Slashdot Mirror


Google Says 64 Percent of Chrome Traffic On Android Now Protected With HTTPS, 75 Percent On Mac, 66 Percent On Windows (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: Google's push to make the web more secure by flagging sites using insecure HTTP connections appears to be working. The company announced today that 64 percent of Chrome traffic on Android is now protected, up 42 percent from a year ago. In addition, over 75 percent of Chrome traffic on both ChromeOS and Mac is now protected, up from 60 percent on Mac and 67 percent on ChromeOS a year ago. Windows traffic is up to 66 percent from 51 percent. Google also notes that 71 of the top 100 websites now use HTTPS by default, up from 37 percent a year ago. In the U.S., HTTPS usage in Chrome is up from 59 percent to 73 percent. Combined, these metrics paint a picture of fairly rapid progress in the switchover to HTTPS. This is something that Google has been heavily pushing by flagging and pressuring sites that hadn't yet adopted HTTPS.

  1. Well done! by duke_cheetah2003 · · Score: 2

    Despite Google's other not so nice activities, I gotta give them a thumbs-up here. Getting the web to transition away from HTTP to HTTPS is fantastic. There's no reason for skimping on your web server anymore, encryption is easy and even crappy virtual machines can serve up HTTPS without issue. Good job Google.

    As a side effect, this action they've promoted and encouraged mitigates the new WPA2 insecurity quite nicely. Not such a big deal if WPA2 is broken into, only to expose lots of HTTPS and/or VPN tunneling, and you're back to the drawing board. You just can't have enough security and layers of encryption.

    1. Re: Well done! by Anonymous Coward · · Score: 2, Insightful

      Yeah, it's not like Let's Encrypt offering automated certificates for free had anything to do with it.
      It was Google showing a message about HTTP being insecure.

    2. Re:Well done! by arth1 · · Score: 5, Insightful

      Despite Google's other not so nice activities, I gotta give them a thumbs-up here. Getting the web to transition away from HTTP to HTTPS is fantastic. There's no reason for skimping on your web server anymore, encryption is easy and even crappy virtual machines can serve up HTTPS without issue. Good job Google.

      You're too quick to give them credit. Follow the money trail. HTTPS and SPDY make it far easier to ensure that ads are transmitted, and to whom. That HTTPS largely defeats anonymous proxy caching and other techniques that make counting ad impressions harder is why Google pursues it; security is how they sell it, despite it being slower, to a high degree defeats bandwidth saving techniques, and requires extra resources on both server and client endpoints.

      There's little reason why publicly available non-controversial information should be encrypted, and that makes up the majority of the web. Snooping traffic generally doesn't happen mid-transfer, but at the end point, by companies like Google and their partners. HTTPS does nothing to prevent that.

    3. Re:Well done! by Anne Thwacks · · Score: 2

      You can keep your thumbs up, but, while anyone can implement HTTPS, few can do so without paying well over the odds for a cert. A cert is issued by a computer after a trivial amount of computing time, on the basis of the most trivial of investigation (probably only a check of the domain registry). This is about $0.1 worth of service, for which you are charged over $50, but there is no competition. Various attempts at not for profit cert issuing have been stifled by the big boys.

      This is a big time scam.

      To promote this scam, Google et al have been deprecating sites with actual information on, in favour of shopping sites and their "affiliates" to the extent that Google searches are massively less useful than in 1997 unless you are a shopper.

      Something must be done - I don't care if governments or blockchains are involved, but if everyone is forced to have a cert, they should bloody well be free! If someone is allowed to run a registry, they should be required by law (on pain of billion dollar fines, pitchforks or nuking from high orbit as required) to issue certs to all the domains they register to whoever registered them. The payment card operator is required to verify who owns the card - so the registry, who knows who paid, knows the identity of the domain's owner.

      --
      Sent from my ASR33 using ASCII

  2. Is this to control who is allowed a Web site? by Anonymous Coward · · Score: 2, Interesting

    If everyone needs a certificate, you can hold them back from people or invalidate them.

    It just seems like the real reason for this, why should a cat meme site need https for example.

    1. Re:Is this to control who is allowed a Web site? by swillden · · Score: 3, Informative

      why should a cat meme site need https for example

      To protect the users of the cat meme site from malicious parties on the network between their browser and the cat meme site. I don't mean to keep the cat memes secret, obviously that doesn't matter much. The purpose is to ensure that the code executed by the user's browser is the code sent by the cat meme site, not something else intended to exploit browser vulnerabilities to hijack the user's computer.

      For lots of sites we could use a TLS cipher suite that doesn't actually encrypt anything. It's the authenticity and integrity properties of TLS that are valuable for every site. Encryption only matters for some.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.

    2. Re: Is this to control who is allowed a Web site? by tepples · · Score: 2

      The purpose is to ensure that the code executed by the user's browser is the code sent by the cat meme site, not something else intended to exploit browser vulnerabilities to hijack the user's computer.

      The cat meme site doesn't need to run javascript.

      Then let me restate the spirit of swillden's comment for the noscript case:

      The purpose is to ensure that the HTML markup, CSS code, image data, audio data, and video data interpreted by the user's browser is the HTML markup, CSS code, image data, audio data, and video data sent by the cat meme site, not something else intended to exploit browser vulnerabilities to hijack the user's computer.

  3. That's interesting? by hcs_$reboot · · Score: 2

    That's interesting because, at first glance, the http(s) traffic has nothing to do with the user's computer OS, would it be a Mac or Windows. On average, Windows users tend to visit less secure websites than Mac users. OTOH, people usually don't really choose a website based on if it's https or not - except if it's for a payment, login, or subscription. Or would Windows users be a bit less security sensitive than Mac users, when it comes to performing these private transactions?

    --
    Slashdot, fix the reply notifications... You won't get away with it...

    1. Re:That's interesting? by arth1 · · Score: 3, Interesting

      Look for the simplest solutions. Like Mac users visiting shopping sites more. i.e. a correlation between being a consumerist and using a Mac.

  4. Now stop breaking https by mattr · · Score: 2

    Now we just need public wifi to stop breaking https!

  5. And get rate-limited by Let's Encrypt by tepples · · Score: 2

    There's no reason for skimping on your web server anymore, encryption is easy and even crappy virtual machines can serve up HTTPS without issue.

    One reason is that your web server is private, and you don't own a domain.

    In order to set up HTTPS traffic to the owner of a home router, printer, or NAS, its owner would first have to acquire a domain and a certificate for said device. But as I understand it, most providers of dynamic DNS on a subdomain without charge still aren't in the Public Suffix List. And if the domain in which your subdomain is registered hasn't completed the process to be added to the Public Suffix List, and 20 other customers on the same subdomain have already obtained a certificate from Let's Encrypt in the past week, Let's Encrypt will refuse to issue you a certificate on rate limit grounds. This means that even if you do buy a router, printer, and NAS with Let's Encrypt integration, you'll need to buy a domain for your home LAN and continue to renew it.
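
The rate-limit grouping described in the comment above, as an added example that is not part of the original comment and is not Let's Encrypt's code: a host's certificates are counted against its registered domain, which is the longest matching public suffix plus one label. The suffix set, provider names, hostnames and dates are constructed, and the limit of 20 per week is the figure given in the comment.

```python
from datetime import datetime, timedelta

# Constructed stand-in for the Public Suffix List: exact rules only,
# no wildcard or exception rules. "listed-dyn.example" is a hypothetical
# dynamic DNS provider that is on the list; "dyn.example" is one that is not.
PUBLIC_SUFFIXES = {"example", "listed-dyn.example"}

LIMIT = 20                   # certificates per registered domain (figure from the comment)
WINDOW = timedelta(days=7)   # "in the past week"


def registered_domain(host, suffixes=PUBLIC_SUFFIXES):
    """Return the longest matching public suffix plus one label to its left."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):          # i = 0 tries the longest candidate first
        if ".".join(labels[i:]) in suffixes:
            if i == 0:
                raise ValueError(f"{host} is itself a public suffix")
            return ".".join(labels[i - 1:])
    raise ValueError(f"no public suffix matches {host}")


def may_issue(host, issued, now):
    """issued: list of (hostname, datetime) for certificates already issued."""
    bucket = registered_domain(host)
    recent = sum(1 for name, when in issued
                 if now - when <= WINDOW and registered_domain(name) == bucket)
    return recent < LIMIT


def sample_log(provider, now):
    """Constructed log: 20 customers of one provider got certificates this week."""
    return [(f"user{n}.{provider}", now - timedelta(days=n % 7)) for n in range(20)]


if __name__ == "__main__":
    now = datetime(2017, 10, 20)  # constructed date
    for provider in ("dyn.example", "listed-dyn.example"):
        host = f"mynas.{provider}"
        log = sample_log(provider, now)
        print(host, "->", registered_domain(host), "issue?", may_issue(host, log, now))
```

Under the unlisted provider every customer shares the `dyn.example` bucket, so the 21st request in the week is refused; under the listed provider each customer's subdomain is its own bucket.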

  6. Re:How does Google get this? by swillden · · Score: 2

    Remember that Google also performs a security check of every web address to make sure it is not a malware site.

    Only if you agreed to turn that on.

    It's actually a really good idea from a security perspective, assuming you're comfortable with Google receiving that information. I am... but then I browse logged in to a Google account, and have Web History turned on. I find it very useful to be able to search and review my own browsing history. YMMV, and you have to make the privacy vs security/convenience tradeoff yourself. The controls are there to allow you to do it.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.