Use of HTTPS among top sites is growing, but weirdly so is deprecated HTTP public key pinning

Better than nothing!

By John Leyden


The adoption of HTTPS among the top million sites continues to grow, with 38.4 per cent offering secure web connections.

A study by web security expert Scott Helme, published on Tuesday, found that HTTPS adoption by the web's most-visited sites had grown by more than 7 percentage points, from 30.8 per cent, in the six months since October 2017. Helme's latest biannual web security sitrep threw up the surprising finding that a security technology Google decided to deprecate last October has risen, not shrunk, in popularity.

"The most surprising thing is probably the strong growth in HPKP [HTTP public key pinning], a technology being abandoned by many and soon Google Chrome too," Helme told El Reg.

Google said it was abandoning HPKP, a next-generation web crypto technology it initially championed, back in October, as previously reported. Experts including Helme and Ivan Ristic have criticised the technology as being both tricky to apply and potentially calamitous, if incorrectly set up. Fast forward four months and Helme has found that larger sites are less likely to use HPKP, the reverse of the trend for every other metric.
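The "calamitous if incorrectly set up" failure mode is concrete: a Public-Key-Pins header that pins only keys in the currently served chain, with no backup pin, locks pinned browsers out the moment the key or CA changes, for the full max-age. The following is an added example, not code from the article or from Helme's scanner, that checks a header value against the SPKI pins of the chain a server serves, applying the rules RFC 7469 sets out (pins are base64 SHA-256 digests of the SubjectPublicKeyInfo; at least one pin must match the chain and at least one backup pin must not). The SPKI byte strings and header values are constructed placeholders, not real keys.

```python
import base64
import hashlib
import re

# Added example (not from the article): offline validation of an HTTP
# Public-Key-Pins header against the SPKI pins a server's chain actually
# carries, following RFC 7469. The SPKI bytes below are constructed
# placeholders standing in for DER-encoded SubjectPublicKeyInfo structures.

PIN_RE = re.compile(r'pin-sha256="([^"]*)"', re.IGNORECASE)


def spki_pin(spki_der: bytes) -> str:
    """Base64(SHA-256(SubjectPublicKeyInfo)): the value an HPKP pin carries."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_hpkp(header: str) -> tuple[list[str], dict[str, str]]:
    """Split a Public-Key-Pins header value into its pins and other directives."""
    pins: list[str] = []
    directives: dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        m = PIN_RE.fullmatch(part)
        if m:
            pins.append(m.group(1))
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return pins, directives


def check_hpkp(header: str, chain_pins: set[str]) -> list[str]:
    """Return a list of findings; an empty list means the header is well formed
    and satisfies the one-pin-in-chain, one-backup-outside-it rule."""
    findings: list[str] = []
    pins, directives = parse_hpkp(header)

    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("max-age missing or not a non-negative integer")

    well_formed: list[str] = []
    for pin in pins:
        try:
            digest = base64.b64decode(pin, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            digest = b""
        if len(digest) != 32:
            findings.append(f"pin is not a base64 SHA-256 digest: {pin!r}")
        else:
            well_formed.append(pin)

    in_chain = [p for p in well_formed if p in chain_pins]
    backups = [p for p in well_formed if p not in chain_pins]
    if len(well_formed) < 2:
        findings.append("fewer than two well-formed pins; RFC 7469 requires a backup pin")
    if not in_chain:
        findings.append("no pin matches the served chain; browsers ignore the header "
                        "and clients that already pinned would refuse to connect")
    elif not backups:
        findings.append("no backup pin outside the served chain; a key or CA change "
                        "would lock pinned clients out until max-age expires")
    return findings


# Constructed sample data: a leaf key, its intermediate, and an offline backup key.
LEAF_SPKI = b"constructed SPKI: leaf key"
INTERMEDIATE_SPKI = b"constructed SPKI: intermediate CA key"
BACKUP_SPKI = b"constructed SPKI: offline backup key"
SERVED_CHAIN_PINS = {spki_pin(LEAF_SPKI), spki_pin(INTERMEDIATE_SPKI)}

GOOD_HEADER = (f'pin-sha256="{spki_pin(LEAF_SPKI)}"; '
               f'pin-sha256="{spki_pin(BACKUP_SPKI)}"; max-age=5184000; includeSubDomains')
NO_BACKUP_HEADER = (f'pin-sha256="{spki_pin(LEAF_SPKI)}"; '
                    f'pin-sha256="{spki_pin(INTERMEDIATE_SPKI)}"; max-age=5184000')
ORPHAN_HEADER = f'pin-sha256="{spki_pin(BACKUP_SPKI)}"; max-age=5184000'
MALFORMED_HEADER = 'pin-sha256="not-base64!!"; max-age=sixty'

if __name__ == "__main__":
    for name, header in [("good", GOOD_HEADER), ("no-backup", NO_BACKUP_HEADER),
                         ("orphan", ORPHAN_HEADER), ("malformed", MALFORMED_HEADER)]:
        print(name, check_hpkp(header, SERVED_CHAIN_PINS) or ["ok"])
```

In practice the chain pins would come from the certificates the server presents (hash the DER SubjectPublicKeyInfo of each one), and the backup pin from a key kept offline; the check is the same either way, and the no-backup case is the one that turns a routine key rotation into an outage.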

Paul Moore, another infosec expert with a keen interest in web security, praised Helme's latest study. "My only comment would be the lack of a deep/context aware scan... meaning sites which don't use headers [at landing page] may use them elsewhere, as and when they feel necessary... something the scan wouldn't and couldn't reveal."

Web security sitrep [source: Scott Helme]

Helme concluded: "Whilst the rate of adoption for HTTPS has slowed, we're still seeing good growth in the numbers. All metrics are seeing positive growth and our push towards an encrypted web is still making great progress."

Certificate authority Let's Encrypt has continued to grow its presence in the top 1 million sites on the web. By contrast there's almost no growth in the use of EV (extended validation) certificates, according to Helme.

The payment industry is due to pull support for TLSv1.0 from its PCI DSS credit card processing standard from June onwards. Scans run by Helme show that the vast majority of the web's most-visited locales have already prepared for this change by switching to more robust protocols, such as TLSv1.2. ®
