back to article A third of you slackers out there still aren't using HTTPS by default

Almost a third of the world wide web's top million sites are still not using HTTPS by default, according to infosec researcher Scott Helme's analysis. In his Top 1 Million Analysis, in which he runs crawlers over a guessable number of websites, Helme published his findings on a variety of common internet security technologies …

  1. karlkarl Silver badge

    If that third suddenly started using encryption, I wonder how much more energy it would take (possibly needlessly if all those sites are doing is displaying pointless adverts anyway).

    1. captain veg Silver badge


      If a site is not exchanging any private and/or sensitive information, what's the point?


      1. adam 40 Silver badge

        Browser fascism

        What annoys me more is when the browser insists on it, this cutting you off from legacy websites (such as web pages on equipment) that will never change.

        1. martinusher Silver badge

          Re: Browser fascism

          I found out about this the hard way when my browser refused to connect to a site quoting some obscure key exchange error. It never occured to me that anyone would be so stupid as to require certificates on all sites because a relative handful of ecommerce sites need it. Althugh there's a huge industry built on the back of it the Web is just not a secure place, we wish it were so and so we all pretend it is like a mass halluncination (and are forever surprised when sites and transactions are compromised).

          But then the web itself is just a huge pile of ever more complex kludges built on a simple idea -- it seems that there's little to no thought about how the system could be made properly secure.

      2. Ken Hagan Gold badge

        Re: exactly

        The point is that "encryption" also includes proof that what you have received is what the site sent you, so man-in-the-middle attacks are harder. Of course, if (like most people?) you are blindly accepting anything that is signed then you'll accept the man-in-the-middle's signed malware so this point isn't actually useful.

        1. Anonymous Coward
          Anonymous Coward

          Re: exactly

          Firefox has that setting to check the cert signature hierarchy up to the top level.

          It's chromium based browsers that rely of Google cache instead. Which is fine for big sites like banks, but since the cache list is not published publicly, and since Chromium based browsers don't check the cert signature hierarchy for sites not in the cache, visiting less-visited sites is inherently risky.

          Chromium could easily offer the option to check the cert signature hierarchy for sites not in the cache, but they do not.

        2. mpi Silver badge

          Re: exactly

          Verifying message integrity and sender authentification are useful when you are downloading critical information such as compiled software, an install iso, etc.

          It is completely pointless when I am reading a simple read-only blog or similar content. I don't need to be able to verify message integrity when I am reading a recipe for pizza dough, a webcomic, read someones thoughts on the social life of dolphins, or follow the newest rant why (spaces, vim, c#) are better than (tabs, emacs, java).

          Not all information is critical.

        3. bombastic bob Silver badge

          Re: exactly

          self-hosted web pages (I like setting up my own frequently used link pages this way) and embedded systems (that only access 'localhost' let's say for a web-based UI) ABSOLUTELY DO NOT NEED HTTPS or SSL (in general).

          For this reason as well, "legacy" (not encrypted) http access MUST remain available.

          And can you imagine implementing SSL on an ARDUINO? You _CAN_ implement a config web page (I have done it) using a wifi or ethernet shield... using "legacy" http.

      3. Vadheterdu

        Re: exactly

        There's web site authentication as well as encrypted communication when using https. The authentication part could be useful even for Joe Blogz's random Wordpress site.

      4. Anonymous Coward
        Anonymous Coward

        Re: exactly

        Preventing injection?

      5. Alan_Peery

        Re: exactly

        What is private or not is not just a measure of what's on the site, but also who is reading it.

        A political example is Tianemen Square with a Chinese reader.

        A religious example is atheistic discussion with a reader from Saudi Arabia.

      6. Anonymous Coward
        Anonymous Coward

        Re: exactly

        well, one reason I was given was that, with unencrypted connection, it's possible to inject something nasty, presumably into the browser's browser.

        p.s. I'm one of those 33.333333% refuseniks. Though by no means in the first 1M... well, I dunno, whatever.

