More than half (51.8 per cent) of the Alexa Top 1 Million sites are actively redirecting to HTTPS for the first time.
The milestone was crossed during another strong six months moving towards a fully encrypted web, according to the latest stats from security researcher Scott Helme, published on Friday.
Back in February, at the time of Helme's last data-driven web security sitrep, it looked as if the adoption of HTTPS might have slowed.
"[HTTPS] adoption has picked up again and we're continuing to see that sharp incline sustained," Helme said. "The growth shown here in this graph is unrivalled in any other security mechanism and if you think about the effort required to achieve this, how impressive it is becomes crystal clear."
"The use of PKP is down 18 per cent and the use of PKPRO is also down 5 per cent, so rather than continued growth like all other metrics, we're seeing sites drop the header now," Helme reported. "There are still far more sites lower down the ranking using HPKP, thanks almost exclusively to Tumblr, so the distribution is still the same, but the numbers are a lot less now."
Other security headers, by contrast, are growing in prevalence. There's been an "epic" 40 per cent increase in Content Security Policy (CSP) and a 23 per cent increase in HTTP Strict Transport Security (HSTS), driven by the increase in HTTPS usage, according to Helme.
Google Chrome users visiting unencrypted websites have been confronted with a warning since late July, a factor that will likely push even stronger adoption of HTTPS over the next six months. Helme and his frequent collaborator Troy Hunt created a site, whynohttps.com, that shamed high-profile sites that can load without crypto to coincide with the change in how Google Chrome worked.
The strong growth in HTTPS has been accompanied by an associated rise in the use of certificate authorities. One that seems to be helping the growth in adoption is Let's Encrypt, which is witnessing the sharpest increase in growth. "Its presence in the top 1 million has seen similar growth across the board, from the very top to the very bottom they've increased their presence," Helme said.
Let's Encrypt stats show 147 million active certificates issued, with an average of 930,000 more issued every day. Despite strong growth in HTTPS across the top 1 million sites, EVs (extended validation certificates) have not seen much of that growth at all.
"With such a massive flood of new sites coming to HTTPS and the proposed benefits of EV, I'd have thought we'd at least see a little more increase in the use of EV but we really haven't," Helme noted. He added that his data showed some sites that used to have EV certs have switched from them to either OV (organisation validated) or DV (domain validated) certs.
In his blog post, Helme noted that more secure ECDSA (elliptic curve digital sgnature algorithm) keys aren't grabbing much of the new HTTPS adoption – outdated RSA remains the top choice.
"Adoption is the first step, making improvements after that is a lot easier," Helme told El Reg. "The really good thing is that all of the metrics are improving." ®