 99 out of 100 times. People like that are never happy in life.

                1. Tomato42

                  Re: Let's Encrypt Certificates

                  well, if they are so amazing and you have such good relationship with them – ask them to implement support for automatic provisioning of Let's Encrypt certificates

    2. katrinab Silver badge

      Re: Extended validation certificates

      What's the point of EV?

      If you go to hsbc.co.uk, it tells you the site is owned by HSBC Holdings plc.

      If you go to hsbc-payments.co.uk (seen on a phishing email earlier today), it doesn't, so you know it isn't genuine.

  2. nematoad

    I'm not surprised.

    I note with some amusement that the Daily Mail is one of the guilty parties.

    That's probably because the editor and minions feel that HTTPS is a foreign plot to control the voice of the people and by not succumbing they have "Taken back control".

    1. tiggity Silver badge

      Re: I'm not surprised.

      I despise the mail but unless it has ability to login as a user then it could argue https not needed.

      If your website is just content (no matter how dismally click-baity) and users are not trying to give you username / password details then it's probably not a high priority.

      I maintain a couple of content based sites (just html, xml, images & css, no JS used), no user login needed, and the only way those sites will go to https is if the hosting provider does it on my behalf, as all I'm bothered about is periodically updating content.

      1. Anonymous Coward

        Re: I'm not surprised.

        Doesn't that mean that anyone sitting between your browser and the server can inject whatever they like into the pages served by the server before they reach your browser? Just because a site doesn't need a secure connection to serve its pages, that doesn't mean you should assume you're safe when you visit it.

        1. 0laf

          Re: I'm not surprised.

          ^ is the often missed point in the conversation. HTTPS protects the integrity of your website to prevent hotels, cafes and any other seller of captive portal wifi from adding their adverts to your site. It also stops ne'er-do-wells from doing the same to attack customers of your site.

          In fairness this is a point I missed myself for a good while.

          1. Wensleydale Cheese

            Re: I'm not surprised.

            "HTTPS protects the integrity of your website to prevent hotels, cafes and any other seller of captive portal wifi from adding their adverts to your site. It also stops ne'er-do-wells from doing the same to attack customers of your site.

            In fairness this is a point I missed myself for a good while."

            Agreed. Troy Hunt's Youtube video Here's Why Your Static Website Needs HTTPS (duration 24:18) points out the MITM problem and problems such as browser hijacking and crypto-mining to the mix of "Things that can go wrong with plain HTTP for your website visitors".

          2. nagyeger

            Re: I'm not surprised.

            Yes, this would be the point that makes me think of rolling out HSTS. But I'm also thinking of dumping TLSv1, and those two decisions put together means some of our readers (the ones with android 4 devices) get kicked off the site....

            Maybe I need to convince relevant people we need a mobile version of the site which does older TLS versions, and conditional redirects / header setting.

        2. DavCrav

          Re: I'm not surprised.

          "Just because a site doesn't need a secure connection to serve its pages, that doesn't mean you should assume you're safe when you visit it."

          Since they were talking about the Daily Mail, I think the bad actors have already injected nasty stuff into the pages. In fact, hackers are likely to make the page better, not worse.

      2. Tom -1

        @tiggity Re: I'm not surprised.

        As the Daily Mail site, unlike yours, does feature login (with the option of logging in using Facebook, or Twitter, or a Google account; with your email address as a username) it does have the ability to log in as a user. However the login page does use https, so they aren't completely crazy. Just thoroughly crazy, as they apparently think it's OK that anyone who can get in between user and site can delete anything they don't like from (and add any junk they do like to) what people will see on any page but the login page.

  3. Charlie Clark Silver badge

    Alexa data set is poor

    Not least because it contains a lot of duplicate hosts, but also because it's not very representative. httparchive recently switched to using the CrUX dataset, which is both more representative (because Google has all those websites providing the anonymised data) and doesn't have duplicate hosts. This data set puts https at around 75% of websites.

  4. CAPS LOCK

    Point me to site encryption instructions for the ...

    ... lazy and hopeless.

    1. Anonymous Coward

      Re: Point me to site encryption instructions for the ...

      ... lazy and hopeless.

      Sure - letsencrypt.org

      I know, as for some reason I recognise the description.

      1. holmegm

        Re: Point me to site encryption instructions for the ...

        And unless you want to renew it yourself every couple of months (or rig up a script yourself to do it), just get a host that integrates it into cPanel and auto-renews it for you.

        Hey, he did say for the lazy and hopeless. We have to stick together.

    2. holmegm

      Re: Point me to site encryption instructions for the ...

      "Point me to site encryption instructions for the ...... lazy and hopeless."

      1. Move your site to SiteGround.

      2. Enable Let's Encrypt (in cPanel)

      3. You're done.

    3. OhThatGuy

      Re: Point me to site encryption instructions for the ...

      You might start at https://letsencrypt.org/getting-started/.

      In my case laziness is at the level of using Synology Diskstation for a web server, and there it is easy to configure LE support ;-)

  5. GrumpenKraut

    image: keyboard with...

    ...one key having a word on it related with the article's content.

    Pretty please let that die!

  6. Anonymous Coward

    HTTPS? Too little too late for the Facebook HIVE era

    The Web for me these days is STARTPAGE.com 'Proxy'.

    If I can't open a webpage using that, I don't even bother...

  7. Matt Black

    El Reg?

    Doesn’t seem so long ago this site changed over to https...

  8. Jay Lenovo

    Uppity web standards

    Better sites have trusted certificates. Po' folk browse on port 80

    Stop this prejudiced madness.

    How about something more useful like "Warning!, You've landed on a Google Service page, all your data will be slurped".

  9. Tomato42

    ECDSA?

    In his blog post, Helme noted that more secure ECDSA

    ECDSA is not more secure than RSA, it's just faster for the currently necessary security margins. And once quantum computers enter the picture they are much less secure.

  10. Anonymous Coward

    Time to move providers

    I guess it's time we moved off of GoDaddy. We have a pretty simple static site, nothing critical or sensitive, but for some of the reasons mentioned above (thanks for the info and links, guys) we'll be moving to HTTPS. Since we don't have anything critical, I'd like to just set up Let's Encrypt, but we have a basic WP site on GoDaddy. GoDaddy also happens to sell SSL certs, so no way to use LE. Time to start hunting for a new provider. We'll probably ride it out until our GoDaddy hosting is due for renewal.

    1. Anonymous Coward

      Re: Time to move providers

      Dreamhost provide Let's Encrypt for WordPress sites and automatically update them every 90 days, free of extra charge.
