Difference between revisions of "Timeline of HTTPS adoption"

From Timelines
Jump to: navigation, search
(Full timeline)
 
(75 intermediate revisions by 3 users not shown)
Line 1: Line 1:
This timeline describes the gradual increase in websites and clients using HTTPS.
+
This timeline gives a history of HTTPS usage and adoption, describing the gradual increase in websites and clients using HTTPS. HTTPS is a secure, encrypted version of HTTP and has been implemented using Sockets Layer (SSL) and Transport Layer Security (TLS). The timeline spans the period from 1994, when HTTPS and SSL were first introduced on {{w|Netscape Navigator}}, to 2019, by which time, thanks to the efforts of Google, Mozilla, and many privacy-focused organizations, HTTPS is ubiquitous and accounts for more traffic than plain, unencrypted HTTP.
 +
 
 +
== Sample questions ==
 +
 
 +
* What were the major Internet standards related to HTTPS and when were they defined? (Sort the Full timeline by "Entity type" and look for the group of rows for which this says "Standard")
 +
* When did various leading news sites migrate to HTTPS, and what challenges did they face while migrating? (Sort the Full timeline by "Entity type" and look for the group of rows for which this says" Website"; scan the "Entity name" column to find the news websites or other sites of interest to you; then read the "Details" column and look at the cited reference)
 +
* How can we get quantitative data on how many sites and how much traffic uses HTTPS? (Sort the Full timeline by "Entity type" and look for the rows for which this says "Report" or "Report/Observatory")
 +
 
 +
== Big picture ==
 +
 
 +
=== Entity types and qualitative details ===
 +
 
 +
HTTPS is an end-to-end protocol. Therefore, it need only be supported by the browser (on the client side) and the server (it could be terminated at the load balancer or proxy or dealt with directly by the process serving the content).
 +
 
 +
Other intermediaries, like Internet Service Providers (ISPs), routers, networking services, etc. do not need to be upgraded to support HTTPS. The main effects on them from the transition to HTTPS are: (a) the ability of their {{w|packet analyzer}}s to sniff traffic reduces, and (b) the volume of traffic they deal with goes up a little bit.
 +
 
 +
{| class="wikitable sortable"
 +
! Entity type !! Broad classification !! Top entity names !! Typical stages !! Details
 +
|-
 +
| Standard || -- || || || This includes standards around client-server communication for HTTPS. Most of these are published by the Internet Engineering Task Force (IETF).
 +
|-
 +
| Browser || Client-side || Chrome, Firefox, Netscape Navigator || Security warning || Beyond initial HTTPS support (which was present in most browsers from the get-go), the main browser evolution has centered around the way security warnings are presented around HTTP versus HTTPS, mixed content, and problems with HTTPS certificates.
 +
|-
 +
| Browser extension || Client-side || Firesheep, HTTPS Everywhere || Vulnerability exploit, security improvement || Browser extensions have played some role in identifying and protecting against vulnerabilities of unencrypted (plain HTTP) connections.
 +
|-
 +
| Website || Server-side || Lots of websites || HTTPS available, opt-in HTTPS-only, default HTTPS-only, HTTPS-only || Websites may start by making HTTPS available, so that people who type https:// in the browser will get the HTTPS website. They may then transition to allowing logged-in users to opt-in to HTTPS-only, so that they will see internal links in HTTPS only and will automatically be redirected from HTTP to HTTPS. The next step is default HTTPS-only, which means that except for users who explicitly opt out, everybody is redirected to HTTPS (this could come in two stages: first rolled out to logged-in users only, then to all). Finally, the HTTPS-only stage is when access over plain HTTP is no longer supported.
 +
|-
 +
| Webmail || Server-side || Gmail, Hotmail, Yahoo! Mail || HTTPS available, opt-in HTTPS-only, default HTTPS-only, HTTPS-only || Similar to the stages for website. However, webmail is generally more sensitive, so the importance of switching to HTTPS is higher, and webmail services switched to HTTPS before websites.
 +
|-
 +
| Search engine || Server-side || Google Search, Bing, Yahoo! Search || HTTPS available, opt-in HTTPS-only, default HTTPS-only, HTTPS-only || Similar to the stages for website. Search engine data is intermediate in sensitivity between websites and webmail, and in terms of the chronological evolution also moved to HTTPS somewhere in between.
 +
|-
 +
| Proxy/load balancer || Server-side || Amazon Web Services || Early SSL termination || Load balancers can manage the SSL/TLS certificates and forward only plain HTTP requests to the servers that have to actually respond to the request.
 +
|-
 +
| CDN || Server-side || Cloudflare, Amazon CloudFront || Custom SSL || {{w|Content delivery network}}s are used to serve static content at low latency and low cost around the world. CDNs have evolved to allow customers to upload their own SSL certificates for content.
 +
|-
 +
| Ecosystem || Server-side || Advertising || || Various backend ecosystems that power the technology and monetization of the web, such as advertising, need to support HTTPS in order to complete the transition to HTTPS.
 +
|}
 +
 
 +
=== Time period grouping ===
 +
 
 +
{| class="wikitable sortable"
 +
! Time period !! Qualitative summary of developments
 +
|-
 +
| 1994–2007 || During this period, many of the standards related to HTTPS (HTTP over SSL, HTTP over TLS, SNI) are published as RFCs by the Internet Engineering Task Force. Certificate authorities (CAs) come into being and the CA/Browser Forum is created. A few sites, generally those related to e-commerce, start using HTTPS.
 +
|-
 +
| 2008–2012 || The move to HTTPS begins, with Google taking the lead, and Twitter and Facebook following. Webmail moves first, then search for logged-in users. The general playbook is: HTTPS available, opt-in HTTPS-only, then default HTTPS-only.
 +
|-
 +
| 2013–2014 || The move to HTTPS continues, with laggers in webmail and search catching up on encryption, and Google beginning encryption even for non-logged-in users. Toward the end of this period, Google begins aggressively pushing for the whole web to go HTTPS, first by stating that HTTPS will be a search ranking signal, then by declaring that Chrome eventually intends to mark all plain HTTP sites as not secure.
 +
|-
 +
| 2015–2017 || This is the period when the move to HTTPS intensifies among a number of ordinary websites. Wikipedia, Reddit, Imgur, and some major newspapers and magazines like the ''New York Times'', ''The Guardian'', ''TechCrunch'', and ''Wired'' go HTTPS. Chrome begins the process of marking plain HTTP sites as Not Secure. Let's Encrypt makes it easy and free for people to move to HTTPS. Google and others set up systematic tracking of the proportion of HTTPS usage, and the period ends with a significant increase in HTTPS use. This period also begins a trend of the Chinese government censoring entire websites after they transition to HTTPS, because it can no longer identify and block individual webpages due to encryption.
 +
|-
 +
| 2018–2019 || With Chrome now marking all plain HTTP sites as not secure, most high-traffic sites that had not yet migrated to HTTPS complete their migration. This includes sites like IMDb, BBC, Wikia/Fandom, Fox News, and many others.
 +
|}
 +
 
  
 
== Full timeline ==
 
== Full timeline ==
Line 6: Line 59:
 
! Year !! Month and date (if available) !! Entity type !! Entity name !! Stage !! Details
 
! Year !! Month and date (if available) !! Entity type !! Entity name !! Stage !! Details
 
|-
 
|-
| 1994 || || Browser || Netspace Navigator || Protocol support || {{w|Netscape Communications}} creates HTTPS for its {{w|Netscape Navigator}} web browser, originally for use with the {{w|Secure Sockets Layer}} (SSL) protocol.
+
| 1994 || || Standard || SSL v1.0 || Protocol || {{w|Netscape Communications}} creates HTTPS for its {{w|Netscape Navigator}} web browser, originally for use with the {{w|Secure Sockets Layer}} (SSL) protocol (SSL version 1.0). Due to security issues, this is never officially published. See {{w|Transport Layer Security#SSL_1.0.2C_2.0_and_3.0}}.
 +
|-
 +
| 1995 || {{dts|February}} || Standard || SSL v2.0 || Protocol || SSL v2.0 is released. It has a number of security flaws. See [[w:Transport Layer Security#SSL_1.0.2C_2.0_and_3.0]].
 +
|-
 +
| 1995 || {{dts|July}} || Server hosting || Netscape || Commercial offering || ''Fortune'' reports that Netscape charges $1,495 for a server and $5,000 for a server with secure communication (i.e., serving traffic over HTTPS).<ref>{{cite web|url = http://fortune.com/2012/02/05/the-rise-of-netscape/|title = The rise of Netscape|last = Sprout|first = Alison|date = July 1, 1995|accessdate = March 11, 2018}}</ref><ref name=jeff>{{cite web|url = https://www.jefftk.com/p/history-of-https-usage|title = History of HTTPS Usage|date = March 8, 2018|accessdate = March 11, 2018|last = Kaufman|first = Jeff}}</ref>
 +
|-
 +
| 1995 || {{dts|September 19}} || Bugfix || || Vulnerability exploit || Two graduate students at the University of California, Berkeley discover a security vulnerability with Netscape Navigator, that also affects HTTPS sites and risks credit card transactions being eavesdropped on.<ref>{{cite web|url = http://www.cnn.com/TECH/9509/netscape_flaw/index.html|title = Netscape: Internet security flaw can be fixed.|date = September 19, 1995|accessdate = March 11, 2018}}</ref><ref>{{cite web|url = http://query.nytimes.com/gst/fullpage.html?res=990CEFDC1131F935A25753C1A963958260&pagewanted=all|title = The New Watchdogs of Digital Commerce|date = October 16, 1995|accessdate = March 11, 2018|publisher = ''New York Times''|last = Markoff|first = John}}</ref><ref name=jeff/>
 +
|-
 +
| 1996 || || Standard || SSL v3.0 || Protocol || SSL v3.0 is released and its specification is drafted. IETF would publish this draft as a historical document in 2011.<ref>{{Cite web|url = https://tools.ietf.org/html/rfc6101|title = The Secure Sockets Layer (SSL) Protocol Version 3.0|date = August 1, 2011|accessdate = November 23, 2017|publisher = [[Internet Engineering Task Force]]}}</ref>
 +
|-
 +
| 1999 || {{dts|January}} || Standard || TLS 1.0 || Protocol || Version 1.0 of the {{w|Transport Layer Security}} (TLS) protocol is published as RFC 2246. TLS would replace SSL as the protocol used for HTTPS.<ref>{{cite web|url = https://tools.ietf.org/html/rfc2246|title = The TLS Protocol Version 1.0|date = January 1, 1999|accessdate = November 23, 2017|publisher = Internet Engineering Task Force}}</ref>
 +
|-
 +
| 2000 || {{dts|May}} || Standard || HTTP over TLS || Protocol || RFC 2818 of the {{w|Internet Engineering Task Force}} (IETF) describes the standard for HTTPS, using HTTP over {{w|Transport Layer Security}} (TLS).<ref>{{cite web|url = https://tools.ietf.org/html/rfc2818|title = HTTP Over TLS|date = May 1, 2000|accessdate = November 23, 2017|publisher = Internet Engineering Task Force}}</ref>
 +
|-
 +
| 2001 || {{dts|July 26}} || || {{w|Wikipedia}} || || {{w|HTTPS}} initial entry is created on {{w|English Wikipedia}}.<ref>{{cite web |title=HTTPS: Revision history |url=https://en.wikipedia.org/w/index.php?title=HTTPS&dir=prev&action=history |website=en.wikipedia.org |accessdate=1 March 2020}}</ref>
 +
|-
 +
| 2003 || {{dts|June}} || Standard || SNI || Protocol || RFS 3546 of the IETF describes a number of augmentations to TLS, including {{w|Server Name Indication}} (SNI).<ref>{{cite web|url = https://tools.ietf.org/html/rfc3546|title = Transport Layer Security (TLS) Extensions|date = June 1, 2003|accessdate = November 20, 2017|publisher = Internet Engineering Task Force}}</ref>
 
|-
 
|-
| 2000 || {{dts|May}} || Standard || RFC 2818 || || RFC 2818 of the {{w|Internet Engineering Task Force}} describes the standard for HTTPS, using HTTP over {{w|Transport Layer Security}} (TLS). This is considered a superior, more secure form of HTTPS than HTTPS over SSL.
+
| 2004 || {{dts|April 1}} || Webmail || Google (Gmail) || HTTPS availability || Gmail, Google's web-based email service, launches. The service is available over HTTPS right from the time of launch.<ref name=jeff/>
 
|-
 
|-
| 2008 || {{dts|July 24}} || Website || Google (Gmail) || Opt-in HTTPS-only || Google adds a setting in Gmail for users to always use HTTPS. Even before this, users could (since the inception of Gmail) access it securely by explicitly typing https:// in the browser. With the new setting, users who have opted in to it will be redirected from HTTP to HTTPS.<ref>{{cite web|url = https://gmail.googleblog.com/2008/07/making-security-easier.html|title = Making security easier|date = July 24, 2008|accessdate = November 19, 2017|last = Rideout|first = Ariel|publisher = Google}}</ref>
+
| 2004 || {{dts|April 14}} || Bugfix || || Vulnerability exploit || Microsoft issues a fix for a bug in its SSL library that allows remote attackers to gain control of unpatched Windows 2000 and Windows NT4 servers offering encrypted services over the internet.<ref>{{cite web|url = https://news.netcraft.com/archives/2004/04/14/microsoft_ssl_vulnerability_gives_attackers_opportunity_to_gain_control_of_leading_banking_sites.html|title = Microsoft SSL Vulnerability gives attackers opportunity to gain control of leading banking sites|date = April 14, 2004|accessdate = March 11, 2018|publisher = Netcraft}}</ref>
 
|-
 
|-
| 2010 || {{dts|January 12}} || Website || Google (Gmail) || Default HTTPS-only || Google switches all Gmail users to redirect to HTTPS; users can change their setings to not redirect to HTTPS. Previously, the default option for this setting was to not redirect, and users had to explicitly choose the option to redirect HTTP to HTTPS.<ref>{{cite web|url = https://gmail.googleblog.com/2010/01/default-https-access-for-gmail.html|title = Default https access for Gmail|date = January 12, 2010|accessdate = November 19, 2017|publisher = Google|last = Schillace|first = Sam}}</ref>
+
|2005 || {{dts|April 20}} || || Microsoft || || A blog post by {{w|Microsoft}} argues that using non-HTTPS login pages is insecure, even if the form submission is to a HTTPS page.<ref>{{cite web|url = https://blogs.msdn.microsoft.com/ie/2005/04/20/tls-and-ssl-in-the-real-world/|title = TLS and SSL in the real world|date = April 20, 2005|accessdate = March 11, 2018}}</ref><ref name=jeff/>
 