      7. swm

        Re: exactly

        I am the webmaster for a square dancing website hosted by bluehost. One day I was surprised that pages could be read with both http and https. The links on the website are all relative so if you connect with https all of the pages will be served using https. You get your choice.

        Although I'm not sure of the advantage of encrypting square dance schedules, club news etc.

      8. Anonymous Coward
        Anonymous Coward

        Re: exactly

        If a site is not exchanging any private and/or sensitive information, what's the point?

        A https stream prevents Google competitors offering analysis?

        I mean, there must be a reason why a data thief like Google supports SSL - you can be certain that it's not because they have your interests at heart.

    2. The Man Who Fell To Earth Silver badge

      But my cat wants his privacy

      That's why there's photos of him only his 10,000,000+ closest friends can see via https.

  2. Version 1.0 Silver badge

    HTTPS is secure but ...

    So you get an email with a link to your new purchase order on an HTTPS site and it downloads new_purchase_order.pdf.exe for you?

    Certainly HTTPS is a major security function but don't misinterpret "security" as secure.

  3. Anonymous Coward
    Anonymous Coward

    Reading between the lines.

    It's not that these sites are not using https, it's that they don't have a redirect in place. I. E. if you default to https (which most browsers do), then you will get the https.

    1. Anonymous Coward
      Anonymous Coward

      Re: Reading between the lines.

      We could argue that not having a redirect in place is a good thing from a protocol perspective. With one of my different hats on I would argue that it shouldn't be explicit.

      All that being said, convenience trumps strictness so I'm not surprised that the majority of sites are doing a 301/302 to the https equivalent even though as far as I understand it a 301 with a protocol change is discouraged (I'd find a reference, but it's been a long time)

      As a case in point,if you're running a public artefact repo (sonatype/jfrog etc) and you stick a 301 in to protocol switch http -> https, there's no guarantee that all the build tools in question will play nicely if they're configured for http...

      1. brotherelf

        Re: Reading between the lines.

        … as python-using folks found out a while ago.

        Fortunately, that could be fixed quite easily: browsers already send "upgrade-insecure-requests:1" in the request headers if they want that, so you can redirect conditional on that and that wget from CentOS 5 that doesn't speak TLS 1.2 and doesn't know today's CAs¹ will be none the wiser.

        Combine with a moderately-sized HSTS and, given that Key Pinning is deprecated, you have a reasonably-good-of-both-worlds.

        ¹ if that sounds suspiciously specific, it's because it is. Busybox offered a working wget, once I hid the old openssl from it so it would use its own implementation.

  4. cjcox

    Don't like mandates

    Encryption is always necessary. http is a valid protocol.

    Arbitrarily banning it would be like banning all DC movies in preference to Marvel (and yes, there are those that would support this).

  5. Anonymous Coward
    Anonymous Coward

    My site is purely informational

    I see no need for TLS.

    1. sreynolds

      Re: My site is purely informational

      So you are saying that your information has no value? You are being way too harsh on yourself mate.

      The point of moving to HTTPS was to stop ISP from profiting from your browsing - profits that would be moved from the people that track you. Securing you is of secondary concern.

  6. mpi Silver badge

    Why force HTTPS on simple read-only pages

    ...with no login features or transactions taking place?

    They display text. There is no login, there is no transactions. There are no cookies. The page visitors give up no secrets they aren't giving to their ISPs anyway.

    Forcing "HTTPS Everywhere" on such pages is similar to locking every door in a house, not only the front door. It doesn't increase security,

    1. Anonymous Coward Silver badge
      Paris Hilton

      Re: Why force HTTPS on simple read-only pages

      So that the man-in-the-middle can't inject malware, or adverts, or divert the existing adverts to their own (so they get the revenue)

      And why do you think that it's good to give the consumer ISPs more secrets? BT don't need to know that I have a fetish for midget porn and I wouldn't want them to start advertising such things to the family members who use the same connection.

