We often hear the complaint here that nobody cares / cared about Snowden's revelations. But to me it seems he did provide a lot of the impetus for having HTTPS virtually everywhere and a lot of the instant messenging apps being end-to-end encrypted. Most of WhatsApp's users are as non-technical as it gets, and yet they use the kind of encryption that only computer enthusiasts were interested in just a couple years ago. It's a great development (all the limitations and caveats notwithstanding) IMO.
I don't know why so many people here are patting themselves on the back over this. This is not the kind of encryption people were talking about in the 90s and 00s. A lot of this encryption is not point-to-point. It merely secures user's interaction with some middleman (or their server). What would the numbers be if you subtracted all the traffic that can be snooped on by Google, Amazon and Cloudflare?
Good news for sure, but note that this isn't a total Internet scan:<p>> We collect data from the browsers of site visitors to our exclusive on-demand network of analytics and social bookmarking products.<p>More details about their samples: <a href="https://netmarketshare.com/methodology" rel="nofollow">https://netmarketshare.com/methodology</a><p>I would be more inclined to trust sources like <a href="https://transparencyreport.google.com/https/overview" rel="nofollow">https://transparencyreport.google.com/https/overview</a> and Firefox Telemetry which come directly from the browsers. But even these do not count data from mobile apps (most of which have to be encrypted now I think), embedded applications, scripts, and APIs.
Also likely because in the past the internet was really diverse. One would visit 20 sites possibly during one session.<p>Today, the landscape looks more like: You visit Google, click some links that open in AMP (still Google), visit some social networks (primarily Twitter and FB-owned properties). These companies already operate TLS-only, which helps these numbers.
That's good. One structural issue with the internet down, many more to go. There is essentially no guarantee that cloud providers don't snoop through memory and steal your keys and sift through your data, for instance. There are just some big companies that we implicitly trust. Whenever the endpoint for encryption /decryption is under the control of a 3rd party, any guarantee of data safety isn't real. We have devices that constantly go out looking for new code to run, with proprietary blobs in firmware, which means they're 3rd party controllable. Control of the internet is in the hands of organizations that can't be held accountable for abuse of power over individuals.<p>I guess I'm just saying I don't have faith that a system (I'm talking about the intersection of technology, government, and business here) which puts so little power in the hands of individuals will do an adequate job of serving their interests in the long term.
We do need HTTP because sometimes public WiFi networks need you to agree to terms before any requests stop being redirected. I recently found <a href="http://neverssl.com" rel="nofollow">http://neverssl.com</a><p>That being said those public WiFi’s shouldn’t be redirecting sites in the first place because for HTTPs sites browsers don’t even let you see the page.
While this milestone is wonderful, don't forget that it can't be decrypted <i>for now</i>. IMO we trust contemporary encryption algorithms too much, putting too much data through the wires that will only increase in value. We aren't at the end of the evolution either: we still don't have really secure random generators everywhere, we are still using key exchange methods that aren't quantum proof. And of course, computer programs (as well as hardware) still have security bugs.
This doesn't mean 90% of all websites. This simply means 90% of web traffic which I'm assuming a good chunk of it comes from a few handful of services such as Netflix and YouTube
No, it didn't. NetMarketShare has a very limited view into these things. Actual data from browser makers<p>Firefox - 80%
<a href="https://letsencrypt.org/stats/" rel="nofollow">https://letsencrypt.org/stats/</a><p>Google -- 88% on Android; 84% on Windows; 91% on Mac; 73% on Linux
<a href="https://transparencyreport.google.com/https/overview?hl=en" rel="nofollow">https://transparencyreport.google.com/https/overview?hl=en</a>
I actually just set up SSL on my EC2 instance after reading this comment section. It was stupid easy, and I can't believe I didn't do it before
Nice. Remember the days when IT professionals would exclaim that this was a bad idea?<p>Seems like it's cyclical thing. DNS over HTTPS is now the big bad technology.
The 50-50 point appears to have only been June 2017, so the cutover rate is really quite rapid. I wonder how quickly we'll see 95%, 99%, and how long the long tail will be.<p><a href="https://netmarketshare.com/report.aspx?options=%7B%22filter%22%3A%7B%7D%2C%22dateLabel%22%3A%22Custom%22%2C%22attributes%22%3A%22share%22%2C%22group%22%3A%22secure%22%2C%22sort%22%3A%7B%22share%22%3A-1%7D%2C%22id%22%3A%22https%22%2C%22dateInterval%22%3A%22Monthly%22%2C%22dateStart%22%3A%222017-05%22%2C%22dateEnd%22%3A%222017-06%22%2C%22hiddenSeries%22%3A%7B%7D%2C%22segments%22%3A%22-1000%22%7D" rel="nofollow">https://netmarketshare.com/report.aspx?options=%7B%22filter%...</a>
One thing we recently started looking at is outbound traffic, i.e. links that people click within our website/app. We're going to publish some results (and joint forces) soon, but I wanted to share here because I feel outbound links are something usually ignored. Yet they can contribute to a significant part of the total Internet traffic.<p>So, upgrading outbound links from http to https (where possible) can be another way to contribute to achieving 100% of the web traffic encrypted.
Excellent progress and a great credit to LetsEncrypt and others that brought free cents to the masses. There’s almost no excuse to not encrypt anymore. The “not secure” shaming of non https sites by major browsers also applied some needed peer pressure.
I’m sorry, but there’s a lot of smart people here. Why is everyone assuming HTTPS means no one is snooping? I presume someone is snooping no matter what.
I know this is good and all, but it does bum me out that Netscape 4.8 works much worse than it did even a few years ago. I prefer it to iCab, which might fair slightly better. Any suggestions for Mac OS 7.6 web browsers that support the minimum encryption required these days?
This is good to keep out moderate bad guys from your data. But the not so much for the NSA. The NSA already captures traffic end to end including the key negotiation and can break the rest <a href="https://arstechnica.com/information-technology/2015/10/how-the-nsa-can-break-trillions-of-encrypted-web-and-vpn-connections/" rel="nofollow">https://arstechnica.com/information-technology/2015/10/how-t...</a>
This statement would be more meaningful had it been phrased something like this: "encrypted web traffic, which most adversaries cannot snoop on, exceeds 90%".<p>There will always be an adversary, far powerful than you, with an ability to snoop on your traffic - be it your ISP, the other endpoint, or owners of the infrastructure that you consume, but do not control.