|-
 
|-
| 2010 || {{dts|June 17}} || Browser extension || HTTPS Everywhere || || The {{w|Electronic Frontier Foundation}} and {{w|The Tor Project, Inc}} launch {{w|HTTPS Everywhere}}, a {{w|Firefox}} extension, to make Firefox use HTTPS where possible.<ref>{{cite web|url = https://www.eff.org/deeplinks/2010/06/encrypt-web-https-everywhere-firefox-extension|title = Encrypt the Web with the HTTPS Everywhere Firefox Extension|last = Eckersley|first = Peter|date = June 17, 2010|accessdate = November 19, 2017|publisher = Electronic Frontier Foundation}}</ref> The extension would evolve over the coming years. As of 2017, it is supported on Firefox, Chrome, and Opera.<ref name=https-everywhere>{{cite web|url = https://www.eff.org/https-everywhere|title = HTTPS Everywhere|accessdate = November 19, 2017}}</ref>
+
| 2005 || || || || || The {{w|CA/Browser Forum}} is founded. It is a voluntary consortium of certification authorities, vendors of Internet browser software, operating systems, and other PKI-enabled applications that promulgates industry guidelines governing the issuance and management of X.509 v.3 digital certificates that chain to a trust anchor embedded in such applications.
 +
|-
 +
| 2006 || {{dts|April}} || Standard || TLS 1.1 || Protocol || RFC 4346 defines TLS 1.1, the next version of TLS after TLS 1.0.<ref>{{cite web|url = https://tools.ietf.org/html/rfc4346|title = The Transport Layer Security (TLS) Protocol Version 1.1|date = April 1, 2006|accessdate = November 23, 2017|publisher = Internet Engineering Task Force}}</ref>
 +
|-
 +
| 2008 || {{dts|July 24}} || Webmail || Google (Gmail) || Opt-in HTTPS-only || Google adds a setting in Gmail for users to always use HTTPS. Even before this, users could (since the inception of Gmail) access it securely by explicitly typing https:// in the browser. With the new setting, users who have opted in to it will be redirected from HTTP to HTTPS.<ref>{{cite web|url = https://gmail.googleblog.com/2008/07/making-security-easier.html|title = Making security easier|date = July 24, 2008|accessdate = November 19, 2017|last = Rideout|first = Ariel|publisher = Google}}</ref><ref name=jeff/>
 +
|-
 +
| 2008 || {{dts|August}} || Standard || TLS 1.2 || Protocol || RFC 5246 defines TLS 1.2, the next version of TLS after TLS 1.1.<ref>{{Cite web|url = https://tools.ietf.org/html/rfc5246|title = The Transport Layer Security (TLS) Protocol Version 1.2|date = August 1, 2008|accessdate = November 23, 2017|publisher = Internet Engineering Task Force}}</ref>
 +
|-
 +
| 2010 || {{dts|January 12}} || Webmail|| Google (Gmail) || Default HTTPS-only || Google switches all Gmail users to redirect to HTTPS; users can change their setings to not redirect to HTTPS. Previously, the default option for this setting was to not redirect, and users had to explicitly choose the option to redirect HTTP to HTTPS.<ref>{{cite web|url = https://gmail.googleblog.com/2010/01/default-https-access-for-gmail.html|title = Default https access for Gmail|date = January 12, 2010|accessdate = November 19, 2017|publisher = Google|last = Schillace|first = Sam}}</ref><ref name=jeff/>
 +
|-
 +
| 2010 || {{dts|May 21}} || Search engine || Google Search || HTTPS availability || Google makes search available on SSL at https://www.google.com. However, on June 25, they announced that they are moving encrypted search to https://encrypted.google.com because of challenges reported by school districts.<ref>{{cite web|url = https://googleblog.blogspot.com/2010/05/search-more-securely-with-encrypted.html|title = Search more securely with encrypted Google web search|date = May 21, 2010|accessdate = March 11, 2018|publisher = Google Official Blog|last = Roseman|first = Evan}}</ref><ref name=jeff/>
 +
|-
 +
| 2010 || {{dts|June 17}} || Browser extension || HTTPS Everywhere || Security improvement || The {{w|Electronic Frontier Foundation}} and {{w|The Tor Project, Inc}} launch {{w|HTTPS Everywhere}}, a {{w|Firefox}} extension, to make Firefox use HTTPS where possible.<ref>{{cite web|url = https://www.eff.org/deeplinks/2010/06/encrypt-web-https-everywhere-firefox-extension|title = Encrypt the Web with the HTTPS Everywhere Firefox Extension|last = Eckersley|first = Peter|date = June 17, 2010|accessdate = November 19, 2017|publisher = Electronic Frontier Foundation}}</ref> The extension would evolve over the coming years. As of 2017, it is supported on Firefox, Chrome, and Opera.<ref name=https-everywhere>{{cite web|url = https://www.eff.org/https-everywhere|title = HTTPS Everywhere|accessdate = November 19, 2017}}</ref>
 
|-
 
|-
 
| 2010 || {{dts|June 2}} || Browser enhancement || SSL False Start || || A Google team comprising Adam Langley, Nagendra Modadugu, and Bodo Moeller propose SSL False Start, a client-side only change to reduce one round-trip from the SSL handshake.<ref>{{cite web|url = https://tools.ietf.org/html/draft-bmoeller-tls-falsestart-00|title = Transport Layer Security (TLS) False Start|date = June 2, 2010|accessdate = November 19, 2017|publisher = Internet Engineering Task Force}}</ref><ref>{{cite web|url = https://blog.chromium.org/2011/05/ssl-falsestart-performance-results.html|title = SSL FalseStart Performance Results|date = May 18, 2011|accessdate = November 19, 2017|publisher = Chromium blog}}</ref><ref>{{cite web|url = https://www.imperialviolet.org/2010/09/05/blacklisting.html|title = Changing HTTPS|date = September 5, 2010|accessdate = November 19, 2017|publisher = Imperial Violet}}</ref> Despite tests showing that it reduces latency by 30%, the effort would be abandoned in April 2012 because of incompatibility with some servers doing early HTTPS termination.<ref>{{cite web|url = https://arstechnica.com/information-technology/2012/04/google-abandons-noble-experiment-to-make-ssl-less-painful/|title = False Start’s sad demise: Google abandons noble attempt to make SSL less painful|last = Goodin|first = Dan|date = April 12, 2012|accessdate = November 19, 2017}}</ref>
 
| 2010 || {{dts|June 2}} || Browser enhancement || SSL False Start || || A Google team comprising Adam Langley, Nagendra Modadugu, and Bodo Moeller propose SSL False Start, a client-side only change to reduce one round-trip from the SSL handshake.<ref>{{cite web|url = https://tools.ietf.org/html/draft-bmoeller-tls-falsestart-00|title = Transport Layer Security (TLS) False Start|date = June 2, 2010|accessdate = November 19, 2017|publisher = Internet Engineering Task Force}}</ref><ref>{{cite web|url = https://blog.chromium.org/2011/05/ssl-falsestart-performance-results.html|title = SSL FalseStart Performance Results|date = May 18, 2011|accessdate = November 19, 2017|publisher = Chromium blog}}</ref><ref>{{cite web|url = https://www.imperialviolet.org/2010/09/05/blacklisting.html|title = Changing HTTPS|date = September 5, 2010|accessdate = November 19, 2017|publisher = Imperial Violet}}</ref> Despite tests showing that it reduces latency by 30%, the effort would be abandoned in April 2012 because of incompatibility with some servers doing early HTTPS termination.<ref>{{cite web|url = https://arstechnica.com/information-technology/2012/04/google-abandons-noble-experiment-to-make-ssl-less-painful/|title = False Start’s sad demise: Google abandons noble attempt to make SSL less painful|last = Goodin|first = Dan|date = April 12, 2012|accessdate = November 19, 2017}}</ref>
 
|-
 
|-
| 2010 || {{dts|October 14}} || Proxy/load balancer || AWS Elastic Load Balancing || || AWS Elastic Load Balancing announces support for SSL termination. This means that websites hosted on AWS, behind AWS load balancers, can upload their certificates to the load balancer, and have the load balancer take care of the SSL certificate, so that the servers that receive the actual traffic only have to handle HTTP traffic.<ref>{{cite web|url = https://aws.amazon.com/blogs/aws/elastic-load-balancer-support-for-ssl-termination/|title = AWS Elastic Load Balancing: Support for SSL Termination|date = October 14, 2010|accessdate = November 19, 2017|publisher = Amazon Web Services|last = Barr|first = Jeff}}</ref>
+
| 2010 || {{dts|October}} || Browser extension || Firesheep || Vulnerability exploit || {{w|Firesheep}}, a {{w|Firefox}} browser extension that uses a {{w|packet analyzer}} to intercept unencrypted {{w|session cookie}}s over {{w|Wi-Fi}} networks, is released. The extension highlights the need for greater security, both in terms of websites moving to HTTPS (end-to-end security) and improving security of Wi-Fi.
 +
|-
 +
| 2010 || {{dts|October 14}} || Proxy/load balancer || AWS Elastic Load Balancing || Early SSL termination || AWS Elastic Load Balancing announces support for SSL termination. This means that websites hosted on AWS, behind AWS load balancers, can upload their certificates to the load balancer, and have the load balancer take care of the SSL certificate, so that the servers that receive the actual traffic only have to handle HTTP traffic.<ref>{{cite web|url = https://aws.amazon.com/blogs/aws/elastic-load-balancer-support-for-ssl-termination/|title = AWS Elastic Load Balancing: Support for SSL Termination|date = October 14, 2010|accessdate = November 19, 2017|publisher = Amazon Web Services|last = Barr|first = Jeff}}</ref>
 +
|-
 +
| 2010 || {{dts|November 3}} || Website || GitHub || Default HTTPS-only || In response to the release of Firesheep, GitHub moves to HTTPS for all users; previously full-session SSL was only available to paying users.<ref>{{cite web|url = https://news.netcraft.com/archives/2010/11/03/github-moves-to-ssl-but-remains-firesheepable.html|title = GitHub moves to SSL, but remains Firesheepable|date = November 3, 2010|accessdate = November 20, 2017|publisher = Netcraft}}</ref>
 +
|-
 +
| 2010 || {{dts|November 9}} || Webmail || Hotmail (Microsoft) || Opt-in HTTPS-only || Microsoft lets users of its web-based email service, Hotmail, set HTTPS by default.<ref>{{cite web|url = https://www.cnet.com/news/microsoft-lets-hotmail-users-set-encryption-by-default/|title = Microsoft lets Hotmail users set encryption by default. Microsoft adds full-session encryption option to HOtmail and SSL for SkyDrive, Photos, Docs, and Devices pages.|last = Mills|first = Elinor|date = November 9, 2010|accessdate = November 20, 2017|publisher = ''CNet''}}</ref><ref name=wapo-yahoo-ssl>{{cite web|url = https://www.washingtonpost.com/news/the-switch/wp/2013/10/14/yahoo-to-make-ssl-encryption-the-default-for-webmail-users-finally/?utm_term=.ec5f73b0f28d|title = Yahoo to make SSL encryption the default for Webmail users. Finally.|last = Peterson|first = Andrea|last2 = Gellman|first2 = Barton|last3 = Soltani|first3 = Ashkan|date = October 14, 2013|accessdate = November 20, 2017}}</ref>
 
|-
 
|-
 
| 2011 || {{dts|January}} || Website || Facebook || Opt-in HTTPS-only || {{w|Facebook}} begins allowing logged-in users to opt in to have all their Facebook browsing encrypted by HTTPS.<ref name=facebook-https-default>{{cite web|url = https://techcrunch.com/2012/11/18/facebook-https/|title = Facebook Could Slow Down A Tiny Bit As It Starts Switching All Users To Secure HTTPS Connections|last = Constine|first = Josh|date = November 18, 2012|accessdate = November 19, 2017|publisher = ''TechCrunch''}}</ref>
 
| 2011 || {{dts|January}} || Website || Facebook || Opt-in HTTPS-only || {{w|Facebook}} begins allowing logged-in users to opt in to have all their Facebook browsing encrypted by HTTPS.<ref name=facebook-https-default>{{cite web|url = https://techcrunch.com/2012/11/18/facebook-https/|title = Facebook Could Slow Down A Tiny Bit As It Starts Switching All Users To Secure HTTPS Connections|last = Constine|first = Josh|date = November 18, 2012|accessdate = November 19, 2017|publisher = ''TechCrunch''}}</ref>
 
|-
 
|-
| 2011 || {{dts|January}} || Standard || OCSP stapling || || RFC 6066, introducing OCSP stapling, is published.<ref>{{cite web|url = https://tools.ietf.org/html/rfc6066|title = Transport Layer Security (TLS) Extensions: Extension Definitions|date = January 1, 2011|accessdate = November 19, 2017}}</ref> OCSP stapling is an alternative approach to the {{W|Online Certificate Status Protocol}} llows the presenter of a certificate to bear the resource cost involved in providing OCSP responses by appending ("stapling") a time-stamped OCSP response signed by the CA to the initial TLS handshake, eliminating the need for clients to contact the certificate authority. RFC 6961 would cover the case of multiple OCSP stapling.<ref>{{cite web|url = https://tools.ietf.org/html/rfc6961|title = The Transport Layer Security (TLS) Multiple Certificate Status Request Extension|date = June 1, 2013|accessdate = November 19, 2017}}</ref>
+
| 2011 || {{dts|January}} || Standard || OCSP stapling || Protocol || RFC 6066, introducing OCSP stapling, is published.<ref>{{cite web|url = https://tools.ietf.org/html/rfc6066|title = Transport Layer Security (TLS) Extensions: Extension Definitions|date = January 1, 2011|accessdate = November 19, 2017}}</ref> OCSP stapling is an alternative approach to the {{W|Online Certificate Status Protocol}} that allows the presenter of a certificate to bear the resource cost involved in providing OCSP responses by appending ("stapling") a time-stamped OCSP response signed by the CA to the initial TLS handshake, eliminating the need for clients to contact the certificate authority. RFC 6961 would cover the case of multiple OCSP stapling.<ref>{{cite web|url = https://tools.ietf.org/html/rfc6961|title = The Transport Layer Security (TLS) Multiple Certificate Status Request Extension|date = June 1, 2013|accessdate = November 19, 2017}}</ref>
 
|-
 
|-
 
| 2011 || {{dts|March 15}} || Website || Twitter || Opt-in HTTPS-only || {{w|Twitter}} begins allowing logged-in users to opt in to have all their Twitter browsing encrypted by HTTPS.<ref name=twitter-https-optin>{{cite web|url = https://blog.twitter.com/official/en_us/a/2011/making-twitter-more-secure-https.html|title = Making Twitter more secure: HTTPS|date = March 15, 2011|accessdate = November 19, 2017|publisher = Twitter}}</ref>
 
