In addition to things like Let's Encrypt, in more enterprise-y settings, I would also give credit to the slowly dying belief that SSL/TLS is too taxing on servers, and the ability to outsource your SSL/TLS termination to an extremely cheap cloud load balancer as well.
Yes, all this. Although it drives me nuts that people consider SSL to be a deterrent to load times when the average page is as bloated as it is...
But yeah, LetsEncrypt made SSL free, and for us, AWS's free auto-renewing certificates were the thing that made it easy to not have to worry about certificates anymore and to use them gratuitously.
Edit: looking forward to all the Dreamhosts of the world making LetsEncrypt-based SSL standard on even their cheapest plans.
AWS is what I use personally, and their certificate service is a breeze to use. Couple that with the ability to attach the certificate directly to the load balancer (one of the best features of the LB, in my mind), or to a Cloudfront distribution, and it's amazingly simple to have everything running with SSL.
We should also give credit to HTTP/2 (available only through HTTPS). People want the performance increase of HTTP/2 so they are forced to deploy HTTPS.
I really doubt that - support for HTTP/2 is generally still in its infancy, and web servers supporting it haven't made it into LTS releases of most distros yet.
In a talk from Daniel Stenberg earlier this year, he said that over 60% of clients already support HTTP/2.
So there is a real incentive to start supporting it, as it is nearly always faster and costs fewer connections for the server.
I installed an HTTP/2 indicator extension for my browser and I am very surprised to see how many sites are already using HTTP/2. It's easily close to a third of the sites I use frequently.
It's not only available through HTTPS.
Browsers only allow HTTP/2 over TLS; that's something different.
There is an insecure HTTP/2 version; it's just that no browser implements it.
If you're outsourcing your TLS termination to the same people who are running your servers, you've barely made it easier for them to MITM your users. They could easily grab the private key off your server and do it anyway.
That's a big if. I was thinking about services like Cloudflare that terminate SSL close to the user, then tunnel the traffic to your servers. It cuts down on handshake latency and allows for secure distribution of cacheable content easily, but in return you are essentially handing your plaintext over to Cloudflare.
Mid-2015, the US White House Office of Management and Budget released memorandum M-15-13, stating that "Agencies must make all existing websites and services accessible through a secure connection (HTTPS-only, with HSTS) by December 31, 2016." Their reasoning is outlined in the memo; see https://https.cio.gov/
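Checking a site against the "HTTPS-only, with HSTS" wording quoted in the comment above can be automated. The following is an added example written for this thread, not code from the memo, from https.cio.gov or from any commenter. It parses the Strict-Transport-Security header as RFC 6797 defines it and evaluates a pair of constructed responses (one over plaintext, one over TLS). Two details are this example's own assumptions, since the quoted memo text sets neither: the plaintext request must answer with a permanent redirect (301 or 308) to an https:// URL, and max-age should be at least one year.

```python
"""Check a site's responses against the "HTTPS-only, with HSTS" requirement
quoted from OMB memorandum M-15-13.

Added example for this thread, not from the memo or from any commenter.
Assumptions made here: a plaintext request must answer with a permanent
redirect (301 or 308) to an https:// URL, and the HSTS max-age should be
at least one year; the memo text quoted above sets neither detail.
"""

from typing import Dict, List, Optional

MIN_MAX_AGE = 31536000  # one year in seconds (assumed threshold, see above)


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup, as HTTP header names are."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security header value (RFC 6797, section 6.1).

    Directives are ';'-separated, names are case-insensitive, values may be
    quoted, max-age is mandatory, and a directive may not appear twice.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in seen:
            raise ValueError(f"duplicate directive {name!r}")
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            policy["max_age"] = int(val)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # unknown directives are ignored, as RFC 6797 requires of clients
    if policy["max_age"] is None:
        raise ValueError("missing required max-age directive")
    return policy


def evaluate_site(http_status: int, http_headers: Dict[str, str],
                  https_headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the site passes."""
    findings: List[str] = []

    location = _header(http_headers, "Location") or ""
    if http_status not in (301, 308) or not location.lower().startswith("https://"):
        findings.append("plaintext request is not permanently redirected to https")
    if _header(http_headers, "Strict-Transport-Security") is not None:
        # RFC 6797 section 8.1: a UA must ignore HSTS received over plaintext
        findings.append("HSTS header sent over plaintext is ignored by browsers")

    hsts = _header(https_headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header on the https response")
        return findings
    try:
        policy = parse_hsts(hsts)
    except ValueError as exc:
        findings.append(f"malformed Strict-Transport-Security header: {exc}")
        return findings
    if policy["max_age"] < MIN_MAX_AGE:
        findings.append(f"HSTS max-age {policy['max_age']} is below {MIN_MAX_AGE}")
    if not policy["include_subdomains"]:
        findings.append("HSTS policy does not cover subdomains (includeSubDomains missing)")
    return findings


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real site.
    good = evaluate_site(301, {"Location": "https://example.gov/"},
                         {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"})
    bad = evaluate_site(200, {"Strict-Transport-Security": "max-age=300"}, {})
    print("good:", good)
    print("bad:", bad)
```

The plaintext-side check matters because an HSTS header that is only sent over http is silently discarded by browsers, so a site can look configured while offering no protection at all.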
Enabling https on my sites with LE also enabled me to realize how messed up my apache2 configuration files were. certbot-auto did not even know what to do. I had to fix stuff for 2 hours, playing with virtualhosts and other things I did not understand.
But since it is all clean now, I just enabled https on a new blog and certbot-auto handled the whole process happily.
2 things pushed me to do all this work:
SEO: Google announced https sites would rank higher
Security: I don't want my blog passwords to travel unencrypted anymore.
I bet Apple transitioning to https-only has played a huge role in this. Even as an iOS developer I think this move was too drastic when there are so many http-based websites out there. Nowadays when you build an app and even try to display a non-https image, it doesn't render at all (unless you go through the trouble of customizing the security settings in the bundle, and even this is going to go away soon as far as I know).
There will always be "so many http-based websites out there", as long as there's no forcing function. I look forward to the point where browsers start flagging any use of http as insecure; there's a gradual transition in that direction. It won't take too long after that point for http to disappear completely, with some lingering use in specialized or un-upgradeable devices for a while.
I think we're still missing one more ecosystem component to make such a transition successfully, though: free wildcard certificates through Let's Encrypt.
Based on numbers alone, I'd say LE itself could entirely have caused this increase in adoption - but I assume I'd have to look at the certificate stats myself to confirm this. (Obviously, most of the "top sites" are not going to be using LE certificates - but 1 million websites is a lot of websites.)
It's clearly not just Let's Encrypt doing this, though I think Let's Encrypt is contributing a lot in terms of both issuance and changing expectations.
Let's Encrypt is up to almost 4.5M active certificates now, and I haven't checked recently but those certs probably cover 8.5-9M FQDNs.
Now if only web services and programs would update their backends so we have better SNI support.
Only 6 months ago Bingbot didn't index sites using SNI. It's unrealistic that every site goes https and has a dedicated IP address.
If anyone is interested in apps and services that fail with SNI, I have a list. Maybe someone knows more of them. Good to know before you start using SNI.
please make that list public, I think it'd be very helpful to track them down. thanks. (maybe a wiki or a github repo where people can make pull requests)
Letsencrypt has made it a lot easier to create and use certs. But when wanting to counteract the SSL overhead with the use of HTTP/2, it gets a lot harder. Getting HTTP/2 running is still hard on Ubuntu 14.04, the predominant OS version out there in the cloud. Recent Nginx versions support HTTP/2, but OpenSSL on 14.04 is missing some negotiation magic called ALPN.
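The "negotiation magic" the comment refers to is ALPN (RFC 7301), the TLS extension a browser uses to ask for h2 during the handshake; OpenSSL gained it in 1.0.2, and Ubuntu 14.04 shipped 1.0.1f. The same handshake carries SNI, the extension the earlier SNI comments are about, which is what lets one IP address serve certificates for many names. The block below is an added example for this thread, not code from nginx, OpenSSL or any commenter. It reports whether the local Python/OpenSSL stack can do ALPN and SNI at all, gates on the 1.0.2 version boundary, and builds the verifying client context a probe would use; the probe function performs a real handshake and so only runs when a hostname is passed on the command line.

```python
"""Check whether the local TLS stack can negotiate HTTP/2, and build the
client context for an SNI+ALPN probe of a server.

Added example for this thread, not from nginx, OpenSSL or any commenter.
The version gate (OpenSSL 1.0.2 or newer) is the ALPN requirement the
comment refers to; any hostname passed on the command line is the user's own.
"""

import socket
import ssl
import sys
from typing import Optional, Tuple

# ALPN (RFC 7301) was added in OpenSSL 1.0.2. Ubuntu 14.04 shipped 1.0.1f,
# whose version tuple in Python is (1, 0, 1, 6, 15).
ALPN_MIN_OPENSSL = (1, 0, 2)


def openssl_supports_alpn(version_info: Tuple[int, ...]) -> bool:
    """True when an OpenSSL version tuple (major, minor, fix, ...) is >= 1.0.2."""
    return tuple(version_info[:3]) >= ALPN_MIN_OPENSSL


def local_stack_report() -> dict:
    """Summarise what the interpreter's OpenSSL can do for h2 and SNI."""
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "version_ok": openssl_supports_alpn(ssl.OPENSSL_VERSION_INFO),
        "has_alpn": ssl.HAS_ALPN,  # False is exactly the 14.04 symptom
        "has_sni": ssl.HAS_SNI,
    }


def h2_client_context() -> ssl.SSLContext:
    """A verifying client context that offers h2 first, then http/1.1."""
    if not ssl.HAS_ALPN:
        raise RuntimeError("this OpenSSL build cannot negotiate ALPN, so no h2")
    ctx = ssl.create_default_context()  # verifies certificate chain and hostname
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    return ctx


def probe(host: str, port: int = 443, timeout: float = 5.0) -> Tuple[Optional[str], str]:
    """Handshake with host and return (selected ALPN protocol, TLS version).

    server_hostname sets SNI, so a host sharing its IP address with other
    sites can present the right certificate. This opens a real connection
    and is therefore not exercised offline.
    """
    ctx = h2_client_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.selected_alpn_protocol(), tls.version()


if __name__ == "__main__":
    print(local_stack_report())
    if len(sys.argv) > 1:
        # Hostname supplied by the user; nothing is contacted otherwise.
        proto, version = probe(sys.argv[1])
        print(f"ALPN selected: {proto or 'none'} over {version}")
```

A `None` from `selected_alpn_protocol()` means the server accepted neither h2 nor http/1.1 via ALPN, which is what a client sees against a server whose OpenSSL predates 1.0.2: the TLS handshake still succeeds, but the browser falls back to HTTP/1.1 and the HTTP/2 benefit the comment wanted never materialises.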
The nice thing about CDNs is that if the CDN is good, it will load the assets closest to your visitor, which is nice when normally these are 250ms+ latency :)
It is nice, but the main selling point of HTTP/2 is that latency has much less influence on complete loading times. Lower latency does help, but HTTP/2 really shines on higher latencies.
Google has been very clear that going secure will improve SEO. Plus, there are browser features and mobile behaviors (deep linking w/ universal links) that can only be used over an encrypted connection.