EFFecting Digital Freedom

by Gennie Gebhart

We're Halfway to Encrypting the Entire Web

The movement to encrypt the web has reached a milestone.  Mozilla recently reported that the average volume of encrypted web traffic on Firefox now surpasses the average unencrypted volume.  Google Chrome's figures on HTTPS usage are consistent with that finding, showing that over 50 percent of all pages loaded are protected by HTTPS across different operating systems.

In other words, we're halfway there.

EFF and our members have been pushing for more widespread adoption of HTTPS since 2010.  The Firesheep extension had just been released, and it made painfully visible what had been scaring the security community for years: just how easy it was for any network eavesdropper to take over another user's session simply by sniffing packets and copying the victim's cookie.  Firesheep only worked so frighteningly well because it took advantage of websites that failed to offer encryption to their users, thus leaving them vulnerable to such trivially easy attacks.

The answer, of course, was HTTPS.

At first, we had to wait for tech giants and large content providers to lead the way in HTTPS implementation.  We applauded when Facebook and Twitter implemented HTTPS by default, and when Wikipedia, Reddit, and other popular sites later followed suit.  EFF's "Encrypt the Web" report played a big role in tracking and encouraging crypto best practices, and recently we have been encouraged to see other efforts like Secure the News and Pulse track HTTPS progress among news media sites and U.S. government sites respectively.

But the real HTTPS victories have come when smaller, independent websites start to make the shift.  This is where Let's Encrypt and Certbot have changed the game, making what was once an expensive, technically demanding process into an easy - and free - task for webmasters across a range of resource and skill levels.

Let's Encrypt is a Certificate Authority (CA) run by the Internet Security Research Group (ISRG) and founded by EFF, Mozilla, and the University of Michigan, with Cisco and Akamai as founding sponsors.  In our analysis, Let's Encrypt is the largest CA on the web.  Since this past October, Let's Encrypt has exploded from 12 million active certs to over 28 million.

Most of Let's Encrypt's growth has come from giving previously unencrypted sites their first-ever certificates, thus paving the way for a more encrypted web.  A large share of these leaps in HTTPS adoption is also thanks to major hosting companies and platforms - like WordPress, Squarespace, and dozens of others - integrating Let's Encrypt and providing HTTPS to their users and customers.

If you have shell access to your hosting provider, you can use EFF's Certbot tool to get a free SSL/TLS certificate from Let's Encrypt and automatically configure your Apache or NGINX server to use it.  Certbot will also work with any other CA that supports the Automatic Certificate Management Environment (ACME) protocol.  While there are many other clients that implement the ACME protocol to fetch certificates, Certbot is the most extensive client and can automatically configure your web server to start serving over HTTPS immediately.  For Apache, it can also optionally automate security tasks such as tuning cipher suites and enabling important security features such as HTTP-to-HTTPS redirects, Online Certificate Status Protocol (OCSP) stapling, HTTP Strict Transport Security (HSTS), and upgrade-insecure-requests.
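As an added illustration (this is not EFF's or Certbot's code), here is a small Python audit that takes a captured plain-HTTP response and a captured HTTPS response from the same site and checks three of the settings listed above: whether HTTP traffic is redirected to HTTPS, whether an HSTS header with a max-age of at least a year is present, and whether a Content-Security-Policy header carries upgrade-insecure-requests.  The sample responses, the example.com hostname, and the one-year HSTS threshold are all constructed assumptions for this example; OCSP stapling is negotiated inside the TLS handshake rather than in HTTP headers, so it cannot be checked this way.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample responses (not real captures): the same site before and
# after the HTTPS hardening a Certbot Apache run can apply.
HTTP_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>served in the clear</html>"
)
HTTP_AFTER = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://example.com/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
HTTPS_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>encrypted, but browsers may still try http:// first</html>"
)
HTTPS_AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Content-Security-Policy: upgrade-insecure-requests\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>hardened</html>"
)

ONE_YEAR = 31536000  # seconds; assumed minimum HSTS max-age for this audit


def parse_response(raw: str) -> Tuple[int, Dict[str, List[str]]]:
    """Split a raw HTTP/1.1 response into its status code and a map of
    lowercase header name -> list of values (a header may repeat)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers: Dict[str, List[str]] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def audit(http_raw: str, https_raw: str) -> Dict[str, bool]:
    """Return one boolean per hardening setting, True when it is in place."""
    http_status, http_headers = parse_response(http_raw)
    _, https_headers = parse_response(https_raw)

    # HTTP-to-HTTPS redirect: a redirect status whose Location is an https:// URL.
    location = http_headers.get("location", [""])[0].lower()
    redirects = http_status in (301, 302, 307, 308) and location.startswith("https://")

    # HSTS: present on the HTTPS response with a max-age of at least a year.
    hsts = https_headers.get("strict-transport-security", [""])[0]
    max_age = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
    hsts_ok = max_age is not None and int(max_age.group(1)) >= ONE_YEAR

    # upgrade-insecure-requests: a CSP directive asking the browser to fetch
    # the page's http:// subresources over https:// instead.
    csp_values = " ".join(https_headers.get("content-security-policy", [])).lower()
    upgrade_ok = "upgrade-insecure-requests" in csp_values

    return {
        "http_redirects_to_https": redirects,
        "hsts_one_year": hsts_ok,
        "upgrade_insecure_requests": upgrade_ok,
    }


def missing(http_raw: str, https_raw: str) -> List[str]:
    """Names of the settings the audited site still lacks."""
    return [name for name, ok in audit(http_raw, https_raw).items() if not ok]


if __name__ == "__main__":
    print("before hardening, missing:", missing(HTTP_BEFORE, HTTPS_BEFORE))
    print("after hardening, missing: ", missing(HTTP_AFTER, HTTPS_AFTER))
```

To run it against a live site, replace the constructed strings with the raw responses from `curl -si http://yourdomain/` and `curl -si https://yourdomain/`; the checks are deliberately simple so they can be read as a checklist of what a hardened Apache configuration should produce.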

While it's good news that we are halfway to an entirely encrypted web, we still have more work to do.  We need more wins like the ones we get every time a small website owner - probably just a nerd with a laptop like you and me - offers HTTPS to their users for the first time.  If we want a web that is safer from eavesdropping, content hijacking, cookie stealing, and targeted censorship, we need to keep advocating for HTTPS as the default across the web.
