Use of HTTPS among top sites is growing, but weirdly so is deprecated HTTP public key pinning

Better than nothing!

By John Leyden


The adoption of HTTPS among the top million sites continues to grow, with 38.4 per cent now offering secure web connections.

A study by web security expert Scott Helme, published on Tuesday, found that HTTPS adoption by the web's most-visited sites had grown more than 7 percentage points, from 30.8 per cent, over the six months since October 2017. Helme's latest biannual web security sitrep threw up the surprising finding that a security technology Google decided to deprecate last October has risen, not shrunk, in popularity.

"The most surprising thing is probably the strong growth in HPKP [HTTP public key pinning], a technology being abandoned by many and soon Google Chrome too," Helme told El Reg.

Google said it was abandoning HPKP, a next-generation web crypto technology it initially championed, back in October, as previously reported. Experts including Helme and Ivan Ristic have criticised the technology as being both tricky to apply and potentially calamitous, if incorrectly set up. Fast forward four months and Helme has found that larger sites are less likely to use HPKP, the reverse of the trend for every other metric.

Paul Moore, another infosec expert with a keen interest in web security, praised Helme's latest study. "My only comment would be the lack of a deep/context aware scan... meaning sites which don't use headers [at landing page] may use them elsewhere, as and when they feel necessary... something the scan wouldn't and couldn't reveal."

[Figure: Web security sitrep. Source: Scott Helme]

Helme concluded: "Whilst the rate of adoption for HTTPS has slowed, we're still seeing good growth in the numbers. All metrics are seeing positive growth and our push towards an encrypted web is still making great progress."

Certificate authority Let's Encrypt has continued to grow its presence in the top 1 million sites on the web. By contrast there's almost no growth in the use of EV (extended validation) certificates, according to Helme.

The payment industry is due to pull support for TLSv1.0 from its PCI DSS credit card processing standard from June onwards. Scans run by Helme show that the vast majority of the web's most-visited locales have already prepared for this change by switching to more robust protocols, such as TLSv1.2. ®