| 2011 || {{dts|March 15}} || Website || Twitter || Opt-in HTTPS-only || {{w|Twitter}} begins allowing logged-in users to opt in to have all their Twitter browsing encrypted by HTTPS.<ref name=twitter-https-optin>{{cite web|url = https://blog.twitter.com/official/en_us/a/2011/making-twitter-more-secure-https.html|title = Making Twitter more secure: HTTPS|date = March 15, 2011|accessdate = November 19, 2017|publisher = Twitter}}</ref>
Line 28: Line 115:
 
| 2011 || {{dts|July 15}} || Proxy/load balancer || Nginx || || GlobalSign, DigiCert, Comodo and NGINX Inc. announce a joint effort to add OCSP-stapling support to Nginx.<ref>{{cite web|url = https://www.nginx.com/press/globalsign-digicert-and-comodo-collaborate-nginx-improve-online/|title = GlobalSign, DigiCert and Comodo Collaborate with NGINX to Improve Online Trust through Enhanced Certificate Revocation Checking, sign a Sponsorship Agreement. New version of the popular NGINX web server to support OCSP-stapling|date = July 15, 2011|accessdate = November 19, 2017|publisher = NGINX, Inc.}}</ref>
 
| 2011 || {{dts|July 15}} || Proxy/load balancer || Nginx || || GlobalSign, DigiCert, Comodo and NGINX Inc. announce a joint effort to add OCSP-stapling support to Nginx.<ref>{{cite web|url = https://www.nginx.com/press/globalsign-digicert-and-comodo-collaborate-nginx-improve-online/|title = GlobalSign, DigiCert and Comodo Collaborate with NGINX to Improve Online Trust through Enhanced Certificate Revocation Checking, sign a Sponsorship Agreement. New version of the popular NGINX web server to support OCSP-stapling|date = July 15, 2011|accessdate = November 19, 2017|publisher = NGINX, Inc.}}</ref>
 
|-
 
|-
| 2011 || {{dts|October 18}} || Website || Google Search || Default HTTPS-only || Google makes HTTPS (using SSL) the default option for its search users who are logged in on google.com (its US site; regionally branded sites are not affected).<ref>{{cite web|url = https://googleblog.blogspot.in/2011/10/making-search-more-secure.html|title = Making search more secure|date = October 18, 2011|accessdate = November 19, 2017|publisher = Google}}</ref><ref>{{cite web|url = http://www.eweek.com/security/google-makes-https-encryption-default-for-search|title = Google Makes HTTPS Encryption Default for Search|last = Boulton|first = Clint|date = October 18, 2011|accessdate = November 19, 2017|publisher = eweek}}</ref><ref>{{cite web|url = https://searchengineland.com/google-to-begin-encrypting-searches-outbound-clicks-by-default-97435|title = Google To Begin Encrypting Searches & Outbound Clicks By Default With SSL Search|last = Sullivan|first = Danny|date = October 18, 2011|accessdate = November 19, 2017|publisher = Search Engine Land}}</ref> In particular, webmasters receiving traffic from Google Search will no longer be able to know the search terms that led to a specific visit.<ref>{{Cite web|url = https://analytics.googleblog.com/2011/10/making-search-more-secure-accessing.html|title = Making search more secure: Accessing search query data in Google Analytics|date = October 18, 2011|accessdate = November 19, 2017}}</ref><ref>{{cite web|url = https://searchengineland.com/google-puts-a-price-on-privacy-98029|title = Google Puts A Price On Privacy|last = Sullivan|first = Danny|date = October 22, 2011|accessdate = November 19, 2017}}</ref>
+
| 2011 || {{dts|October 18}} || Search engine || Google Search || Default HTTPS-only || Google makes HTTPS (using SSL) the default option for its search users who are logged in on google.com (its US site; regionally branded sites are not affected).<ref>{{cite web|url = https://googleblog.blogspot.com/2011/10/making-search-more-secure.html|title = Making search more secure|date = October 18, 2011|accessdate = November 19, 2017|publisher = Google}}</ref><ref>{{cite web|url = http://www.eweek.com/security/google-makes-https-encryption-default-for-search|title = Google Makes HTTPS Encryption Default for Search|last = Boulton|first = Clint|date = October 18, 2011|accessdate = November 19, 2017|publisher = eweek}}</ref><ref>{{cite web|url = https://searchengineland.com/google-to-begin-encrypting-searches-outbound-clicks-by-default-97435|title = Google To Begin Encrypting Searches & Outbound Clicks By Default With SSL Search|last = Sullivan|first = Danny|date = October 18, 2011|accessdate = November 19, 2017|publisher = Search Engine Land}}</ref> In particular, webmasters receiving traffic from Google Search will no longer be able to know the search terms that led to a specific visit.<ref>{{Cite web|url = https://analytics.googleblog.com/2011/10/making-search-more-secure-accessing.html|title = Making search more secure: Accessing search query data in Google Analytics|date = October 18, 2011|accessdate = November 19, 2017}}</ref><ref>{{cite web|url = https://searchengineland.com/google-puts-a-price-on-privacy-98029|title = Google Puts A Price On Privacy|last = Sullivan|first = Danny|date = October 22, 2011|accessdate = November 19, 2017}}</ref>
 
|-
 
|-
 
| 2012 || {{dts|February 13}} || Website || Twitter || Default HTTPS-only || Twitter makes HTTPS the default for all logged-in users.<ref>{{cite web|url = https://blog.twitter.com/official/en_us/a/2012/securing-your-twitter-experience-with-https.html|title = Securing your Twitter experience with HTTPS|date = February 13, 2012|accessdate = November 19, 2017|publisher = Twitter}}</ref><ref>{{cite web|url = https://blog.codinghorror.com/should-all-web-traffic-be-encrypted/|title = Should All Web Traffic Be Encrypted?|date = February 23, 2012|accessdate = November 19, 2017|publisher = Coding Horror}}</ref><ref>{{cite web|url = https://www.ghacks.net/2012/02/14/twitter-makes-https-default-for-signed-in-users/|title = Twitter Makes HTTPS Default For Signed In Users|last = Brinkmann|first = Martin|date = February 14, 2012|accessdate = November 19, 2017}}</ref>
 
| 2012 || {{dts|February 13}} || Website || Twitter || Default HTTPS-only || Twitter makes HTTPS the default for all logged-in users.<ref>{{cite web|url = https://blog.twitter.com/official/en_us/a/2012/securing-your-twitter-experience-with-https.html|title = Securing your Twitter experience with HTTPS|date = February 13, 2012|accessdate = November 19, 2017|publisher = Twitter}}</ref><ref>{{cite web|url = https://blog.codinghorror.com/should-all-web-traffic-be-encrypted/|title = Should All Web Traffic Be Encrypted?|date = February 23, 2012|accessdate = November 19, 2017|publisher = Coding Horror}}</ref><ref>{{cite web|url = https://www.ghacks.net/2012/02/14/twitter-makes-https-default-for-signed-in-users/|title = Twitter Makes HTTPS Default For Signed In Users|last = Brinkmann|first = Martin|date = February 14, 2012|accessdate = November 19, 2017}}</ref>
 
|-
 
|-
| 2012 || {{dts|March}} || Website || Google Search || Default HTTPS-only || Google makes secure search the default globally for signed-in users. Previously, the change was limited to users on google.com.<ref>{{cite web|url = https://search.googleblog.com/2012/03/bringing-more-secure-search-around.html|title = Bringing more secure search around the globe|date = March 5, 2012|accessdate = November 19, 2017}}</ref>
+
| 2012 || {{dts|March}} || Search engine || Google Search || Default HTTPS-only || Google makes secure search the default globally for signed-in users. Previously, the change was limited to users on google.com.<ref>{{cite web|url = https://search.googleblog.com/2012/03/bringing-more-secure-search-around.html|title = Bringing more secure search around the globe|date = March 5, 2012|accessdate = November 19, 2017}}</ref>
 
|-
 
|-
| 2012 || {{dts|November}} || Website || Facebook || Default HTTPS-only || Facebook rolls out its transition to HTTPS by default for all users, beginning with North America.<ref>{{cite web|url = https://developers.facebook.com/blog/post/2012/11/14/platform-updates--operation-developer-love/|title = Platform Updates: Operation Developer Love|last = Asthana|first = Shireesh|date = November 15, 2012|accessdate = November 19, 2017|publisher = Facebook}}</ref><ref name=facebook-https-default/>
+
| 2012 || {{dts|July 31}} || Webmail || Outlook (formerly Hotmail) (Microsoft) || Default HTTPS-only || With the rebranding of Hotmail as Outlook.com, Microsoft moves to default HTTPS-only for all usersof the web-based email service.<ref name=wapo-yahoo-ssl/>
 +
|-
 +
| 2012 || {{dts|October 9}} || Website || Quora || Opt-in HTTPS-only || On or before this date, question-and-answer website {{w|Quora}} allows logged-in users to opt in to HTTPS-only.<ref>{{cite web|url = https://www.quora.com/Does-Quora-support-HTTPS/answer/Tom-Cook/log|title = Does Quora support HTTPS? Tom Cook's answer log|last = Cook|first = Tom|date = October 9, 2012|accessdate = November 20, 2017}}</ref>
 +
|-
 +
| 2012 || {{dts|November}} || Website || Facebook || Default HTTPS-only || Facebook rolls out its transition to HTTPS by default for all users, beginning with North America.<ref>{{cite web|url = https://developers.facebook.com/blog/post/2012/11/14/platform-updates--operation-developer-love/|title = Platform Updates: Operation Developer Love|last = Asthana|first = Shireesh|date = November 15, 2012|accessdate = November 19, 2017|publisher = Facebook}}</ref><ref name=facebook-https-default/> The move is reported to be completed on August 1, 2013.<ref>{{cite web|url = https://www.facebook.com/notes/facebook-engineering/secure-browsing-by-default/10151590414803920|title = Secure browsing by default|date = August 1, 2013|accessdate = November 20, 2017}}</ref>
 
|-
 
|-
 
| 2012 || {{dts|November 19}} || Standard || RFC 6797 || Default HTTPS-only || The {{w|HTTP Strict Transport Security}} (HSTS) standard is published, after being approved on October 2.<ref>{{cite web|url = https://tools.ietf.org/html/rfc6797|title = HTTP Strict Transport Security (HSTS)|date = November 19, 2012|accessdate = November 19, 2017}}</ref> The standard allows a website to set a header specifying a time period over which the client must connect to the website only via HTTPS. This protects against {{w|protocol downgrade attack}}s and {{w|cookie hijacking}}, and also avoids the extra latency involved in redirecting HTTP to HTTPS.
 
| 2012 || {{dts|November 19}} || Standard || RFC 6797 || Default HTTPS-only || The {{w|HTTP Strict Transport Security}} (HSTS) standard is published, after being approved on October 2.<ref>{{cite web|url = https://tools.ietf.org/html/rfc6797|title = HTTP Strict Transport Security (HSTS)|date = November 19, 2012|accessdate = November 19, 2017}}</ref> The standard allows a website to set a header specifying a time period over which the client must connect to the website only via HTTPS. This protects against {{w|protocol downgrade attack}}s and {{w|cookie hijacking}}, and also avoids the extra latency involved in redirecting HTTP to HTTPS.
 +
|-
 +
| 2013 || {{dts|February}} || || || || The {{w|Certificate Authority Security Council}} is founded by the seven largest [[w:certificate authority|certificate authorities]]: {{w|Comodo}}, {{w|Symantec}}, {{w|Trend Micro}}, {{w|DigiCert}}, {{w|Entrust}}, {{w|GlobalSign}}, and {{w|GoDaddy}}.
 
|-
 
|-
 
| 2013 || {{dts|August 21}} (actual release), August 1 (announcement) || Website || Wikipedia || Default HTTPS-only || Wikimedia Foundation turns on HTTPS for all logged-in users (announcement August 1).<ref>{{cite web|url = https://blog.wikimedia.org/2013/08/01/future-https-wikimedia-projects/|title = The future of HTTPS on Wikimedia projects|date = August 1, 2013|accessdate = September 25, 2016|publisher = Wikimedia Foundation|last = Lane|first = Ryan}}</ref><ref>{{cite web|url = https://www.fastcompany.com/3015199/the-code-war/after-nsas-xkeyscore-wikipedia-switches-to-secure-https|title = After NSA's XKeyscore, Wikipedia Switches To Secure HTTPS. The Wikimedia Foundation has announced it's pushing ahead with plans to secure its online systems due to NSA targeting.|last = Eaton|first = Kit|publisher = ''Fast Company''|date = August 2, 2013|accessdate = September 25, 2016}}</ref>
 
| 2013 || {{dts|August 21}} (actual release), August 1 (announcement) || Website || Wikipedia || Default HTTPS-only || Wikimedia Foundation turns on HTTPS for all logged-in users (announcement August 1).<ref>{{cite web|url = https://blog.wikimedia.org/2013/08/01/future-https-wikimedia-projects/|title = The future of HTTPS on Wikimedia projects|date = August 1, 2013|accessdate = September 25, 2016|publisher = Wikimedia Foundation|last = Lane|first = Ryan}}</ref><ref>{{cite web|url = https://www.fastcompany.com/3015199/the-code-war/after-nsas-xkeyscore-wikipedia-switches-to-secure-https|title = After NSA's XKeyscore, Wikipedia Switches To Secure HTTPS. The Wikimedia Foundation has announced it's pushing ahead with plans to secure its online systems due to NSA targeting.|last = Eaton|first = Kit|publisher = ''Fast Company''|date = August 2, 2013|accessdate = September 25, 2016}}</ref>
 +
|-
 +
| 2013 || {{dts|September}} || Search engine || Google Search || Default HTTPS-only || Google Search moves all searches, even those by users who are not logged in, to HTTPS. The only exception is ad clicks. The change is believed to be a response to concerns about privacy triggered by relevations about [[w:PRISM (surveillance program)|PRISM]], a United States federal government surveillance program.<ref>{{cite web|url = https://searchengineland.com/post-prism-google-secure-searches-172487|title = Post-PRISM, Google Confirms Quietly Moving To Make All Searches Secure, Except For Ad Clicks|last = Sullivan|first = Danny|date = September 23, 2013|accessdate = November 20, 2017}}</ref>
 +
|-
 +
| 2013 || {{dts|September 26}} || Website || Imgur || HTTPS available || Image-hosting service {{w|Imgur}} makes HTTPS available sitewide.<ref>{{cite web|url = https://blog.imgur.com//2013/09/26/100-million-uniques-higher-upload-limits-and-https-support/|title = 100 MILLION UNIQUES, HIGHER UPLOAD LIMITS, AND HTTPS SUPPORT|date = September 26, 2013|accessdate = November 20, 2017}}</ref>
 +
|-
 +
| 2013 || {{dts|October 14}} || Webmail || Yahoo! || Default HTTPS-only || Yahoo! Mail moves to a default of HTTPS-only.<ref name=wapo-yahoo-ssl/>
 
