HTTPS growth continues and changes in browser display
30 March 2020
The year 2018 was a turning point for the use of SSL, with HTTPS becoming the standard. This trend has continued - In October 2019 no less than 94% of all visited web pages in Chrome were loaded on all platforms via HTTPS. Next to positive, these developments also have unintended negative consequences that grow steadily. What else happened in 2019, and what do we expect for this year?
The SSL Market in numbers
Mobile HTTPS visits via Android stayed behind for quite some time. By now, the 71% from two years ago increased to the current 92% Android HTTPS visits. Furthermore the time visitors spend on HTTPS sites is almost 100%. This indicates that visitors have a general preference for HTTPS over HTTP.
The number of SSL certificates is steadily increasing: in March this year Built With detected 145,000,000 active SSL certificates on the entire internet. Let's Encrypt dominates as a publisher of DV certificates. In the area of EV SSL, Sectigo and DigiCert have the largest share with 78% together.
And what about the Netherlands? The total number of .nl websites using a valid SSL certificate has increased by almost 50% to more than 1.33 million in the past 19 months, according to SIDN. The number of new certificates from commercial CAs has increased by 29%. In addition to a strong increase in the number of DV certificates, we see that the number of OV certificates has also increased significantly, from 26,000 in March 2019 to 70,000 in March 2020.
The padlock is not necessarily safe and reliable
Of course most of us already knew, but research also confirms that the use of HTTPS in general is no longer a guarantee for a reliable website. Almost all phishing websites nowadays use HTTPS and therefore show a 'reliable' lock. For this, practically only DV certificates are being used and with 0.4% almost no EV certificates - these are very difficult to obtain because of the strict controls for issuance.
Visitors mistakenly believe that the lock implies a safe website, which is also caused by the information spread about it - many advisory bodies and organizations such as trade associations and financial institutions advise (or did so until recently) visitors to pay attention to the lock. One other thing that does not help either, is the fact that every browser uses a different view, and browsers constantly change the appearance of HTTPS
As a result, some parties call the lock misleading - after all, the lock in the browser does not mean that a website is reliable, which many visitors think, but only that the exchanged data is encrypted.
Partly because of this, Google has changed the color of the lock from green to gray in the past year, and they have also announced the plan to no longer show the lock at all by 2021 in the Chrome browser
Other changes in HTTPS display
From version 70 per October 2019, the frequently used browser Mozilla Firefox marks all web pages without an HTTPS connection as unsafe. The browser follows the example of Google Chrome, which has been warning about unsecured connections since 2018. Safari followed in March last year.
Another noticeable change in terms of browser display was Chrome no longer displaying the company name in the (green) address bar of EV certificates since last year. Chrome has been busy for some time pushing HTTPS as standard and simplifying the display of domain names. For example, they have recently stopped showing HTTP or HTTPS for the domain name, and the display of an EV SSL certificate is nowadays gray instead of green.
Since September and October last year respectively, Chrome and Firefox are no longer displaying the company name and country code with EV SSL directly in the url bar. The company name is now shown in the "Page Info" block, this is the pop-up that you will immediately see when you click on the lock next to the domain name in the url bar. And as expected, this change provokes much discussion.
A look ahead
Of course this remains an expectation, but based on our experience in the sector since 2002, we dare to make a conservative estimate.
- Despite the disappearance of the most noticeable visual indicator of EV SSL, the importance of EV certificates will not decrease. On the one hand because the organization is still visible, namely within one mouse click, on the other because of the rapidly-increasing misuse of less strictly controlled SSL certificates for phishing purposes.
- Due to increasing internet crime, the need for online monitoring will continue to grow, for example by using scanning tools that detect malware. As a result and as business driver, the CAs respond to this by offering smart products combined with SSL certificates.
- Google's proposal for a further limitation of the maximum period of validity of SSL certificates to 1 year was canceled last September, because a majority of the members of the CA / Browser Forum voted against this, which makes the change appear to have been canceled for the time being. But because there are also many proponents, there is a chance that the duration will still be limited this year. For example, the limit to 1 year as of November 1, 2019 has already been implemented for all PKIoverheid certificates, and Apple will also implement this for the Safari browser as of September 1, 2020.
- The use of HTTPS will increase even more, and more attention will be paid to the correct configuration. The GDPR was a big boost in Europe last year, and regulatory changes are continuing. At the end of last year, by publishing a draft decision, the Dutch government expressed the intention to make the use of HTTPS and HSTS compulsory for all publicly accessible government websites. There are no requirements for the type or validation level of the certificates, but the use of old TLS versions is limited. There is still room for improvement, which is demonstrated by the fact that despite the 94% measured by Google, a much smaller percentage actually has a secure website.
- The popularity of digital signatures is rapidly increasing due to the many advantages, European standardization and the growing number of applications. Digital signatures are also a safe and reliable solution for working from home to optimize the digital work process within an organization. At the end of last year, Xolphin launched the new Ensured label for digital PDF signing, using Adobe trusted digital signatures on secure hardware.