      1. tiggity Silver badge

        Re: Why force HTTPS on simple read-only pages

        I maintain / update information a website for a not for profit local group, its purely read only, just has various info useful to that group*

        Its not hosted by me (using one of the lots of hosting companies out there).

        No need for https for that scenario, so its staying http (if it was free and hassle free to enable https with current hosts then I would, but their certs are non free & not fiddling around to see if its possible to get it to work with a free cert as that's not my idea of a fun way to spend some spare time, lots of things I want to do take precedence over that, even typing these inane reg comments )

        * deliberately not using fb or similar to push out the info as lots of group members don't use social media whereas website open to anyone to read.

        1. Anonymous Coward
          Anonymous Coward

          Re: Why force HTTPS on simple read-only pages

          If your host doesn't give you an easy to install free option, they are pretty crap IMHO.

          HTTPS means that when someone is on some dodgy WiFi somewhere, there's no-one injecting code into your site to compromise or track your users. Same with ISPs, there's a history of ISPs injecting adverts/code into websites, against end user best interests.

          1. hayzoos

            Re: Why force HTTPS on simple read-only pages

            If dodgy WiFi somewhere/your ISP injects adverts/code into "websites", they are pretty crap IMHO. BTW, it is not the websites having adverts/code injected, it is web browsing sessions.

            Realistically, the injection can occur even with HTTPS when adverts/code are being delivered from third party sites which is nearly always these days. <sarcasm>But those third party sites are mostly using HTTPS so they are secure.</sarcasm>

            Additional observation, if advert/code injection is occurring; the problem is deeper than HTTP/HTTPS. The entire communication channel should be encrypted. Maybe use a properly implemented/not crap VPN.

        2. DBH

          Re: Why force HTTPS on simple read-only pages

          Switch your domain registrar to cloudflare and let them handle it. It's free and registering for a free cloudflare account is more than half the job done, should take about 2 minutes

      2. captain veg Silver badge

        Re: Why force HTTPS on simple read-only pages

        This is like speculating that your newsagent might slip advertising flyers into your newspaper. It wouldn't take long before people noticed and started buying their papers elsewhere.


  7. thondwe

    Nice to see demise of EV

    Enterprise Cert vendors always urked me - all it says is I've paid someone else with a credit card to tell you this site is secure. Really the model should have been I've secured my site, do you trust ME and my own minted root cert!

  8. Glen 1

    Phorm Scandal

    People decrying HTTPS on this comment section have short memories.

    Phorm 'partnered' with BT (*Major* UK ISP) to inject ads to non-encrypted websites.

    HTTPS kills it (and similar systems) dead. Bonus points if you don't use your ISPs DNS servers.

    That said, if you're just going to switch to Google's DNS and continue using Googles' browser and mapping services...

    1. mattaw2001

      Re: Phorm Scandal

      I am with you - I can't believe that folks forget multiple home router companies and/or ISPs and/or cell companies have deployed on a large scale:

      1. Injecting ads into normal HTTP web sessions, either over the top of other ads or just straight up "click-thru" pages

      2. overriding DNS "not found" requests to redirect you to their ad spam sites (not quite HTTPS' territory but modern HTTPS will kill some kinds of this evil with CERT pinning). This broke multiple things as you got a valid webpage back, instead of a DNS not-found for every request!

      I'm sorry, but allowing your transport layer to know what is happening, beyond traffic class for QoS is just a bad move - think of it as "forced separation of concerns"? - I now like this phrase...

  9. yaronf

    RSA is still here

    The last few paragraphs of this article are confused and confusing, and really should be rewritten. RSA is in ubiquitous use today by both TLS 1.2 and TLS 1.3 for server authentication, what with almost all certificates out there still based on RSA.

    What's been removed from TLS 1.3 and is deprecated in TLS 1.2 (see RFC 7525) is the RSA *handshake*, as opposed to "first use Diffie-Hellman to establish an encrypted connection, then authenticate with RSA".

    I agree with Scott that people should be moving to ECDSA certificates, but unfortunately this has been slow going.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like