Use of HTTPS among top sites is growing, but weirdly so is deprecated HTTP public key pinning
Better than nothing!
The adoption of HTTPS among the top million sites continues to grow with 38.4 per offering secure web connections.
A study by web security expert Scott Helme, published on Tuesday, found that HTTPS adoption by the web's most-visited sites had grown more than 7 percentage points from 30.8 per cent over the last six months since October 2017. Helme's latest biannual web security sitrep threw up the surprising finding that a security technology Google decided to depreciate last October has risen, not shrunk, in popularity.
"The most surprising thing is probably the string growth in HPKP [HTTP public key pinning], a technology being abandoned by many and soon Google Chrome too," Helme told El Reg.
Google said it was abandoning HPKP, a next-generation web crypto technology it initially championed, back in October, as previously reported. Experts including Helme and Ivan Ristic have criticised the technology as being both tricky to apply and potentially calamitous, if incorrectly set up. Fast forward four months and Helme has found that larger sites are less likely to use HPKP, the reverse of the trend for every other metric.
Paul Moore, another infosec expert with a keen interest in web security, praised Helme's latest study. "My only comment would be the lack of a deep/context aware scan... meaning sites which don't use headers [at landing page] may use them elsewhere, as and when they feel necessary... something the scan wouldn't and couldn't reveal."
Helme concluded: "Whilst the rate of adoption for HTTPS has slowed, we're still seeing good growth in the numbers. All metrics are seeing positive growth and our push towards an encrypted web is still making great progress."
Certificate authority Let's Encrypt has continued to grow its presence in the top 1 million sites on the web. By contrast there's almost no growth in the use of EV (extended validation) certificates, according to Helme.
The payment industry is due to pull support for TLSv1.0 support within its PCI DSS credit card processing standard from June onwards. Scans run by Helme show that the vast majority of the web's most-visited locales have already prepared for this change by switching to more robust protocols, such as TLSv1.2. ®