|-
 
|-
 
| 2013 || {{dts|October 24}}, 25 || Website || Internet Archive || Default HTTPS-only || The {{w|Internet Archive}} announces that its websites archive.org (which includes the {{w|Wayback Machine}} at web.archive.org) and openlibrary.org are defaulted to HTTPS-only, though they will still be available over HTTP.<ref>{{cite web|url = http://blog.archive.org/2013/10/25/reader-privacy-at-the-internet-archive/|title = Reader Privacy at the Internet Archive|last = Kahle|first = Brewster|date = October 25, 2013|accessdate = November 19, 2017}}</ref><ref>{{cite web|url = https://bits.blogs.nytimes.com/2013/10/24/internet-archive-will-shield-visitors/|title = Internet Archive Will Shield Visitors|last = Streitfeld|first = David|date = October 24, 2013|accessdate = November 19, 2017|publisher = ''New York Times'' Bits Blog}}</ref><ref>{{cite web|url = https://thenextweb.com/insider/2013/10/25/3-million-users-per-day-internet-archive-switches-https-connections-default/|title = With over 3 million users per day, the Internet Archive switches to HTTPS connections by default|last = Protalinski|first = Emil|date = October 25, 2013|accessdate = November 19, 2017|publisher = ''The Next Web''}}</ref>
 
| 2013 || {{dts|October 24}}, 25 || Website || Internet Archive || Default HTTPS-only || The {{w|Internet Archive}} announces that its websites archive.org (which includes the {{w|Wayback Machine}} at web.archive.org) and openlibrary.org are defaulted to HTTPS-only, though they will still be available over HTTP.<ref>{{cite web|url = http://blog.archive.org/2013/10/25/reader-privacy-at-the-internet-archive/|title = Reader Privacy at the Internet Archive|last = Kahle|first = Brewster|date = October 25, 2013|accessdate = November 19, 2017}}</ref><ref>{{cite web|url = https://bits.blogs.nytimes.com/2013/10/24/internet-archive-will-shield-visitors/|title = Internet Archive Will Shield Visitors|last = Streitfeld|first = David|date = October 24, 2013|accessdate = November 19, 2017|publisher = ''New York Times'' Bits Blog}}</ref><ref>{{cite web|url = https://thenextweb.com/insider/2013/10/25/3-million-users-per-day-internet-archive-switches-https-connections-default/|title = With over 3 million users per day, the Internet Archive switches to HTTPS connections by default|last = Protalinski|first = Emil|date = October 25, 2013|accessdate = November 19, 2017|publisher = ''The Next Web''}}</ref>
 +
|-
 +
| 2014 || {{dts|January 22}} || Search engine || Yahoo! || Default HTTPS-only || Yahoo! Search makes HTTPS-only the default. The change is initially rolled out on yahoo.com, but is expected to be rolled out to other regions as well.<ref>{{cite web|url = https://marketingland.com/yahoo-makes-secure-search-default-71308|title = Yahoo Makes Secure Search The Default|last = Sullivan|first = Danny|date = January 22, 2014|accessdate = November 20, 2017|publisher = MarketingLand}}</ref>
 +
|-
 +
| 2014 || {{dts|January}} || Website || YouTube || Some move to HTTPS || YouTube begins sending traffic over HTTPS, significantly increasing the volume of traffic sent on the web via HTTPS. By September 2014, 50% of YouTube traffic would be sent via HTTPS.<ref name=naylor>{{cite web|url = https://davidtnaylor.com/CostOfTheS.pdf|title = The Cost of the “S” in HTTPS|last = Naylor|first = David|last2 = Finamore|first2 = Alessandro|last3 = Leontiadis|first3 = Ilias|last4 = Grunenberger|first4 = Yan|last5 = Mellia|first5 = Marco|last6 = Munafo|first6 = Maurizio|last7 = Papagiannaki|first7 = Konstantina|last8 = Steenkiste|first8 = Peter}}</ref>
 +
|-
 +
| 2014 || {{dts|February 3}} || Website || Tumblr || Opt-in HTTPS-only || Tumblr gives blog owners the option of switching their blogs to HTTPS-only. NOTE: Unlike some other opt-in HTTPS-only implementations, the option is controlled by website owners rather than website visitors.<ref>{{cite web|url = https://staff.tumblr.com/post/75482980993/you-can-now-take-extra-precaution-against-hackers|title = You can now take extra precaution against hackers and snoops by enabling SSL security on your Tumblr Dashboard.|publisher = Tumblr|date = February 3, 2014|accessdate = April 13, 2019}}</ref> Internet security commentators feel that Tumblr didn't go far enough, and should have switched to default HTTPS-only.<ref>{{cite web|url = https://www.cnet.com/news/tumblr-activates-ssl-but-with-a-catch/|title = Tumblr activates SSL, but with a catch. Tumblr blog owners can encrypt all visits to their sites, as long as they opt in. Why didn't Yahoo just make SSL the default setting?|date = February 3, 2014|accessdate = April 13, 2019}}</ref>
 +
|-
 +
| 2014 || {{dts|March 5}} || CDN || Amazon CloudFront || SNI custom SSL, HTTPS redirection || Amazon CloudFront announces support for customers to use their own SSL certificates through the implementation of {{w|Server Name Indication}}, as well as HTTP to HTTPS redirection (via 301 redirect).
 +
|-
 +
| 2014 || c.{{dts|March 22}} || {{w|Email}} service || Gmail || HTTPS adoption || {{w|Gmail}} goes 100% HTTPS.<ref name="ss"/>
 +
|-
 +
| 2014 || {{dts|June 5}} || Website || WordPress || Default HTTPS-only || {{w|Automattic}}, the parent company of wordpress.com, announces that all wordpress.com subdomains will be moved to default HTTPS-only by the end of 2014.<ref>{{cite web|url = https://en.blog.wordpress.com/2014/06/05/reset-the-net/|title = Reset the Net. If we properly encrypt our sites and devices, we can make mass surveillance much more difficult. We’ll be serving pages only over SSL for all *.wordpress.com subdomains by the end of the year.|last = Siemenski|first = Paul|date = June 5, 2014|accessdate = December 1, 2019|publisher = The WordPress.com Blog}}</ref>
 
|-
 
|-
 
| 2014 || {{dts|July 29}} || App || Instagram || Default HTTPS-only || In response to reports about a zero-day security vulnerability, Instagram co-founder {{w|Mike Krieger}} reveals that the app is being moved over to HTTPS, with some parts of the app already 100% HTTPS.<ref>{{cite web|url = https://www.theinquirer.net/inquirer/news/2357779/instagram-to-use-https-following-discovery-of-gaping-security-hole-in-ios-app|title = Instagram to use HTTPS following discovery of gaping security hole in iOS app. Security expert warns users should not use the app until a patch is released|date = July 29, 2014|accessdate = November 19, 2017|publisher = The Inquirer}}</ref>
 
| 2014 || {{dts|July 29}} || App || Instagram || Default HTTPS-only || In response to reports about a zero-day security vulnerability, Instagram co-founder {{w|Mike Krieger}} reveals that the app is being moved over to HTTPS, with some parts of the app already 100% HTTPS.<ref>{{cite web|url = https://www.theinquirer.net/inquirer/news/2357779/instagram-to-use-https-following-discovery-of-gaping-security-hole-in-ios-app|title = Instagram to use HTTPS following discovery of gaping security hole in iOS app. Security expert warns users should not use the app until a patch is released|date = July 29, 2014|accessdate = November 19, 2017|publisher = The Inquirer}}</ref>
Line 47: Line 158:
 
|-
 
|-
 
| 2014 || {{dts|September 8}} || Website || Reddit || Opt-in HTTPS-only || Reddit gives logged-in users the option of using the site purely on HTTPS.<ref>{{cite web|url = https://redditblog.com/2014/09/08/hell-its-about-time-reddit-now-supports-full-site-https/|title = Hell, It’s About Time – reddit now supports full-site HTTPS|date = September 8, 2014|accessdate = November 19, 2017|publisher = Reddit}}</ref>
 
| 2014 || {{dts|September 8}} || Website || Reddit || Opt-in HTTPS-only || Reddit gives logged-in users the option of using the site purely on HTTPS.<ref>{{cite web|url = https://redditblog.com/2014/09/08/hell-its-about-time-reddit-now-supports-full-site-https/|title = Hell, It’s About Time – reddit now supports full-site HTTPS|date = September 8, 2014|accessdate = November 19, 2017|publisher = Reddit}}</ref>
 +
|-
 +
| 2014 || {{dts|September 29}} || CDN || Cloudflare || Default HTTPS-only || Cloudflare announces that it is rolling out universal SSL for all its users. This only affects connections to Cloudflare, and does not focre websites to upgrade their main site to HTTPS; however, all website owners are encouraged to upgrade their sites as well. In a blog post, Cloudflare CEO Matthew Prince explains the transition and the motivation behind it.<ref>{{cite web|url = https://blog.cloudflare.com/introducing-universal-ssl/|title = Introducing Universal SSL|date = September 29, 2014|accessdate = December 1, 2019|publisher = Cloudflare|last = Prince|first = Matthew}}</ref>
 
|-
 
|-
 
| 2014 || {{dts|November 18}} || Certificate authority || Let's Encrypt || Free HTTPS certificates || {{w|Let's Encrypt}}, a certificate authority service that can issue HTTPS certificates for three months for free (with some limitations on the types of certificate and the conditions under which certificates can be issued), is publicly announced. The service would issue its first certificate on September 14, 2015, and leave beta on April 12, 2016.
 
| 2014 || {{dts|November 18}} || Certificate authority || Let's Encrypt || Free HTTPS certificates || {{w|Let's Encrypt}}, a certificate authority service that can issue HTTPS certificates for three months for free (with some limitations on the types of certificate and the conditions under which certificates can be issued), is publicly announced. The service would issue its first certificate on September 14, 2015, and leave beta on April 12, 2016.
 
|-
 
|-
| 2015 || {{dts|January 18}} || Report/Observatory || HTTPSWatch || State of HTTPS adoption || The oldest Internet Archive snapshot of HTTPSWatch appears to be on this date. The snapshot says that it is inspired by Alex Gaynor's blog posts that were published in November and December 2014, so it is likely to be pretty close to the actual start date.<ref>{{cite web|url = https://web.archive.org/web/20150118231201/https://httpswatch.com/#about|title = HTTPSWatch (About section)|accessdate = January 18, 2015}}</ref><ref>{{cite web|url = https://alexgaynor.net/2014/nov/12/state-of-news-tls/|title = The State of the News and TLS|last = Gaynor|first = Alex|date = November 12, 2015|accessdate = November 20, 2015}}<ref>{{cite web|url = https://alexgaynor.net/2014/dec/30/state-of-news-tls-part-ii/|title = The State of the News and TLS: Part II|last = Gaynor|first = Alex|date = December 30, 2014|accessdate = November 20, 2017}}</ref>
+
| 2014 || {{dts|December 18}} || Browser || Chrome || Security warning || Google Chrome announces its intention of adding warnings for users visiting non-HTTPS websites.<ref>{{cite web|url = http://www.thesempost.com/google-chrome-wants-warn-users-visiting-non-https-sites/|title = Google Chrome Wants to Warn Users Before Visiting All Non-HTTPS Sites|last = Slegg|first = Jennifer|date = December 18, 2014|accessdate = November 20, 2017|publisher = The SEM Post}}</ref> More details are announced in late January 2015.<ref>{{cite web|url = http://www.thesempost.com/first-look-google-chrome-plans-alert-users-non-https-websites/|title = First Look at How Google Chrome Plans to Alert Users to Non-HTTPS Websites|last = Slegg|first = Jennifer|date = January 28, 2015|accessdate = November 20, 2017}}</ref>
 +
|-
 +
| 2015 || {{dts|January 18}} || Report/Observatory || HTTPSWatch || State of HTTPS adoption || The oldest Internet Archive snapshot of HTTPSWatch appears to be on this date. The snapshot says that it is inspired by Alex Gaynor's blog posts that were published in November and December 2014, so it is likely to be pretty close to the actual start date.<ref>{{cite web|url = https://web.archive.org/web/20150118231201/https://httpswatch.com/#about|title = HTTPSWatch (About section)|accessdate = January 18, 2015}}</ref><ref>{{cite web|url = https://alexgaynor.net/2014/nov/12/state-of-news-tls/|title = The State of the News and TLS|last = Gaynor|first = Alex|date = November 12, 2015|accessdate = November 20, 2015}}</ref><ref>{{cite web|url = https://alexgaynor.net/2014/dec/30/state-of-news-tls-part-ii/|title = The State of the News and TLS: Part II|last = Gaynor|first = Alex|date = December 30, 2014|accessdate = November 20, 2017}}</ref>
 
|-
 
|-
 
| 2015 || {{dts|February}} || Browser || Chrome || HTTP/2 || Chrome begins rolling out support for {{w|HTTP/2}}. Chrome supports HTTP/2 only over HTTPS, even though the standard allows for HTTP/2 outside of HTTPS (through the selective use of encryption).<ref>{{cite web|url = https://blog.chromium.org/2015/02/hello-http2-goodbye-spdy.html|title = Hello HTTP/2, Goodbye SPDY|date = February 9, 2015|accessdate = November 19, 2017|publisher = Chromium}}</ref>
 
| 2015 || {{dts|February}} || Browser || Chrome || HTTP/2 || Chrome begins rolling out support for {{w|HTTP/2}}. Chrome supports HTTP/2 only over HTTPS, even though the standard allows for HTTP/2 outside of HTTPS (through the selective use of encryption).<ref>{{cite web|url = https://blog.chromium.org/2015/02/hello-http2-goodbye-spdy.html|title = Hello HTTP/2, Goodbye SPDY|date = February 9, 2015|accessdate = November 19, 2017|publisher = Chromium}}</ref>
 
