Use of HTTPS among top sites is growing, but weirdly so is deprecated HTTP public key pinning

Better than nothing!

By John Leyden

Posted in Security, 27th February 2018 15:03 GMT

The adoption of HTTPS among the top million sites continues to grow with 38.4 per offering secure web connections.

A study by web security expert Scott Helme, published on Tuesday, found that HTTPS adoption by the web's most-visited sites had grown more than 7 percentage points from 30.8 per cent over the last six months since October 2017. Helme's latest biannual web security sitrep threw up the surprising finding that a security technology Google decided to depreciate last October has risen, not shrunk, in popularity.

"The most surprising thing is probably the string growth in HPKP [HTTP public key pinning], a technology being abandoned by many and soon Google Chrome too," Helme told El Reg.

Google said it was abandoning HPKP, a next-generation web crypto technology it initially championed, back in October, as previously reported. Experts including Helme and Ivan Ristic have criticised the technology as being both tricky to apply and potentially calamitous, if incorrectly set up. Fast forward four months and Helme has found that larger sites are less likely to use HPKP, the reverse of the trend for every other metric.

Paul Moore, another infosec expert with a keen interest in web security, praised Helme's latest study. "My only comment would be the lack of a deep/context aware scan... meaning sites which don't use headers [at landing page] may use them elsewhere, as and when they feel necessary... something the scan wouldn't and couldn't reveal."

Web security sitrep. Click to enlarge [source: Scott Helme]

Helme concluded: "Whilst the rate of adoption for HTTPS has slowed, we're still seeing good growth in the numbers. All metrics are seeing positive growth and our push towards an encrypted web is still making great progress."

Certificate authority Let's Encrypt has continued to grow its presence in the top 1 million sites on the web. By contrast there's almost no growth in the use of EV (extended validation) certificates, according to Helme.

The payment industry is due to pull support for TLSv1.0 support within its PCI DSS credit card processing standard from June onwards. Scans run by Helme show that the vast majority of the web's most-visited locales have already prepared for this change by switching to more robust protocols, such as TLSv1.2. ®

Sign up to our NewsletterGet IT in your inbox daily

47 Comments

More from The Register

From July, Chrome will name and shame insecure HTTP websites

Shame! Shame! says carrot-dangling Google

Come in HTTP, your time is up: Google Chrome to shame leaky non-HTTPS sites from January

Web giant will start labeling insecure websites insecure

IETF protects privacy and helps net neutrality with DNS over HTTPS

Yes, this really is called DOH, but this one's far from a face palm

Australian Senate passes meaningless motion that says encryption is very useful

Token effort won't stop not-backdoors legislation

Let's Encrypt plugs hole that let miscreants grab HTTPS web certs for strangers' domains

Shared hosting oversight bites free SSL/TLS certificate org

Blogspot HTTPS extended

Crypto-gurus: Which idiots told the FBI that Feds-only backdoors in encryption are possible?

Brilliant boffins back bullsh*tting bureau bollocking

ISO blocks NSA's latest IoT encryption systems amid murky tales of backdoors and bullying

Experts complain of shoddy tech specs and personal attacks

FREE wildcard HTTPS certs from Let's Encrypt for every Reg reader*

* And everyone else, too, of course

Firefox 52 kills plugins – except Flash – and runs up a red flag for HTTP

New browser also crumbs cookies and finds new ways to speed web apps