HTTPS Nears Tipping Point

HTTPS adoption is approaching a tipping point. The protocol, which spells out a way to combine the traditional HTTP for accessing web pages with the TLS that keeps communications secure, will at some point become so common that it will effectively replace HTTP. It looks like that day may be just a year or two away.

There is ample precedent for this kind of transition on the Internet. UTF-8 became the predominant character encoding on the Internet in a period of a few months about five years ago. HTTPS went from being a novelty for web-based email, when Gmail adopted it in response to Chinese government hackers, to near-mandatory in the space of three or four years. It may take a longer transition for HTTPS to gain the same kind of dominance over the whole web, but there are good reasons to think that will follow.

HTTPS was introduced for the security of commercial transactions. Most of us first saw it in online shopping carts and checkouts. It was a few years before it became mandatory for those applications, and a few more before it spread to email and discussion forums. Now it is needed in so many places that it is clear it should ideally be the default for anything on the web. The threat that makes the best case for HTTPS now is spying: governments recording what web searches you make, and competitors sifting through the details of your web traffic to discover what is on your mind and on the minds of your customers.

The specifics of what documents and data are going back and forth are hidden by HTTPS, taking away a host of potential security problems.

If HTTPS is not ubiquitous already, it is because of the technical difficulties of implementing it. As of this writing, for example, it is possible to view this site over HTTPS, but your web browser probably will not permit it, noting a certificate mismatch. That is something that only I as the domain owner can address, and until recently, getting a security certificate was prohibitively expensive for a run-of-the-mill web domain. As of 2018, the certificate itself is no longer the obstacle, but a cluster of technical hurdles remains. It is when these obstacles are mostly solved that ordinary web sites will be able to deliver pages over HTTPS by default.

For now, we face a web that consists of an uneasy patchwork of HTTP and HTTPS. There are secure pages that include unsecured content and vice versa. Security-minded browsers may prevent some of these pages from displaying. Browser add-ons such as HTTPS Everywhere are available to help you navigate this transitional period. They can make large commercial sites more secure for the reader, but there is a risk that they may block some content on other sites or even render whole sites inaccessible. The same patience and good humor that helped us get through past Internet transitions will help us get through this one too.