|-
 
|-
 
| 2015 || {{dts|March 12}} || Website/App || Pinterest || Default HTTPS-only || {{w|Pinterest}} announces that it has moved over to HTTPS, describing the challenges it faced along the way. With the increased security in place due to HTTPS, Pinterest also introduces a paid bug bounty program for the white hat hacker community to find security flaws.<ref>{{cite web|url = https://medium.com/@Pinterest_Engineering/making-pinterest-https-637ec925a8ad|title = Making Pinterest HTTPS|last = Moreno|first = Paul|date = March 12, 2015|accessdate = November 20, 2017|publisher = Pinterest Engineering via Medium}}</ref>
 
| 2015 || {{dts|March 12}} || Website/App || Pinterest || Default HTTPS-only || {{w|Pinterest}} announces that it has moved over to HTTPS, describing the challenges it faced along the way. With the increased security in place due to HTTPS, Pinterest also introduces a paid bug bounty program for the white hat hacker community to find security flaws.<ref>{{cite web|url = https://medium.com/@Pinterest_Engineering/making-pinterest-https-637ec925a8ad|title = Making Pinterest HTTPS|last = Moreno|first = Paul|date = March 12, 2015|accessdate = November 20, 2017|publisher = Pinterest Engineering via Medium}}</ref>
 +
|-
 +
| 2015 || {{dts|March 25}} || Ecosystem || Advertising || Exhortation || Writing for the {{w|Interactive Advertising Bureau}} (IAB), Brendan Riordan-Butterworth calls for the advertising ecosystem to move to HTTPS.<ref>{{cite web|url = https://www.iab.com/adopting-encryption-the-need-for-https/|title = Adopting Encryption: The Need for HTTPS|last = Riordan-Butterworth|first = Brendan|date = March 25, 2015|accessdate = November 20, 2017|publisher = Interactive Advertising Bureau}}</ref>
 +
|-
 +
| 2015 || {{dts|April 13}} || Browser || Firefox || Security warning || Mozilla announces plans to deprecate plain HTTP in their browser, Firefox.<ref>{{cite web|url = https://groups.google.com/forum/#!topic/mozilla.dev.platform/xaGffxAM-hs%5B1-25%5D|title = Intent to deprecate: Insecure HTTP|last = Barnes|first = Richard|date = April 13, 2015|accessdate = November 20, 2017}}</ref><ref>{{cite web|url = http://www.thesempost.com/mozilla-deprecate-http-firefox/|title = Mozilla Announces Plans to Deprecate HTTP in Firefox|date = April 16, 2015|accessdate = November 20, 2017|publisher = The SEM Post}}</ref>
 +
|-
 +
| 2015 || {{dts|May 19}} || Website || Wikipedia || Site-wide censorship due to HTTPS transition || Likely starting around this day (judging from traffic volume), the Chinese government blocks Chinese Wikipedia.<ref>{{cite web|url = https://wikimedia.org/api/rest_v1/metrics/legacy/pagecounts/aggregate/zh.wikipedia/desktop-site/daily/2015050100/2015053123|title = Aggregate page counts for traffic to Chinese Wikipedia for May 2015|accessdate = April 13, 2019}}</ref> The rationale is that, with Wikipedia's coming transition to HTTPS-only, the Chinese government will not be able to identify what page on the site a user is visiting, so blocking the whole site is the only way to implement the goal of blocking specific pages with politically sensitive content. See [[w:Censorship of Wikipedia#China]] for more details.
 +
|-
 +
| 2015 || {{dts|June 8}} || Website || United States government || Default HTTPS-only || The White House {{w|Office of Management and Budget}} issues the HTTPS-Only Standard directive requiring that all United States federal government websites provide service only via HTTPS, with a deadline of end of 2016.<ref>{{Cite web|url = https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2015/m-15-13.pdf|title = Policy to Require Secure Connections across Federal Websites and Web Services|date = June 8, 2015|last = Scott|first = Tony|accessdate = November 20, 2017}}</ref><ref>{{cite web|url = https://obamawhitehouse.archives.gov/blog/2015/06/08/https-everywhere-government|title = HTTPS-Everywhere for Government|last = Scott|first = Tony|date = June 8, 2015|accessdate = November 20, 2017|publisher = Obama White House Archives}}</ref><ref>{{cite web|url = https://www.computerworld.com/article/2933172/government-it/us-to-require-https-for-all-government-websites.html|title = US to require HTTPS for all government websites. All public sites will be required to use the protocol by the end of 2016|last = Williams|first = Martyn|date = June 8, 2015|accessdate = November 20, 2017}}</ref>
 
|-
 
|-
 
| 2015 || {{dts|June 12}} || Website || Wikipedia || Default HTTPS-only || The Wikimedia Foundation publishes a blog post stating that all properties (including Wikipedia) are being switched over to HTTPS; previously, HTTPS was used only for logged-in users. It seems the switch is being made immediately.<ref>{{cite web|url = https://blog.wikimedia.org/2015/06/12/securing-wikimedia-sites-with-https/|title = Securing access to Wikimedia sites with HTTPS|last = Welinder|first = Yana|last2 = Baranetsky|first2 = Victoria|last3 = Black|first3 = Brandon|date = June 12, 2015|accessdate = September 25, 2016|publisher = Wikimedia Foundation}}</ref><ref>{{cite web|url = http://www.welivesecurity.com/2015/06/15/wikipedia-switches-https-default/|title = Wikipedia switches to HTTPS by default|last = Thomas|first = Karl|date = June 15, 2015|accessdate = September 25, 2016|publisher = WeLiveSecurity}}</ref><ref>{{cite web|url = http://arstechnica.com/security/2015/06/wikipedia-goes-all-https-starting-immediately/|title = Wikipedia goes all-HTTPS, starting immediately. "We believe that the time for HTTPS by default is now."|last = Farivar|first = Cyrus|date = June 15, 2015|accessdate = September 25, 2016|publisher = ''ArsTechnica''}}</ref>
 
| 2015 || {{dts|June 12}} || Website || Wikipedia || Default HTTPS-only || The Wikimedia Foundation publishes a blog post stating that all properties (including Wikipedia) are being switched over to HTTPS; previously, HTTPS was used only for logged-in users. It seems the switch is being made immediately.<ref>{{cite web|url = https://blog.wikimedia.org/2015/06/12/securing-wikimedia-sites-with-https/|title = Securing access to Wikimedia sites with HTTPS|last = Welinder|first = Yana|last2 = Baranetsky|first2 = Victoria|last3 = Black|first3 = Brandon|date = June 12, 2015|accessdate = September 25, 2016|publisher = Wikimedia Foundation}}</ref><ref>{{cite web|url = http://www.welivesecurity.com/2015/06/15/wikipedia-switches-https-default/|title = Wikipedia switches to HTTPS by default|last = Thomas|first = Karl|date = June 15, 2015|accessdate = September 25, 2016|publisher = WeLiveSecurity}}</ref><ref>{{cite web|url = http://arstechnica.com/security/2015/06/wikipedia-goes-all-https-starting-immediately/|title = Wikipedia goes all-HTTPS, starting immediately. "We believe that the time for HTTPS by default is now."|last = Farivar|first = Cyrus|date = June 15, 2015|accessdate = September 25, 2016|publisher = ''ArsTechnica''}}</ref>
 +
|-
 +
| 2015 || {{dts|June}} || Search engine || Bing || Default HTTPS-only || {{w|Microsoft}} announces that it will make HTTPS-only the default on {{w|Bing}}, its search engine.<ref>{{cite web|url = https://blogs.bing.com/webmaster/2015/06/15/bing-moving-to-encrypt-search-traffic-by-default/|title = Bing Moving to Encrypt Search Traffic by Default|date = June 15, 2015|accessdate = November 20, 2017|publisher = Bing}}</ref><ref>{{cite web|url = https://securityintelligence.com/news/microsoft-to-make-https-a-default-setting-for-bing/|title = Microsoft to Make HTTPS a Default Setting for Bing|last = Schick|first = Shane|date = June 22, 2015|accessdate = November 20, 2017}}</ref>
 
|-
 
|-
 
| 2015 || {{dts|June}} || Website || Reddit || Default HTTPS-only || {{w|Reddit}} switches to HTTPS-only, with users being automatically redirected from HTTP to HTTPS.<ref>{{cite web|url = https://motherboard.vice.com/en_us/article/kbzj7y/reddit-switches-to-https-encryption-by-default|title = Reddit Switches to Encryption By Default. The internet giant will switch to HTTPS by default by the end of the month.|author = Lorenzo Franceschi-Bicchierai|date = June 17, 2015|accessdate = November 19, 2017|publisher = ''Vice''}}</ref><ref>{{cite web|url = https://www.reddit.com/r/redditdev/comments/39zje0/reddit_will_soon_only_be_available_over_https/|title = reddit will soon only be available over HTTPS (self.redditdev)|date = June 16, 2015|accessdate = November 19, 2017|publisher = Reddit}}</ref>
 
| 2015 || {{dts|June}} || Website || Reddit || Default HTTPS-only || {{w|Reddit}} switches to HTTPS-only, with users being automatically redirected from HTTP to HTTPS.<ref>{{cite web|url = https://motherboard.vice.com/en_us/article/kbzj7y/reddit-switches-to-https-encryption-by-default|title = Reddit Switches to Encryption By Default. The internet giant will switch to HTTPS by default by the end of the month.|author = Lorenzo Franceschi-Bicchierai|date = June 17, 2015|accessdate = November 19, 2017|publisher = ''Vice''}}</ref><ref>{{cite web|url = https://www.reddit.com/r/redditdev/comments/39zje0/reddit_will_soon_only_be_available_over_https/|title = reddit will soon only be available over HTTPS (self.redditdev)|date = June 16, 2015|accessdate = November 19, 2017|publisher = Reddit}}</ref>
 +
|-
 +
| 2015 || {{dts|June 30}} (deadline), April 17 (announcement) || Ad network || Google AdWords || HTTPS availability || As part of Google's HTTPS Everywhere initiative, {{w|Google AdWords}} announces, on April 17, some of it progress already made on moving ads to HTTPS (specifically, moving YouTube ads to HTTPS). Also, it is stated that the vast majority of mobile, video, and desktop display ads served to the Google Display Network, AdMob and DoubleClick publishers will be encrypted by June 30, and advertisers using any of the buying platforms, including AdWords and DoubleClick, will be able to serve HTTPS-encrypted display ads to all HTTPS-enabled inventory.<ref>{{cite web|url = https://adwords.googleblog.com/2015/04/ads-take-step-towards-https-everywhere.html|title = Ads Take a Step Towards “HTTPS Everywhere”|date = April 17, 2015|accessdate = November 20, 2017|publisher = Google AdWords}}</ref>
 
|-
 
|-
 
| 2015 || {{dts|October 14}} || Browser || Chrome || Mixed-content || With version 46, Chrome kills off its HTTP-HTTPS "mixed-content" address bar warning. Now, HTTPS pages that load some auxiliary resources (such as images, calls to ad networks, etc.) over HTTP will say https in the address bar without the secure lock or green coloring. The change is based on the idea that mixed HTTP-HTTPS is in fact more secure than pure HTTP, and therefore should not appear scarier, and is intended to "encourage site operators to switch to HTTPS sooner rather than later."<ref>{{cite web|url = https://arstechnica.com/information-technology/2015/10/chrome-finally-kills-off-the-http-https-mixed-content-warning/|title = Chrome finally kills off the HTTP-HTTPS “mixed content” warning. Slightly alarming and not wholly useful yellow triangle is being retired.|last = Anthony|first = Sebastian|date = October 14, 2015|accessdate = November 20, 2017}}</ref><ref>{{cite web|url = http://www.zdnet.com/article/chrome-loosens-up-on-https-mixed-content-warning/|title = Chrome 46 loosens up on HTTPS 'mixed content' warnings. The browser -- known for being a bit overkill -- finally drops its yellow-warning attached to pages with both secure and non-secure content.|last = Whittaker|first = Zack|date = October 14, 2015|accessdate = November 19, 2017}}</ref>
 
| 2015 || {{dts|October 14}} || Browser || Chrome || Mixed-content || With version 46, Chrome kills off its HTTP-HTTPS "mixed-content" address bar warning. Now, HTTPS pages that load some auxiliary resources (such as images, calls to ad networks, etc.) over HTTP will say https in the address bar without the secure lock or green coloring. The change is based on the idea that mixed HTTP-HTTPS is in fact more secure than pure HTTP, and therefore should not appear scarier, and is intended to "encourage site operators to switch to HTTPS sooner rather than later."<ref>{{cite web|url = https://arstechnica.com/information-technology/2015/10/chrome-finally-kills-off-the-http-https-mixed-content-warning/|title = Chrome finally kills off the HTTP-HTTPS “mixed content” warning. Slightly alarming and not wholly useful yellow triangle is being retired.|last = Anthony|first = Sebastian|date = October 14, 2015|accessdate = November 20, 2017}}</ref><ref>{{cite web|url = http://www.zdnet.com/article/chrome-loosens-up-on-https-mixed-content-warning/|title = Chrome 46 loosens up on HTTPS 'mixed content' warnings. The browser -- known for being a bit overkill -- finally drops its yellow-warning attached to pages with both secure and non-secure content.|last = Whittaker|first = Zack|date = October 14, 2015|accessdate = November 19, 2017}}</ref>
 +
|-
 +
| 2016 || {{dts|February}} || Website || Wikipedia || Referrer policy || The Wikimedia Foundation rolls out an update to the HTTPS meta referrer policy, that reveals the Origin rather than the full path of the referring domain. This means that websites that receive traffic from Wikipedia can once again calculate how much traffic they are receiving from Wikipedia, an ability that was lost in the switch to HTTPS. However, unlike the pre-HTTPS situation, full referral paths are not accessible, so websites cannot know what Wikipedia pages are sending traffic to them. For more, see [https://meta.wikimedia.org/wiki/Research:Wikimedia_referrer_policy Research:Wikimedia referrer policy].<ref>{{cite web|url = https://phabricator.wikimedia.org/T87276|title = Set an explicit "Origin When Cross-Origin" referer policy via the meta referrer tag|date = August 18, 2015|accessdate = March 10, 2017}}</ref>
 
|-
 
|-
 
| 2016 || {{dts|March 15}} || Report/Observatory || Google Transparency Report || State of HTTPS adoption || Google announces that it is adding a new section to its Transparency Report to track the progress of HTTPS adoption.<ref>{{cite web|url = https://security.googleblog.com/2016/03/securing-web-together_15.html|title = Securing the web, together|date = March 15, 2016|accessdate = November 19, 2017|publisher = Google Security Blog}}</ref><ref>{{cite web|url = https://www.seroundtable.com/google-https-adoption-rates-21785.html|title = Google Report On HTTPS Adoption Within Google & The Top Web Sites|last = Schwartz|first = Barry|date = March 16, 2016|accessdate = November 19, 2017|publisher = Search Engine Roundtable}}</ref><ref>{{cite web|url = https://www.searchenginejournal.com/googles-transparency-report-to-include-https-adoption-rates/159732/|title = Google’s Transparency Report to Include HTTPS Adoption Rates|date = March 25, 2016|accessdate = November 19, 2017|publisher = Search Engine Journal}}</ref>
 
