Increase of HTTPS in 2017 also expected in 2018
2017 was an eventful year for the field of SSL and online security. Some developments will also have a significant impact in the coming year. 2018 promises to be an exciting and dynamic year. Let’s take a look at what happened and what will come.
Stimulation of HTTPS
A common thread in 2017 was the stimulation of HTTPS use by browsers and governments, and the issuing of free certificates in integrated solutions such as cPanel. Google monitors HTTPS use among the top sites worldwide. In the Netherlands, Pulse regularly publishes on developments in and use of HTTPS in the public sector. In addition to monitoring, browsers such as Google Chrome and Mozilla Firefox have tightened their browser warnings several times. At this moment, a 'Not Secure' warning is actively shown on all unsecured web pages that contain entry fields.
What are the results?
In February last year, for the first time, browsers measured that more than half of all web pages were loaded via HTTPS. By the end of 2017, this had risen to 66% of all pageloads via Firefox and 69% of the pageloads via Chrome. At the start of January 2018, Qualys measured a share of almost 65% secured websites, whereas 12 months earlier, 51% of all websites were secure. All countries and platforms show a constant increase, without exception.
At Xolphin we see an increase in the demand for DV certificates, while the sales of OV certificates have remained virtually unchanged. Strikingly, we see an increase of approximately 48% in the issuance of EV certificates in 2017 compared to 2016.
The discussion between Google and Symantec, and the acquisition of the Symantec SSL division by DigiCert, are well-known topics. Since December 2017, DigiCert has been issuing Symantec, GeoTrust and Thawte certificates. In 2018, they will focus on reissuing all certificates issued before December 1, 2017. In October 2017, a large investor purchased a majority share in Comodo's certificate branch.
Many techniques and initiatives have added extra control and security to HTTPS usage. Not all techniques have proven to be equally useful in practice. For example, Google has announced that they will stop supporting Public Key Pinning by the end of March 2018, because there are now better alternatives, such as using Certificate Transparency in combination with CAA records. Since September 2017, all CAs have been obliged to check CAA records. The use of Certificate Transparency was to become mandatory for Domain and Organization Validation certificates by October 2017, but this deadline has been postponed to April 2018.
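The CAA check that CAs are obliged to perform, as an added example (not code from Xolphin or any CA): a simplified Python evaluation that follows the CAA lookup rules of RFC 8659, where the closest ancestor with CAA records decides. The zone data, the CA identifiers and the names `ZONE`, `relevant_rrset`, `issuer_of` and `may_issue` are constructed for illustration; real DNS queries and CNAME handling are left out.

```python
# Added example: simplified CAA evaluation over constructed data (no real DNS, no CNAMEs).
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed zone data: name -> list of (flags, tag, value) CAA records.
ZONE = {
    "example.com": [(0, "issue", "ca-one.example"),
                    (0, "iodef", "mailto:security@example.com")],
    "shop.example.com": [(0, "issue", "ca-two.example; account=1234"),
                         (0, "issuewild", ";")],
    "locked.example.com": [(0, "issue", ";")],
    "odd.example.com": [(128, "futuretag", "x")],
}

def relevant_rrset(fqdn, zone):
    """Climb from the name towards the root; the closest non-empty CAA set wins."""
    labels = fqdn.lower().rstrip(".").split(".")
    if labels[0] == "*":          # a wildcard request is looked up at its base name
        labels = labels[1:]
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return rrset
        labels = labels[1:]
    return []

def issuer_of(value):
    """Issuer domain is the part before any ';' parameters; ';' alone means nobody."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(ca, fqdn, zone=ZONE):
    """Return True if the CA identified by `ca` may issue for `fqdn`."""
    rrset = relevant_rrset(fqdn, zone)
    # An unrecognized property with the critical bit (128) set blocks issuance.
    if any(flags & 128 and tag.lower() not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    issue = [issuer_of(v) for _, t, v in rrset if t.lower() == "issue"]
    wild = [issuer_of(v) for _, t, v in rrset if t.lower() == "issuewild"]
    # issuewild, when present, replaces issue for wildcard requests only.
    allowed = wild if fqdn.startswith("*.") and wild else issue
    if not allowed:               # no records, or none that restrict issuance
        return True
    return ca.lower() in allowed

if __name__ == "__main__":
    for ca, name in [("ca-one.example", "www.example.com"),
                     ("ca-one.example", "api.shop.example.com"),
                     ("ca-two.example", "*.shop.example.com")]:
        print(f"{ca:15} {name:22} -> {may_issue(ca, name)}")
```

A domain owner can use the same logic to confirm that a record set permits only the intended CA before publishing it.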
The CA/Browser Forum has adopted a proposal to further limit the duration of SSL certificates. As of March 1, 2018, all SSL certificates may have a maximum term of 825 days (2 years).
HSTS (HTTP Strict Transport Security) is increasingly used to make HTTPS the default, so that the use of a secure connection is enforced. At the beginning of January, more than 15% of the SSL secured websites used HSTS. The use of Perfect Forward Secrecy has also increased from 29.6% to 37% in the past year. Use of the HTTP/2 protocol is gradually increasing, from 12% to more than 22% in 2017. To use HTTP/2, most browsers require HTTPS, in order to encourage usage of SSL.
What will happen in 2018?
From May onwards, the new European privacy law (GDPR) will be in effect, under which unsafe data management will be monitored and penalized more severely. Partly because of this, it is expected that the use of HTTPS will grow even more and the use of secure connections will become the standard.