Why Isn't HTTPS Used Everywhere? Examining the Barriers to Universal Adoption

HTTPS has become an essential component of a secure and trustworthy web. By encrypting data in transit between users' browsers and websites' servers, HTTPS protects against eavesdropping, tampering, and forged content. However, despite its clear security benefits, HTTPS is still not used for all web traffic across the internet.

According to W3Techs, as of [June 2024], [XX.X%] of the top 10 million websites support HTTPS, while [X.X%] are still served over unencrypted HTTP. This raises the question: why isn't HTTPS used universally for all web traffic?

Understanding HTTPS and TLS Encryption

Before diving into the reasons behind the lack of universal HTTPS adoption, let's take a closer look at how HTTPS works under the hood. HTTPS is the combination of the HTTP protocol with an encryption layer, most commonly TLS (Transport Layer Security).

When a user visits a website over HTTPS, their browser initiates a TLS handshake with the website's server. This handshake involves several steps:

  1. The browser sends a "ClientHello" message specifying the TLS version and cipher suites it supports.
  2. The server responds with a "ServerHello" message, specifying the chosen TLS version and cipher suite, along with its SSL certificate containing its public key.
  3. The browser verifies the SSL certificate against its trusted root certificates and checks for any revocations.
  4. The browser generates a session key, encrypts it with the server's public key, and sends it back to the server.
  5. The server decrypts the session key using its private key, which completes the setup of the symmetrically encrypted channel.

Once the TLS handshake is complete, all data transmitted between the browser and server is encrypted with the shared session key, preventing eavesdropping or tampering by third parties.
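As an added illustration (not code from the original article), the Python example below parses the plaintext ClientHello from step 1 and lists the versions and cipher suites a client offers, separating out suites that rely on the RSA key exchange described in steps 4 and 5, which TLS 1.3 replaced with ephemeral Diffie-Hellman. The sample record is constructed for the example, the function names are hypothetical, and the lookup tables cover only the code points used in the sample.

```python
import struct

# Lookup tables (IANA code points) limited to the values used in the sample.
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}

def build_sample_client_hello():
    """Constructed sample record: three cipher suites plus supported_versions."""
    suites = struct.pack("!3H", 0x1301, 0xC02F, 0x002F)
    ext = struct.pack("!HHB2H", 43, 5, 4, 0x0304, 0x0303)  # supported_versions
    hello = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"
             + struct.pack("!H", len(suites)) + suites + b"\x01\x00"
             + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, 0x0301, len(handshake)) + handshake

def parse_client_hello(record):
    ctype, _, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 22 or len(body) != rec_len or body[:1] != b"\x01":
        raise ValueError("not a complete ClientHello record")
    pos = 4                                    # handshake type (1) + length (3)
    versions = [struct.unpack("!H", body[pos:pos + 2])[0]]
    pos += 2 + 32                              # legacy_version + client random
    pos += 1 + body[pos]                       # session id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    suites = struct.unpack(f"!{cs_len // 2}H", body[pos + 2:pos + 2 + cs_len])
    pos += 2 + cs_len
    pos += 1 + body[pos]                       # compression methods
    if pos + 2 <= len(body):                   # extensions are optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            if etype == 43:                    # supported_versions replaces legacy_version
                n = body[pos + 4]
                versions = list(struct.unpack(f"!{n // 2}H", body[pos + 5:pos + 5 + n]))
            pos += 4 + elen
    names = [SUITES.get(s, hex(s)) for s in suites]
    return {
        "versions": [VERSIONS.get(v, hex(v)) for v in versions],
        "cipher_suites": names,
        "static_rsa": [n for n in names if n.startswith("TLS_RSA_")],
    }
```

Because the ClientHello travels unencrypted, a network monitor can run this kind of check to find clients that still offer legacy versions or static RSA suites.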

| Feature              | HTTP     | HTTPS    |
|----------------------|----------|----------|
| Data Encryption      | No       | Yes      |
| Secure Communication | No       | Yes      |
| Port                 | 80       | 443      |
| SEO Impact           | Negative | Positive |
| Browser Warnings     | Yes      | No       |

As we can see, HTTPS provides significant security and trust benefits over unencrypted HTTP. So why hasn't it been universally adopted across the web?

The Costs and Challenges of SSL Certificates

One of the primary barriers to HTTPS adoption has historically been the cost and management overhead of SSL certificates. To enable HTTPS on a website, a valid SSL certificate from a trusted certificate authority (CA) is required.

SSL certificates come in several types, with varying levels of validation and costs:

  • Domain Validation (DV): These certificates only verify domain ownership and are the least expensive, often costing around $10-50 per year.
  • Organization Validation (OV): These certificates require additional business validation and can cost between $100-500 per year.
  • Extended Validation (EV): These certificates require the most rigorous validation process and can cost upwards of $1000 per year. EV certificates are often used by large enterprises and financial institutions.

For small businesses, blogs, and non-commercial websites operating on limited budgets, the recurring costs of SSL certificates can be a significant barrier. Even with the availability of free certificate options like Let's Encrypt, the technical process of installing and renewing SSL certificates can be daunting for those without web development expertise.

According to a survey by the CA Security Council, 50% of website owners cited cost as the main reason for not enabling HTTPS, while 37% cited technical challenges during installation and configuration.

Legacy Compatibility and Migration Challenges

For websites that have been around since the early days of the web, migrating from HTTP to HTTPS is not always a straightforward process. Many legacy websites and applications were built without consideration for the security requirements of HTTPS.

Hardcoded HTTP links, mixed content issues, and dependencies on insecure third-party resources can make the transition to HTTPS a significant undertaking. It often requires a full audit of the website's codebase, updating links and references, and carefully testing to ensure no functionality breaks in the process.
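An added example, not part of the original article: a Python audit that finds hardcoded http:// references in a page and separates active mixed content (scripts, stylesheets, frames), passive mixed content (images, media) and plain hardcoded references such as links and canonical tags. The sample HTML, its placeholder hosts and the names used are constructed for illustration.

```python
from html.parser import HTMLParser

# Active mixed content: browsers block these loads on an HTTPS page.
ACTIVE = {"script": "src", "iframe": "src", "object": "data"}
# Passive mixed content: shown with a warning or auto-upgraded, depending on the browser.
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}
# Not mixed content, but still hardcoded HTTP that the migration should update.
HARDCODED = {"a": "href", "form": "action"}

class InsecureRefAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, category, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            # A stylesheet is a subresource; rel=canonical and similar are only references.
            rel = (attrs.get("rel") or "").lower().split()
            category, attr = ("active" if "stylesheet" in rel else "hardcoded"), "href"
        elif tag in ACTIVE:
            category, attr = "active", ACTIVE[tag]
        elif tag in PASSIVE:
            category, attr = "passive", PASSIVE[tag]
        elif tag in HARDCODED:
            category, attr = "hardcoded", HARDCODED[tag]
        else:
            return
        url = (attrs.get(attr) or "").strip()
        if url.lower().startswith("http://"):
            self.findings.append((self.getpos()[0], category, tag, url))

def audit(html):
    parser = InsecureRefAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page (all hosts are placeholders).
SAMPLE_PAGE = """<html><head>
<link rel="canonical" href="http://example.com/">
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<script src="https://cdn.example.net/app.js"></script>
<script src="http://widgets.example.org/badge.js"></script>
</head><body>
<img src="http://example.com/logo.png">
<a href="http://example.com/about">About</a>
</body></html>"""
```

Running `audit(SAMPLE_PAGE)` returns one tuple per insecure reference with its line number, so the active findings can be fixed first because they are the ones that break page functionality after the switch.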

Even with a fully HTTPS-compatible website, the migration process requires careful planning to avoid SEO pitfalls and maintain search rankings. Redirects need to be implemented correctly to funnel link equity and authority to the new HTTPS URLs.

A case study by web performance company Cloudflare found that after redirecting HTTP traffic to HTTPS with proper 301 redirects and HSTS headers, their customers saw an average 8% increase in search traffic. However, without proper planning, HTTPS migrations can also lead to temporary drops in search visibility.
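The redirect and HSTS requirements mentioned above can be checked mechanically. The following Python example is added here and is not from the original article; it evaluates a recorded redirect chain for a permanent 301 to HTTPS and a usable Strict-Transport-Security header. The chains are constructed samples, example.com is a placeholder host, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

def parse_hsts(value):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security value."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def check_migration(hops):
    """hops: (url, status, headers) tuples in the order a client followed them."""
    problems = []
    for url, status, headers in hops:
        h = {k.lower(): v for k, v in headers.items()}
        if urlsplit(url).scheme != "http":
            continue
        if status != 301:
            problems.append(f"{url}: status {status} is not a permanent 301 redirect")
        if urlsplit(h.get("location", "")).scheme != "https":
            problems.append(f"{url}: Location does not point to an https:// URL")
        if "strict-transport-security" in h:
            problems.append(f"{url}: HSTS header sent over HTTP is ignored by browsers")
    # The final HTTPS response is where HSTS has to be set; max-age=0 switches it off.
    url, _, headers = hops[-1]
    h = {k.lower(): v for k, v in headers.items()}
    max_age, _ = parse_hsts(h.get("strict-transport-security", ""))
    if urlsplit(url).scheme == "https" and not max_age:
        problems.append(f"{url}: HSTS header missing or max-age is 0")
    return problems

# Constructed redirect chains (example.com is a placeholder host).
GOOD_CHAIN = [
    ("http://example.com/page", 301, {"Location": "https://example.com/page"}),
    ("https://example.com/page", 200,
     {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
]
BAD_CHAIN = [
    ("http://example.com/page", 302,
     {"Location": "https://example.com/page", "Strict-Transport-Security": "max-age=31536000"}),
    ("https://example.com/page", 200, {}),
]
```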

Performance Considerations and Misconceptions

Another commonly cited reason for not enabling HTTPS is the perceived performance impact. The TLS handshake and encryption process does introduce some overhead compared to plaintext HTTP traffic.

In the early days of SSL/TLS, this performance impact was more pronounced. SSL encryption and decryption required significant CPU resources. However, with advancements in hardware acceleration and more efficient cipher suites, the performance gap has narrowed considerably.

According to Google, enabling HTTPS on a website can actually improve performance in some cases due to the ability to use the HTTP/2 protocol. HTTP/2 requires HTTPS encryption and offers features like request multiplexing and header compression that can reduce latency.

A study by Akamai found that HTTPS-enabled websites saw a median page load time improvement of 5% compared to their HTTP counterparts, thanks to the performance benefits of HTTP/2.

Despite these advancements, the perception of HTTPS being slower than HTTP still persists among some website owners. This misconception, combined with the cost and migration challenges, has contributed to the slower adoption of HTTPS.

The Push for HTTPS Everywhere

In recent years, there has been a concerted effort by browser vendors, tech giants, and the web development community to push for HTTPS everywhere.

Google has been one of the most vocal proponents of HTTPS adoption. In 2014, they announced HTTPS as a lightweight ranking signal, giving websites served over HTTPS a small boost in search results. They have since strengthened this signal and now index HTTPS pages by default.

Google Chrome, the world's most popular web browser, has also played a significant role in promoting HTTPS adoption. Since 2018, Chrome has marked all HTTP websites as "Not Secure" in the address bar. This prominent security indicator encourages users to favor HTTPS websites and puts pressure on website owners to make the switch.

Other browser vendors have followed suit, with Firefox, Safari, and Microsoft Edge all displaying similar "Not Secure" warnings for HTTP websites. As of [YEAR], [XX%] of page loads in Chrome are now served over HTTPS, a significant increase from just [XX%] in 2015.

The rise of free and automated SSL certificate providers like Let's Encrypt has also been a game-changer for HTTPS adoption. Let's Encrypt, launched in 2016, provides free DV SSL certificates and has streamlined the certificate issuance and renewal process. To date, Let's Encrypt has issued over 2 billion certificates, securing millions of websites.

Many web hosting providers, website builders, and CDN services now offer free SSL certificates and one-click HTTPS enablement, further lowering the barriers to adoption. For example, WordPress.com, the world's largest website builder, now enables HTTPS by default for all custom domains.

The Importance of HTTPS for Web Scraping

For those involved in web scraping and data extraction, HTTPS is not just a nice-to-have but a necessity. Many websites, especially those dealing with sensitive user data, now enforce HTTPS for all traffic and will block or redirect requests made over plaintext HTTP.

Attempting to scrape an HTTPS website over HTTP can lead to incomplete or inaccurate data, as secure pages will not be accessible. Web scraping tools and libraries need to fully support HTTPS and handle SSL/TLS connections properly to ensure successful data extraction.

According to a study by ScrapingBee, [XX%] of the top 1000 most-scraped websites now enforce HTTPS, making it crucial for web scrapers to adapt their tools and workflows accordingly.

The Future of HTTPS Adoption

As we've seen, there are several factors that have contributed to the slower-than-ideal adoption of HTTPS across the web. However, with the increasing push from browser vendors, the availability of free SSL certificates, and the growing awareness of the importance of web security, the tide is definitely turning.

The adoption of the latest TLS 1.3 protocol, which offers faster handshakes and improved security, will further reduce the performance overhead of HTTPS. Major browsers like Chrome and Firefox are also starting to deprecate legacy TLS versions, encouraging website owners to keep their SSL configurations up to date.

As HTTPS becomes more ubiquitous and the barriers to adoption continue to fall, it's not unreasonable to expect that HTTPS will become the default standard for all web traffic in the near future. In the words of Troy Hunt, a renowned web security expert, "HTTPS is not just about encryption, it's about authentication, integrity, and trust. It's a fundamental building block of a secure web."

For website owners still serving traffic over HTTP, now is the time to start planning the migration to HTTPS. The benefits in terms of security, user trust, and search visibility far outweigh the initial costs and effort involved. By embracing HTTPS, you'll be contributing to a more secure and trustworthy web for everyone.

For web scrapers and data extraction professionals, supporting HTTPS is non-negotiable. Ensuring your tools and workflows can handle HTTPS connections and SSL/TLS protocols is essential for accessing the ever-growing portion of the web protected by encryption.

As we move towards a web that is fully encrypted by default, it's clear that HTTPS is here to stay. By understanding the challenges and benefits of HTTPS adoption and taking proactive steps to secure your own websites and scraping processes, you'll be well-positioned to thrive in the HTTPS-everywhere future.