| 2016 || {{dts|March 15}} || Report/Observatory || Google Transparency Report || State of HTTPS adoption || Google announces that it is adding a new section to its Transparency Report to track the progress of HTTPS adoption.<ref>{{cite web|url = https://security.googleblog.com/2016/03/securing-web-together_15.html|title = Securing the web, together|date = March 15, 2016|accessdate = November 19, 2017|publisher = Google Security Blog}}</ref><ref>{{cite web|url = https://www.seroundtable.com/google-https-adoption-rates-21785.html|title = Google Report On HTTPS Adoption Within Google & The Top Web Sites|last = Schwartz|first = Barry|date = March 16, 2016|accessdate = November 19, 2017|publisher = Search Engine Roundtable}}</ref><ref>{{cite web|url = https://www.searchenginejournal.com/googles-transparency-report-to-include-https-adoption-rates/159732/|title = Google’s Transparency Report to Include HTTPS Adoption Rates|date = March 25, 2016|accessdate = November 19, 2017|publisher = Search Engine Journal}}</ref>
 +
|-
 +
| 2016 || {{dts|March 23}} || || || || Google provides a list of certificate authorities it does not trust.<ref>{{cite web|url = https://www.theregister.co.uk/2016/03/23/google_now_publishing_a_list_of_cas_it_doesnt_trust/|title = Google publishes list of Certificate Authorities it doesn't trust. Thawte experiment aims to expose issuers of dodgy creds|last = Chirgwin|first = Richard|date = March 23, 2016|accessdate = November 20, 2017|publisher = ''The Register''}}</ref>
 +
|-
 +
| 2016 || {{dts|February}} || Browser || Baidu Browser || Vulnerability exploit || The Citizen Lab publishes a report noting vulnerabilities in the Baidu Browser, a popular browser in China, some of which are related to the browser not using HTTPS fully.<ref>{{cite web|url = https://phys.org/news/2016-02-privacy-problems-popular-baidu-browser.html|title = Researchers find privacy problems in popular Baidu browser|last = Gillis|first = Alex|date = February 26, 2016|accessdate = April 13, 2019}}</ref>
 +
|-
 +
| 2016 || {{dts|March 28}} || Browser || QQ Browser || Vulnerability exploit || The Citizen Lab publishes a report noting vulnerabilities in the QQ Browser, a popular browser in China, some of which are related to the browser not using HTTPS fully.<ref>{{cite web|url = https://citizenlab.ca/2016/03/privacy-security-issues-qq-browser/|title = Privacy and Security Issues in QQ Browser|last = Knockel|first = Jeffrey|last2 = Senft|first2 = Adam|last3 = Deibert|first3 = Ron|date = March 28, 2016|accessdate = April 13, 2019|publisher = The Citizen Lab}}</ref>
 +
|-
 +
| 2016 || {{dts|April 8}} || Website || WordPress || Default HTTPS-only || Automattic, the owner of WordPress.com, announces that WordPress custom domains will be switched to default HTTPS-only. Previously, HTTPS-only was enabled only on subdomains of wordpress.com.<ref>{{cite web|url = https://en.blog.wordpress.com/2016/04/08/https-everywhere-encryption-for-all-wordpress-com-sites/|title = HTTPS Everywhere: Encryption for All WordPress.com Sites. We’re proud to support a more secure web — now for all custom domains on WordPress.com.|author = Barry|date = April 8, 2016|accessdate = December 1, 2019|publisher = The WordPress.com Blog}}</ref>
 +
|-
 +
| 2016 || {{dts|April 28}} (first announcement), {{dts|August 15}} (completion) || Website || WIRED || Default HTTPS-only || On April 28, ''WIRED'' announces that its website is going HTTPS-only. The article announcing the transition explains the challenges involved in making sure every digital asset loaded on every page is HTTPS.<ref>{{cite web|url = https://www.wired.com/2016/04/wired-launching-https-security-upgrade/|title = WE'RE GOING HTTPS: HERE'S HOW WIRED IS TACKLING A HUGE SECURITY UPGRADE|last = Tollman|first = Zack|date = April 28, 2016|accessdate = February 11, 2018|publisher = ''WIRED''}}</ref> The transition is announced to be complete on August 15.<ref>{{cite web|url = https://www.wired.com/2016/09/wired-completely-encrypted/|title = How WIRED Completely Encrypted Itself|last = Tollman|first = Zack|date = August 15, 2016|accessdate = December 1, 2019}}</ref>
 +
|-
 +
| 2016 || {{dts|June 14}} || App store service || Apple || Default HTTPS-only || At the {{w|Apple Worldwide Developers Conference}}, Apple announces that it will require all iOS apps to use HTTPS connections by the end of 2016.<ref>{{cite web|url = https://techcrunch.com/2016/06/14/apple-will-require-https-connections-for-ios-apps-by-the-end-of-2016/|title = Apple will require HTTPS connections for iOS apps by the end of 2016|last = Conger|first = Kate|date = June 14, 2016|accessdate = February 11, 2018|publisher = ''TechCrunch''}}</ref>
 
|-
 
|-
 
| 2016 || {{dts|June 15}} || Website || TechCrunch || Default HTTPS-only || Technology new website ''{{w|TechCrunch}}'' announces that it has gone HTTPS-only.<ref>{{Cite web|url = https://techcrunch.com/2016/06/15/techcrunch-has-gone-https/|title = TechCrunch has gone HTTPS|last = Wilke|first = Nicole|date = June 15, 2016|accessdate = November 19, 2017}}</ref>
 
| 2016 || {{dts|June 15}} || Website || TechCrunch || Default HTTPS-only || Technology new website ''{{w|TechCrunch}}'' announces that it has gone HTTPS-only.<ref>{{Cite web|url = https://techcrunch.com/2016/06/15/techcrunch-has-gone-https/|title = TechCrunch has gone HTTPS|last = Wilke|first = Nicole|date = June 15, 2016|accessdate = November 19, 2017}}</ref>
Line 69: Line 210:
 
|-
 
|-
 
| 2016 || {{dts|August}} || Website || Netflix || Default HTTPS-only || {{w|Netflix}} announces that it is adding TLS encryption to all its video streams, and expects to finish the process by year-end.<ref>{{cite web|url = https://medium.com/netflix-techblog/protecting-netflix-viewing-privacy-at-scale-39c675d88f45|title = Protecting Netflix Viewing Privacy at Scale|date = August 8, 2016|accessdate = November 19, 2017|publisher = Netflix on ''Medium''}}</ref><ref>{{cite web|url = https://www.engadget.com/2016/08/09/netflix-https/|title = Netflix explains how and why it's switching to HTTPS streaming. Adding encryption increases privacy for viewers -- and for Netflix.|date = August 9, 2016|accessdate = November 19, 2017}}</ref>
 
| 2016 || {{dts|August}} || Website || Netflix || Default HTTPS-only || {{w|Netflix}} announces that it is adding TLS encryption to all its video streams, and expects to finish the process by year-end.<ref>{{cite web|url = https://medium.com/netflix-techblog/protecting-netflix-viewing-privacy-at-scale-39c675d88f45|title = Protecting Netflix Viewing Privacy at Scale|date = August 8, 2016|accessdate = November 19, 2017|publisher = Netflix on ''Medium''}}</ref><ref>{{cite web|url = https://www.engadget.com/2016/08/09/netflix-https/|title = Netflix explains how and why it's switching to HTTPS streaming. Adding encryption increases privacy for viewers -- and for Netflix.|date = August 9, 2016|accessdate = November 19, 2017}}</ref>
 +
|-
 +
| 2016 || {{dts|August 25}} || Report/Observatory || Mozilla || State of HTTPS adoption || Mozilla, the organization that manages the {{w|Firefox}} browser, creates the Mozilla Observatory to track the web and its security. Among other things, this tracks the state of HTTPS adoption.<ref>{{cite web|url = https://pokeinthe.io/2016/08/25/observatory-by-mozilla-a-new-tool/|title = Observatory by Mozilla: Making the Web Safer|last = King|first = April|date = April 25, 2016|accessdate = November 20, 2017}}</ref><ref>{{cite web|url = http://securityaffairs.co/wordpress/50656/security/mozilla-observatory-tool.html|title = Mozilla launched the Observatory tool to test the security of websites|last = Paganini|first = Pierluigi|date = August 27, 2016|accessdate = November 20, 2017}}</ref>
 +
|-
 +
| 2016 || {{dts|September}} (completion), November 29 (announcement) || Website ||  The Guardian || Default HTTPS-only || ''The Guardian'' announces that it completed its migration to HTTPS-only about two months ago. The announcement post describes the challenges of the migration, including avoiding negative audience and revenue impacts, and keeping older interactive content working. The migration approach is summarized as: migrate one small audience section to HTTPS, identify the problems and track them, and fix the problems that need to be fixed before the next section migration. Three complementary techniques used: monitoring, decoupling backend and frontend migrations (with backend migrations done first), and usage of early adopters (users could opt in to HTTPS-only before moving to default HTTPS-only). Technical details of the migration are also included in the post.<ref>{{cite web|url = https://www.theguardian.com/info/developer-blog/2016/nov/29/the-guardian-has-moved-to-https|title = The Guardian has moved to HTTPS. Discover why and how the Guardian has moved to HTTPS, the secure version of the web protocol that helps to protect user privacy|last = Chauvin|first = Mariot|last2 = Islam|first2 = Huma|date = November 29, 2016|accessdate = April 13, 2019|publisher = The Guardian}}</ref>
 +
|-
 +
| 2016 || {{dts|October 23}} || Website || || || <code>neverssl.com</code> is registered.<ref>{{cite web |title=neverssl.com |url=https://who.is/whois/neverssl.com |website=who.is |accessdate=24 February 2020}}</ref> Motivated by the existence of broken "{{w|Wifi}} capture" networks that don't work well with HTTPS, the site is created "to make logging on a little bit easier".<ref>{{cite web |title=NeverSSL |url=http://neverssl.com/changes |website=neverssl.com/ |accessdate=24 February 2020}}</ref> 
 
|-
 
|-
 
| 2017 || {{dts|January 10}} || Website || New York Times || Default HTTPS-only || The ''New York Times'' announces that it has made a number of its articles default to HTTPS, including the home page, section and topic pages, and all articles published 2014 or later, and that it plans to make the rest of its site HTTPS as well.<ref>{{cite web|url = https://open.blogs.nytimes.com/2017/01/10/https-on-nytimes-com/|title = HTTPS on NYTimes.com|last = Konigsburg|first = Eitan|last2 = Wan|first2 = Vinessa|publisher = ''New York Times'' Open blog|date = January 1, 2010|accessdate = November 19, 2017}}</ref>
 
| 2017 || {{dts|January 10}} || Website || New York Times || Default HTTPS-only || The ''New York Times'' announces that it has made a number of its articles default to HTTPS, including the home page, section and topic pages, and all articles published 2014 or later, and that it plans to make the rest of its site HTTPS as well.<ref>{{cite web|url = https://open.blogs.nytimes.com/2017/01/10/https-on-nytimes-com/|title = HTTPS on NYTimes.com|last = Konigsburg|first = Eitan|last2 = Wan|first2 = Vinessa|publisher = ''New York Times'' Open blog|date = January 1, 2010|accessdate = November 19, 2017}}</ref>
 +
|-
 +
| 2017 || {{dts|January 21}} || Guideline || American Library Association || HTTPS use guideline || The American Library Association publishes a library privacy checklist approved by its intellectual freedom committee. The checklist mentions HTTPS twice. In priority 1 actions, it includes an action "Ensure all existing security certificates for HTTPS/SSL are valid and create a procedure for revalidating them annually." In priority 2 actions, it includes an action "Utilize HTTPS wherever possible." (Ironically, even as of April 2019, the American Library Association website does not properly support HTTPS, with the HTTPS site redirecting to the HTTP site).<ref>{{cite web|url = http://www.ala.org/advocacy/privacy/checklists/overview|title = Library Privacy Checklist - Overview|date = January 21, 2017|accessdate = April 13, 2019|publisher = American Library Association}}</ref>
 +
|-
 +
| 2017 || {{dts|January 25}} || Website || Ars Technica || Default HTTPS-only || ''{{w|Ars Technica}}'' announces that it has switched to default HTTPS-only, and explains details of the move.<ref>{{cite web|url = https://arstechnica.com/information-technology/2017/01/ars-announces-https-by-default-finally/|title = Ars announces HTTPS by default (finally). Doing our part to push the encrypted-by-default vision of the Web.|last = Hutchinson|first = Lee|date = January 25, 2017|accessdate = December 1, 2019|publisher = Ars Technica}}</ref>
 
|-
 
|-
 
| 2017 || {{dts|January}} || Browser || Chrome || Security warning || With version 56, {{w|Google Chrome}} begins marking as "Not Secure" (in the address bar) any webpages collecting sensitive data such as passwords or credit-card information without using HTTPS.<ref name=not-secure-october-plans>{{cite web|url = https://www.searchenginejournal.com/google-is-requiring-https-for-secure-data-in-chrome/183756/|title = Google Is Requiring HTTPS for Secure Data in Chrome|last = Murray|first = Brock|date = January 21, 2017|accessdate = November 19, 2017}}</ref><ref name=zdnet-noose>{{cite web|url = http://www.zdnet.com/article/google-tightens-noose-on-http-chrome-to-stick-not-secure-on-pages-with-search-fields/|title = Google tightens noose on HTTP: Chrome to stick 'Not secure' on pages with search fields. In October, Google will begin phase two of its plan to label all HTTP pages as non-secure.|last = Tung|first = Liam|date = April 28, 2017|accessdate = November 15, 2017|publisher = ZDNet}}</ref>
 
