
Use of HTTPS among top sites is growing, but weirdly so is deprecated HTTP public key pinning

Better than nothing!

By John Leyden


The adoption of HTTPS among the top million sites continues to grow, with 38.4 per cent of them now offering secure web connections.

A study by web security expert Scott Helme, published on Tuesday, found that HTTPS adoption by the web's most-visited sites had grown by more than 7 percentage points, from 30.8 per cent, over the six months since October 2017. Helme's latest biannual web security sitrep threw up the surprising finding that a security technology Google decided to deprecate last October has risen, not shrunk, in popularity.

"The most surprising thing is probably the strong growth in HPKP [HTTP public key pinning], a technology being abandoned by many and soon Google Chrome too," Helme told El Reg.

Google said it was abandoning HPKP, a next-generation web crypto technology it initially championed, back in October, as previously reported. Experts including Helme and Ivan Ristic have criticised the technology as being both tricky to apply and potentially calamitous if incorrectly set up. Fast forward four months and Helme has found that larger sites are less likely to use HPKP, the reverse of the trend for every other metric.
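The configuration mistakes that make HPKP "potentially calamitous" can be checked before a header ever ships. The following Python checker is an added example, not code from Helme's scanner or from the article: it parses a Public-Key-Pins header and flags the RFC 7469 pitfalls (fewer than two pins, no backup pin outside the served chain, no pin matching the chain, a very long max-age). The SPKI hashes are constructed, and the 60-day max-age ceiling is an assumed policy, not a rule from the page.

```python
import base64
import re

# Matches each pin-sha256="<base64>" directive in an RFC 7469 PKP header.
_PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/=]+)"')

# Assumed policy: treat pins that clients would cache longer than 60 days as risky.
MAX_AGE_CEILING = 60 * 60 * 24 * 60


def parse_hpkp(header: str) -> dict:
    """Split a Public-Key-Pins value into its pin list and other directives."""
    pins = _PIN_RE.findall(header)
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part or part.lower().startswith("pin-sha256"):
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return {"pins": pins, **directives}


def check_hpkp(header: str, served_chain_spki_hashes: set) -> list:
    """Return findings that make this HPKP deployment dangerous for the site.

    served_chain_spki_hashes: base64 SHA-256 SPKI hashes of the certificates
    actually served. A pin set with no backup pin (a pin for a key that is not
    in the served chain) locks clients out after a routine certificate change.
    """
    parsed = parse_hpkp(header)
    findings, valid_pins = [], []
    for pin in parsed["pins"]:
        try:
            if len(base64.b64decode(pin, validate=True)) == 32:
                valid_pins.append(pin)
                continue
        except ValueError:
            pass
        findings.append(f"malformed pin (not a base64 SHA-256 digest): {pin}")
    if len(valid_pins) < 2:
        findings.append("fewer than two pins: RFC 7469 requires a backup pin")
    if valid_pins and not set(valid_pins) & served_chain_spki_hashes:
        findings.append("no pin matches the served chain: clients would reject the site")
    if valid_pins and set(valid_pins) <= served_chain_spki_hashes:
        findings.append("no backup pin: a key rotation would lock out pinned clients")
    max_age = parsed.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("missing or non-numeric max-age")
    elif int(max_age) > MAX_AGE_CEILING:
        findings.append("max-age exceeds the assumed 60-day ceiling: mistakes persist that long")
    return findings


# Constructed sample values: fake SPKI hashes, not from any real certificate.
LEAF_PIN = base64.b64encode(b"\x01" * 32).decode()
BACKUP_PIN = base64.b64encode(b"\x02" * 32).decode()
SERVED_CHAIN = {LEAF_PIN}
GOOD_HEADER = f'pin-sha256="{LEAF_PIN}"; pin-sha256="{BACKUP_PIN}"; max-age=2592000; includeSubDomains'
BAD_HEADER = f'pin-sha256="{LEAF_PIN}"; max-age=31536000'

if __name__ == "__main__":
    print("good:", check_hpkp(GOOD_HEADER, SERVED_CHAIN))
    print("bad:", check_hpkp(BAD_HEADER, SERVED_CHAIN))
```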

Paul Moore, another infosec expert with a keen interest in web security, praised Helme's latest study. "My only comment would be the lack of a deep/context aware scan... meaning sites which don't use headers [at landing page] may use them elsewhere, as and when they feel necessary... something the scan wouldn't and couldn't reveal."

[Figure: Web security sitrep. Source: Scott Helme]

Helme concluded: "Whilst the rate of adoption for HTTPS has slowed, we're still seeing good growth in the numbers. All metrics are seeing positive growth and our push towards an encrypted web is still making great progress."

Certificate authority Let's Encrypt has continued to grow its presence in the top 1 million sites on the web. By contrast there's almost no growth in the use of EV (extended validation) certificates, according to Helme.

The payment industry is due to pull support for TLSv1.0 from its PCI DSS credit card processing standard from June onwards. Scans run by Helme show that the vast majority of the web's most-visited sites have already prepared for this change by switching to more robust protocols, such as TLSv1.2. ®
