Computer security news is usually pretty dismal, from malware crippling the web to ransomware taking down hospitals. But the web is getting safer in an important way.
Today the average volume of encrypted internet traffic finally surpassed the average volume of unencrypted traffic, according to Mozilla, the company behind the popular Firefox web browser. That means when you visit a website, you're now more likely than not to see a little green lock right next to its address. That little lock indicates that the page you visited came to you via HTTPS, the web's secure protocol, rather than plain old HTTP. Mozilla's estimate represents a two-week running average, so the figure could still slide around over the next few days. But this milestone is still a big deal.
"The significance of this tipping point really can't be overstated," says Ross Schulman, co-director of the New America Foundation's cybersecurity initiative.
Not that you're free from prying eyes entirely: HTTPS doesn't hide the fact that you're visiting a particular website. But it does mean everyone, including internet service providers and the government, will have a harder time seeing what information you're reading or posting to the web. And it can help ensure that when you visit a website, you're seeing what its authors intended. Without encryption, it's all too easy for, say, a repressive government or a malicious hacker to replace Wikipedia entries or other webpages with their own content, or to trick you into downloading malware.
"Billions of users will start to regularly experience a web that is more encrypted than not," says Josh Aas, the co-founder of Let's Encrypt, an organization that's helping millions of sites add HTTPS for free. "Expectations for security will continue to rise, and as a result we expect to see sites move to HTTPS even faster than they have been."
Web encryption has been around for years. The original HTTPS protocol was released in 1995. Dubbed Secure Sockets Layer, or SSL for short, it enabled companies to handle credit card transactions online by protecting your payment details and helping to prove that the merchants you visited were who they said they were. But it's taken years for SSL's successor, Transport Layer Security (TLS), to become widely used outside of credit card payments.
In part, that's because for many years most website owners didn't see the benefit of encrypting everything. But as the ease of stealing unencrypted passwords and delivering altered websites became apparent, wider use of encryption became a priority.
Over the years big sites like Facebook, Google, Wikipedia, the New York Times, and, yes, WIRED, have switched to HTTPS. Google even announced in late 2015 that its search engine would favor sites that use HTTPS over those that don't.
The problem was that it was still fairly hard for smaller sites to use HTTPS. TLS certificates cost money and required more technical know-how to install. But that's starting to change. Let's Encrypt takes care of the financial part by making all certificates free, thanks to corporate and nonprofit donations. Thanks to Let's Encrypt, web hosting services like WordPress.com and Squarespace started offering HTTPS to all of their users for free without demanding much technical expertise from them. Cloud companies like Amazon and CloudFlare also launched free encryption certificate programs for their users, contributing to the snowballing number of sites that led to today's milestone.
"After taking 20 years to get to 40 percent encrypted page loads, it's incredible that the web jumped to 50 percent in just one year," Aas says.
Some web hosts still charge for HTTPS, but Aas argues the dangers of an unencrypted internet create a moral imperative to drop the fees. "We're past the point where treating HTTPS as an add-on is acceptable."
Even then, HTTPS has some serious limitations. In 2014, security researchers discovered a major vulnerability in the software that actually makes HTTPS work. The flaw, known as Heartbleed, dealt a major blow to the world's confidence in the protocol. Almost three years later, 200,000 servers remain vulnerable to Heartbleed, a recent study by Internet of Things search engine Shodan found.