| 2017 || {{dts|January}} || Browser || Chrome || Security warning || With version 56, {{w|Google Chrome}} begins marking as "Not Secure" (in the address bar) any webpages collecting sensitive data such as passwords or credit-card information without using HTTPS.<ref name=not-secure-october-plans>{{cite web|url = https://www.searchenginejournal.com/google-is-requiring-https-for-secure-data-in-chrome/183756/|title = Google Is Requiring HTTPS for Secure Data in Chrome|last = Murray|first = Brock|date = January 21, 2017|accessdate = November 19, 2017}}</ref><ref name=zdnet-noose>{{cite web|url = http://www.zdnet.com/article/google-tightens-noose-on-http-chrome-to-stick-not-secure-on-pages-with-search-fields/|title = Google tightens noose on HTTP: Chrome to stick 'Not secure' on pages with search fields. In October, Google will begin phase two of its plan to label all HTTP pages as non-secure.|last = Tung|first = Liam|date = April 28, 2017|accessdate = November 15, 2017|publisher = ZDNet}}</ref>
 +
|-
 +
| 2017 || {{dts|January 4}} || Website || National Public Radio || Default HTTPS-only || {{w|National Public Radio}} announces that it has transitioned most of its webpages and streaming content to HTTPS, and is making sure that any new content is served through HTTPS.<ref>{{cite web|url = http://digitalservices.npr.org/post/update-https-transition-streams-and-podcasts|title = Update to the HTTPS Transition for Streams and Podcasts|last = Faughan|first = Kate|date = January 4, 2017|accessdate = February 11, 2018|publisher = National Public Radio}}</ref>
 +
|-
 +
| 2017 || {{dts|January 10}} || Website || W Magazine || Default HTTPS-only || A post on the ''Condé Nast'' technology blog, describes the transition of [[w:W (magazine)|W Magazine]], a Conde Nast property, to HTTPS.<ref>{{cite web|url = https://technology.condenast.com/story/securing-w-magazine-our-migration-to-https|title = Securing W Magazine: Our Migration to HTTPS|date = July 10, 2017|accessdate = December 1, 2019|last = Colucci|first = David}}</ref>
 
|-
 
|-
 
| 2017 || {{dts|March 30}} || Website || Pornhub || Default HTTPS-only || {{w|Pornhub}}, the world's largest pornographic video site, switches to HTTPS-only. Sister service YouPorn is scheduled to go HTTPS-only on April 4.<ref>{{cite web|url = https://www.wired.com/2017/03/pornhub-https-encryption/|title = THE WORLD'S BIGGEST PORN SITE GOES ALL-IN ON ENCRYPTION|last = Barrett|first = Brian|date = March 30, 2017|accessdate = November 9, 2017|publisher = ''Wired''}}</ref><ref>{{cite web|url = https://www.theverge.com/2017/3/30/15125048/pornhub-youporn-https-encryption-privacy|title = Pornhub now turns on encryption by default|last = Garun|first = Natt|date = March 30, 2017|accessdate = November 19, 2017|publisher = ''The Verge''}}</ref>
 
| 2017 || {{dts|March 30}} || Website || Pornhub || Default HTTPS-only || {{w|Pornhub}}, the world's largest pornographic video site, switches to HTTPS-only. Sister service YouPorn is scheduled to go HTTPS-only on April 4.<ref>{{cite web|url = https://www.wired.com/2017/03/pornhub-https-encryption/|title = THE WORLD'S BIGGEST PORN SITE GOES ALL-IN ON ENCRYPTION|last = Barrett|first = Brian|date = March 30, 2017|accessdate = November 9, 2017|publisher = ''Wired''}}</ref><ref>{{cite web|url = https://www.theverge.com/2017/3/30/15125048/pornhub-youporn-https-encryption-privacy|title = Pornhub now turns on encryption by default|last = Garun|first = Natt|date = March 30, 2017|accessdate = November 19, 2017|publisher = ''The Verge''}}</ref>
Line 78: Line 233:
 
| 2017 || {{dts|May 22}} || Website || Stack Overflow || Default HTTPS-only || {{w|Stack Overflow}} announces that it has migrated to HTTPS, after four years of work on the migration. All other Stack Exchange websites are also moved over to HTTPS.<ref>{{cite web|url = https://nickcraver.com/blog/2017/05/22/https-on-stack-overflow/|title = HTTPS on Stack Overflow: The End of a Long Road|date = May 22, 2017|accessdate = November 19, 2017|last = Craver|first = Nick}}</ref><ref>{{cite web|url = https://stackoverflow.blog/2017/05/22/stack-overflow-flipped-switch-https/|title = How Stack Overflow Flipped the Switch on HTTPS|last = Taylor|first = Anita|date = May 22, 2017|accessdate = November 19, 2017|publisher = Stack Overflow}}</ref>
 
| 2017 || {{dts|May 22}} || Website || Stack Overflow || Default HTTPS-only || {{w|Stack Overflow}} announces that it has migrated to HTTPS, after four years of work on the migration. All other Stack Exchange websites are also moved over to HTTPS.<ref>{{cite web|url = https://nickcraver.com/blog/2017/05/22/https-on-stack-overflow/|title = HTTPS on Stack Overflow: The End of a Long Road|date = May 22, 2017|accessdate = November 19, 2017|last = Craver|first = Nick}}</ref><ref>{{cite web|url = https://stackoverflow.blog/2017/05/22/stack-overflow-flipped-switch-https/|title = How Stack Overflow Flipped the Switch on HTTPS|last = Taylor|first = Anita|date = May 22, 2017|accessdate = November 19, 2017|publisher = Stack Overflow}}</ref>
 
|-
 
|-
| 2017 || October || Browser || Chrome || Security warning || Starting with version 62, Chrome begins marking all non-HTTPS webpages as "Not Secure" for users in incognito mode.<ref name=zdnet-noose/>
+
| 2017 || May through {{dts|August 16}} || Website || Springer-Verlag || Default HTTPS-only || Publisher Springer transitions its websites to HTTPS, with HTTP redirecting to HTTPS.<ref>{{cite web|url = https://knowledge.exlibrisgroup.com/360_Services/360_Link/Knowledge_Articles/360_Link%3A_Springer_Transition_to_https_--_effective_August_16%2C_2017|title = 360 Link: Springer Transition to https -- effective August 16, 2017|date = August 7, 2017|accessdate = February 11, 2017|publisher = ExLibris Knowledge Center}}</ref><ref>{{cite web|url = https://springeronlineservice.freshdesk.com/support/solutions/articles/6000165911-switching-to-https|title = Switching to HTTPS|publisher = Springer Online Service on Freshdesk|date = September 6, 2017|accessdate = February 11, 2018}}</ref>
 +
|-
 +
| 2017 || {{dts|September 11}} || || || || The Google Security Blog announces Google Chrome's finalized plans to distrust certificates issued by Symantec.<ref>{{cite web|url = https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html|title = Chrome’s Plan to Distrust Symantec Certificates|date = September 11, 2017|accessdate = April 13, 2019|publisher = Google Security Blog|last = O'Brien|first = Devon|last2 = Sleevi|first2 = Ryan|last3 = Whalley|first3 = Andrew}}</ref> The SSL Store blogs about it with some commentary explaining the controversy.<ref>{{cite web|url = https://www.thesslstore.com/blog/google-chrome-distrust-symantec-ssl-certificates/|title = Official: Google Chrome’s Plan to Distrust Symantec SSL Certificates The announcement being circulated simply finalizes an agreement from July|publisher = The SSL Store|date = September 13, 2017|accessdate = April 13, 2019}}</ref>
 +
|-
 +
| 2017 || {{dts|September 13}} || Website || Imgur || Default HTTPS-only || Image-hosting service {{w|Imgur}} defaults to HTTPS-only for all users (both logged-in and others).<ref>{{cite web|url = https://community.imgur.com/t/defaulting-to-https-01-xx-2015-request-fulfilled-as-of-09-13-2017/5146/59|title = Defaulting to https (01-XX-2015) - Request fulfilled as of 09-13-2017!|date = January 29, 2015|accessdate = November 20, 2017}}</ref>
 +
|-
 +
| 2017 || {{dts|October}} || Browser || Chrome || Security warning || Starting with version 62, Chrome begins marking all non-HTTPS webpages as "Not Secure" for users in incognito mode.<ref name=zdnet-noose/>
 
|-
 
|-
 
| 2017 || || Report || Research at Google || State of HTTPS adoption || Research at Google publishes a paper titled ''Measuring HTTPS adoption on the web''.<ref>{{cite web|url = https://research.google.com/pubs/pub46197.html|title = Measuring HTTPS adoption on the web|accessdate = November 20, 2017|last = Feit|first = Adrienne Porter|last2 = Barnes|first2 = Richard|last3 = King|first3 = April|last4 = Palmer|first4 = Chris|last5 = Bentzel|first5 = Chris|last6 = Tabriz|first6 = Parisa}}</ref><ref>{{cite web|url = https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/46197.pdf|title = Measuring HTTPS adoption on the web|accessdate = November 20, 2017|last = Feit|first = Adrienne Porter|last2 = Barnes|first2 = Richard|last3 = King|first3 = April|last4 = Palmer|first4 = Chris|last5 = Bentzel|first5 = Chris|last6 = Tabriz|first6 = Parisa}}</ref>
 
| 2017 || || Report || Research at Google || State of HTTPS adoption || Research at Google publishes a paper titled ''Measuring HTTPS adoption on the web''.<ref>{{cite web|url = https://research.google.com/pubs/pub46197.html|title = Measuring HTTPS adoption on the web|accessdate = November 20, 2017|last = Feit|first = Adrienne Porter|last2 = Barnes|first2 = Richard|last3 = King|first3 = April|last4 = Palmer|first4 = Chris|last5 = Bentzel|first5 = Chris|last6 = Tabriz|first6 = Parisa}}</ref><ref>{{cite web|url = https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/46197.pdf|title = Measuring HTTPS adoption on the web|accessdate = November 20, 2017|last = Feit|first = Adrienne Porter|last2 = Barnes|first2 = Richard|last3 = King|first3 = April|last4 = Palmer|first4 = Chris|last5 = Bentzel|first5 = Chris|last6 = Tabriz|first6 = Parisa}}</ref>
 +
|-
 +
| 2017 || || Standard || TLS 1.3 || Protocol || The standard for TLS 1.3 is under discussion, but not finalized. Browsers support it for a while as the default but then stop due to issues. See [[w:Transport Layer Security#TLS_1.3_.28draft.29]] for more. As of the end of 2017, TLS 1.3 is still not ready.<ref>{{cite web|url = https://blog.cloudflare.com/why-tls-1-3-isnt-in-browsers-yet/|title = Why TLS 1.3 isn't in browsers yet|last = Sullivan|first = Nick|date = December 26, 2017|accessdate = January 28, 2018|publisher = Cloudflare}}</ref>
 +
|-
 +
| 2017 || {{dts|December 30}} || || || || <code>nonhttps.com<code/> is registered.<ref>{{cite web |title=nonhttps.com |url=https://who.is/whois/nonhttps.com |website=who.is |accessdate=24 February 2020}}</ref> Similar to <code>neverssl.com</code>, the site is created to for websites to "guarantee that they will always remain accessible by HTTP".<ref>{{cite web |title=HTTPS |url=https://wikivisually.com/wiki/HTTPS |website=wikivisually.com |accessdate=24 February 2020}}</ref>
 +
|-
 +
| 2018 || {{dts|February 27}} || Certificate authority || Let's Encrypt || Wildcard support || Let's Encrypt plans to make wildcard support fully available on this date, after launching a public test API endpoint for the ACME v2 protocol and wildcard support on January 4, 2018.<ref>{{cite web|url = https://letsencrypt.org/2017/07/06/wildcard-certificates-coming-jan-2018.html|title = Wildcard Certificates Coming January 2018|last = Aas|first = Josh|date = July 6, 2017|accessdate = January 28, 2018|publisher = Let's Encrypt}}</ref>
 +
|-
 +
| 2018 || {{dts|April 1}} || CDN || Cloudflare || Secure DNS resolver || Cloudflare launches 1.1.1.1, a secure DNS resolver that uses both DNS-over-TLS and DNS-over-HTTPS.<ref>{{cite web|url = https://blog.cloudflare.com/announcing-1111/|title = Announcing 1.1.1.1: the fastest, privacy-first consumer DNS service|last = Prince|first = Matthew|date = April 1, 2018|accessdate = December 1, 2019|publisher = Cloudflare}}</ref>
 +
|-
 +
| 2018 || {{dts|April 14}} || Website || IMDb || Default HTTPS-only || Judging from homepage captures on the Internet Archive's Wayback Machine, this is the date that the IMDb transitions from HTTP to default HTTPS-only. See captures for April 13<ref>{{cite web|url = http://web.archive.org/web/20180413090715/http://www.imdb.com/|title = IMDb, as captured on April 13, 2018|date = April 13, 2018|accessdate = April 13, 2019}}</ref> and April 14.<ref>{{cite web|url = http://web.archive.org/web/20180414091804/https://www.imdb.com/|title = IMDb, as captured on April 14, 2018|date = April 14, 2018|accessdate = April 13, 2019}}</ref> There does not appear to be any official announcement of the transition, but a Quora question with answers as late as February 2018 confirms that people noticed that the site was still using plain HTTP till February 2018.<ref>{{cite web|url = https://www.quora.com/Why-does-IMDB-use-http-and-not-HTTPS|title = Why does IMDB use http and not HTTPS?|accessdate = April 13, 2019|publisher = Quora}}</ref>
 +
|-
 +
| 2018 || {{dts|June}} (completion), July 9 (announcement) || Website || BBC || Default HTTPS-only || In a blog post on July 9, 2018, software engineer James Donohue announces that the BBC has completed transitioning its website to HTTPS-only a few weeks ago. The blog post explains some of the technical challenges of migrating the site (which has news content from as far back as 1997, when the site first went online), and the steps involved in completing the migration.<ref>{{cite web|url = https://www.bbc.co.uk/blogs/internet/entries/b0807897-7c07-44eb-8d5f-3b2d081a3951|title = BBC News on HTTPS|date = July 9, 2018|accessdate = April 13, 2019|publisher = BBC|last = Donohue|first = James}}</ref>
 +
|-
 +
| 2018 || {{dts|July 24}} || Website || Whynohttps || Security warning || <code>whynohttps.com</code> launches as a project that tracks the world's largest websites not implementing HTTPS by default.<ref>{{cite web |title=Why No HTTPS? Here's the World's Largest Websites Not Redirecting Insecure Requests to HTTPS |url=https://www.troyhunt.com/why-no-https-heres-the-worlds-largest-websites-not-redirecting-insecure-requests/ |website=troyhunt.com |accessdate=24 February 2020}}</ref><ref>{{cite web |title=Still Why No HTTPS? |url=https://www.troyhunt.com/still-why-no-https/ |website=troyhunt.com |accessdate=24 February 2020}}</ref>
 +
|-
 +
| 2018 || {{dts|July}} (planned date), February 8 (announcement) || Browser || Chrome || Security warning || On February 8, Google Chrome announces that starting with Chrome 68, which will be released in July, all plain HTTP sites will be marked as not secure.<ref>{{cite web|url = https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html|title = A secure web is here to stay|date = February 8, 2018|accessdate = February 11, 2018|publisher = Google Security Blog|last = Schechter|first = Emily}}</ref><ref>{{cite web|url = https://techcrunch.com/2018/02/08/chrome-will-soon-mark-all-unencrypted-pages-as-not-secure/|title = Chrome will soon mark all unencrypted pages as ‘not secure’|last = Lardinois|first = Frederic|date = February 8, 2018|accessdate = February 11, 2018|publisher = ''TechCrunch''}}</ref><ref>{{cite web|url = https://arstechnica.com/gadgets/2018/02/from-july-on-chrome-will-brand-plain-old-http-as-not-secure/|title = From July on, Chrome will brand  plain old HTTP as “Not secure”. The "Not secure" label will go where the padlock would go for an encrypted connection.|last = Bright|first = Peter|date = February 9, 2018|accessdate = February 11, 2018|publisher = ''ArsTechnica''}}</ref> The release happens as scheduled. ''Forbes'' publishes an article naming a few sites that still do not default to HTTPS as of the time of this change to Chrome. The sites include Fox News, the Los Angeles Times, Chicago Tribune, Time, ESPN, NFL Network, NBA, and more. Some of these sites, such as Time and ESPN, still do not default to HTTPS as of April 2019.<ref>{{cite web|url = https://www.forbes.com/sites/kevinmurnane/2018/07/25/here-are-12-well-known-websites-that-chrome-68-labels-not-secure/|title = Fox News, ESPN And 9 Other Well-Known Websites That Chrome 68 Labels 'Not Secure'|last = Murnane|first = Kevin|date = July 25, 2018|accessdate = April 13, 2019|publisher = Forbes}}</ref>
 +
|-
 +
| 2018 || {{dts|August 7}} || Website || BBC || Site-wide censorship due to HTTPS adoption || The BBC website is blocked in China shortly after it migrated to HTTPS-only. For HTTPS websites, it is not possible for intermediaries in the network to identify individual pages being browsed, so the Chinese government needs to block the whole site in order to block access to politically sensitive content.<ref>{{cite web|url = https://www.bbc.com/news/technology-45098190|title = BBC websites blocked in China after security change|date = August 7, 2018|accessdate = April 13, 2019}}</ref>
 +
|-
 +
| 2018 || {{dts|September 24}} || CDN || Cloudflare || Support for encrypted SNI || {{w|Cloudflare}} announces that it is beginning support of encrypted SNI.<ref>{{cite web|url = https://blog.cloudflare.com/esni/|title = Encrypting SNI: Fixing One of the Core Internet Bugs|last = Prince|first = Matthew|date = September 24, 2018|accessdate = December 1, 2019|publisher = Cloudflare}}</ref><ref>{{cite web|url = https://blog.cloudflare.com/encrypted-sni/|title = Encrypt it or lose it: how encrypted SNI works|last = Ghedini|first = Alessandro|date = September 24, 2018|accessdate = December 1, 2019|publisher = Cloudflare}}</ref>
 +
|-
 +
| 2018 || {{dts|October 18}} || Browser || Firefox || Support for encrypted SNI || {{w|Firefox}} announces support for encrypted SNI in the Firefox Nightly build.<ref>{{cite web|url = https://blog.mozilla.org/security/2018/10/18/encrypted-sni-comes-to-firefox-nightly/|title = Encrypted SNI Comes to Firefox Nightly|last = Rescorla|first = Eric|date = October 18, 2018|accessdate = December 1, 2019|publisher = Mozilla}}</ref><ref>{{cite web|url = https://blog.cloudflare.com/encrypt-that-sni-firefox-edition/|title = Encrypt that SNI: Firefox edition|date = October 18, 2018|accessdate = December 1, 2019|publisher = Cloudflare}}</ref>
 +
|-
 +
| 2018 || c.{{dts|November 17}} || Calendar service || {{w|Google Calendar}} || HTTPS adoption || {{w|Google Calendar}} goes 100% HTTPS.<ref name="ss"/>
 +
|-
 +
| 2019 || {{dts|January}} to February; with some early test efforts in October 2018, and some wrap-up work as late as April 11 || Website || Wikia / Fandom || Default HTTPS-only || Fandom Inc., the company previously known as Wikia, moves the bulk of their community wikis from HTTP to HTTPS, while also changing the domain from wikia.com to fandom.com (to be more consistent with the company's new name and branding). Some domains that do not fit with the Fandom brand are moved to wikia.org instead; these are also migrated to HTTPS.<ref>{{cite web|url = https://community.fandom.com/wiki/Help:Fandom_domain_migration|title = Help:Fandom domain migration|accessdate = April 13, 2019|publisher = Fandom Community Central}}</ref>
 +
|-
 +
| 2019 || {{dts|August}} || Browser || Chrome || Interface simplification || With Chrome 76, Google stops showing the leading https and www on urls in the address bar; however, these are shown if you click into the address bar twice. The Chrome team says that this simplifies the experience for most users by removing information that's not relevant to them, but there is some pushback to these claims from people who believe the information is important and should be readily visible.<ref>{{cite web|url = https://www.ghacks.net/2019/08/01/chrome-76-no-more-https-or-www-in-address-bar/|title = Chrome 76: no more https or www in address bar|last = Brinkmann|first = Martin|date = August 16, 2019|accessdate = December 1, 2019}}</ref> Users can still determine if a site is secure by looking for the lock icon; insecure sites will be marked "Not Secure".
 +
|-
 +
| 2019 || c.{{dts|September 28}} || Online advertising platform || Google Ads || HTTPS adoption || Google Ads goes 100% HTTPS.<ref name="ss">{{cite web |title=HTTPS encryption on the web |url=https://transparencyreport.google.com/https/overview |website=transparencyreport.google.com |accessdate=1 March 2020}}</ref>
 +
|-
 +
| 2019 || c.{{dts|September}} || Online video platform || Youtube || HTTPS adoption || {{w|Youtube}} goes 100% HTTPS.<ref name="ss"/>
 +
|-
 
