HTTPS Adoption Has Reached the Tipping Point (troyhunt.com)
Security expert Troy Hunt, who is perhaps best known for creating the Have I Been Pwned data breach service, argues that adoption of HTTPS has reached the tipping point, citing "some really significant things" that have happened in the past few months. From a blog post: We've already passed the halfway mark for requests served over HTTPS -- This was one of the first signs that we'd finally hit that tipping point and it came a few months ago. This is really significant -- Mozilla is now seeing more secure traffic than it is non-secure traffic. Now that doesn't mean that most sites are now HTTPS because that figure above has a huge portion of traffic served from a small number of big sites. Twitter, Facebook, Gmail etc. all do all their things over HTTPS and that keeps that number quite high. Hunt also cited security aficionado Scott Helme's recent analysis, which found that the number of websites listed in Alexa's top one million websites that have adopted HTTPS has more than doubled in the year from August 2015 to August 2016. Troy adds: Browsers are holding non-secure sites more accountable. Chrome 56 is now holding sites using bad security practices to account (by flagging a "not secure" label in the address bar when you visit such websites). Many sites you wouldn't expect are now going HTTPS by default. (He cites websites such as ArsTechnica and NYTimes as examples.) Making more cases for his argument, Hunt adds that HTTPS sites are not as slow as they used to be, and that services such as Let's Encrypt and Cloudflare have made it free and easy to add this security feature.
The HTTPS negotiation was slower than HTTP, but the actual encryption took valuable server compute resources
True, TLS increases CPU overhead for a site that just serves static documents. But web applications have also become more dynamic since the late 1990s when SSL (now called TLS) was invented. With more server-side processing for each page view, the fraction of server CPU time devoted to actually sending the resource to the PC has diminished. I grant that the cost is greater than zero, but the benefit is also greater than zero.
There are solutions today, but none are free
I thought NGINX as the frontend reverse proxy in front of your application server was free software under the 2-clause BSD license.
You need to update your knowledge base. The overhead of SSL vs. non-SSL is on the order of 2-5% with a modern CPU. A decent set of Intel Xeons can push upwards of 3GBps (that's 24Gbit/s) in encrypted traffic per CPU. Even before HTTP2 there were various methods of speeding up SSL but the whole thing adds less than 2-3ms even on old hardware with relatively up-to-date web servers.
It must be a recent change, but you're right. I remember it being http except when dealing with transactions. I'm glad I'm wrong. Now I wish I could delete my original post.