|}
 
|}
 +
 +
== Numerical and visual data  ==
 +
 +
=== Google Scholar ===
 +
 +
The following table summarizes per-year mentions on Google Scholar as of June 10, 2021.
 +
 +
{| class="sortable wikitable"
 +
! Year
 +
! http
 +
! https
 +
! https security
 +
! https adoption
 +
|-
 +
| 1980 || 145,000 || 196,000 || 33,400 || 4,120
 +
|-
 +
| 1985 || 153,000 || 219,000 || 13,800 || 4,460
 +
|-
 +
| 1990 || 183,000 || 309,000 || 54,200 || 5,880
 +
|-
 +
| 1995 || 341,000 || 436,000 || 19,600 || 7.320
 +
|-
 +
| 2000 || 1,520,000 || 1,300,000 || 68,600 || 14,400
 +
|-
 +
| 2002 || 1,430,000 || 1,360,000 || 41,000 || 19,500
 +
|-
 +
| 2004 || 2,360,000 || 1,650,000 || 82,300 || 37,600
 +
|-
 +
| 2006 || 2,530,000 || 1,730,000 || 132,000 || 70,700
 +
|-
 +
| 2008 || 2,620,000 || 1,800,000 || 172,000 || 102,000
 +
|-
 +
| 2010 || 2,610,000 || 2,020,000 || 271,000 || 130,000
 +
|-
 +
| 2012 || 2,650,000 || 2,240,000 || 365,000 || 166,000
 +
|-
 +
| 2014 || 2,310,000 || 2,230,000 || 481,000 || 187,000
 +
|-
 +
| 2016 || 1,950,000 || 1,870,000 || 606,000 || 179,000 
 +
|-
 +
| 2017 || 1,760,000 || 1,690,000 || 602,000 || 190,000
 +
|-
 +
| 2018 || 1,590,000 || 1,570,000 || 480,000 || 172,000
 +
|-
 +
| 2019 || 901,000 || 1,200,000 || 319,000 || 140,000 
 +
|-
 +
| 2020 || 444,000 || 635,000 || 198,000 || 87,600 
 +
|-
 +
|}
 +
 +
[[File:Http tb.png|thumb|center|700px]]
 +
 +
=== Google Trends ===
 +
 +
The comparative chart below shows {{w|Google Trends}} data HTTPS (Search term) and HTTP (Search term), from March 2004 to March 2021, when the screenshot was taken. Interest is also ranked by country and displayed on world map.<ref>{{cite web |title=HTTPS and HTTP |url=https://trends.google.com/trends/explore?date=all&q=HTTPS,HTTP |website=Google Trends |access-date=14 March 2021}}</ref>
 +
 +
[[File:HTTP and HTTPS gt.png|thumb|center|600px]]
 +
 +
=== Google Ngram Viewer ===
 +
The chart below shows {{w|Google Ngram Viewer}} data for HTTPS and HTTP, from 1989 to 2019.<ref>{{cite web |title=HTTPS and HTTP |url=https://books.google.com/ngrams/graph?content=HTTPS%2CHTTP&year_start=1989&year_end=2019&corpus=26&smoothing=3 |website=books.google.com |access-date=14 March 2021 |language=en}}</ref>
 +
 +
[[File:HTTP and HTTPS ngram.png|thumb|center|700px]]
 +
 +
=== Wikipedia Views ===
 +
The chart below shows pageviews of the English Wikipedia article {{w|HTTPS}} on desktop from December 2007, and on mobile-web, desktop-spider,mobile-web-spider and mobile app, from July 2015; to January 2021.<ref>{{cite web |title=HTTPS |url=https://wikipediaviews.org/displayviewsformultiplemonths.php?page=HTTPS&allmonths=allmonths&language=en&drilldown=all |website=wikipediaviews.org |access-date=24 February 2021}}</ref>
 +
 +
[[File:HTTPS wv.png|thumb|center|400px]]
 +
 +
==Meta information on the timeline==
 +
 +
===How the timeline was built===
 +
 +
The initial version of the timeline was written by [[User:Vipul]].
 +
 +
===What the timeline is still missing===
 +
 +
* {{w|DNS over HTTPS}}: [https://tools.ietf.org/html/rfc8484 RFC]
 +
* {{w|DNS over TLS}}
 +
* Encrypted SNI: [https://datatracker.ietf.org/doc/draft-ietf-tls-esni/ Draft standard]
 +
 +
===Timeline update strategy===
 +
 +
* Keep pace with the latest developments in HTTPS
 +
* Look for articles about websites and services transitioning to HTTPS
 +
* Use the Wayback Machine to identify dates of transition to HTTPS
 +
 +
== See also ==
 +
 +
* [https://www.jefftk.com/p/history-of-https-usage History of HTTPS Usage] by Jeff Kaufman
  
 
== References ==
 
== References ==
  
 
{{reflist|30em}}
 
{{reflist|30em}}

Latest revision as of 12:23, 1 December 2024

This timeline gives a history of HTTPS usage and adoption, describing the gradual increase in websites and clients using HTTPS. HTTPS is a secure, encrypted version of HTTP and has been implemented using Sockets Layer (SSL) and Transport Layer Security (TLS). The timeline spans the period from 1994, when HTTPS and SSL were first introduced on Netscape Navigator, to 2019, by which time, thanks to the efforts of Google, Mozilla, and many privacy-focused organizations, HTTPS is ubiquitous and accounts for more traffic than plain, unencrypted HTTP.

Sample questions

  • What were the major Internet standards related to HTTPS and when were they defined? (Sort the Full timeline by "Entity type" and look for the group of rows for which this says "Standard")
  • When did various leading news sites migrate to HTTPS, and what challenges did they face while migrating? (Sort the Full timeline by "Entity type" and look for the group of rows for which this says" Website"; scan the "Entity name" column to find the news websites or other sites of interest to you; then read the "Details" column and look at the cited reference)
  • How can we get quantitative data on how many sites and how much traffic uses HTTPS? (Sort the Full timeline by "Entity type" and look for the rows for which this says "Report" or "Report/Observatory")

Big picture

Entity types and qualitative details

HTTPS is an end-to-end protocol. Therefore, it need only be supported by the browser (on the client side) and the server (it could be terminated at the load balancer or proxy or dealt with directly by the process serving the content).

Other intermediaries, like Internet Service Providers (ISPs), routers, networking services, etc. do not need to be upgraded to support HTTPS. The main effects on them from the transition to HTTPS are: (a) the ability of their packet analyzers to sniff traffic reduces, and (b) the volume of traffic they deal with goes up a little bit.

Entity type Broad classification Top entity names Typical stages Details
Standard -- This includes standards around client-server communication for HTTPS. Most of these are published by the Internet Engineering Task Force (IETF).
Browser Client-side Chrome, Firefox, Netscape Navigator Security warning Beyond initial HTTPS support (which was present in most browsers from the get-go), the main browser evolution has centered around the way security warnings are presented around HTTP versus HTTPS, mixed content, and problems with HTTPS certificates.
Browser extension Client-side Firesheep, HTTPS Everywhere Vulnerability exploit, security improvement Browser extensions have played some role in identifying and protecting against vulnerabilities of unencrypted (plain HTTP) connections.
Website Server-side Lots of websites HTTPS available, opt-in HTTPS-only, default HTTPS-only, HTTPS-only Websites may start by making HTTPS available, so that people who type https:// in the browser will get the HTTPS website. They may then transition to allowing logged-in users to opt-in to HTTPS-only, so that they will see internal links in HTTPS only and will automatically be redirected from HTTP to HTTPS. The next step is default HTTPS-only, which means that except for users who explicitly opt out, everybody is redirected to HTTPS (this could come in two stages: first rolled out to logged-in users only, then to all). Finally, the HTTPS-only stage is when access over plain HTTP is no longer supported.
Webmail Server-side Gmail, Hotmail, Yahoo! Mail HTTPS available, opt-in HTTPS-only, default HTTPS-only, HTTPS-only Similar to the stages for website. However, webmail is generally more sensitive, so the importance of switching to HTTPS is higher, and webmail services switched to HTTPS before websites.
Search engine Server-side Google Search, Bing, Yahoo! Search HTTPS available, opt-in HTTPS-only, default HTTPS-only, HTTPS-only Similar to the stages for website. Search engine data is intermediate in sensitivity between websites and webmail, and in terms of the chronological evolution also moved to HTTPS somewhere in between.
Proxy/load balancer Server-side Amazon Web Services Early SSL termination Load balancers can manage the SSL/TLS certificates and forward only plain HTTP requests to the servers that have to actually respond to the request.
CDN Server-side Cloudflare, Amazon CloudFront Custom SSL Content delivery networks are used to serve static content at low latency and low cost around the world. CDNs have evolved to allow customers to upload their own SSL certificates for content.
Ecosystem Server-side Advertising Various backend ecosystems that power the technology and monetization of the web, such as advertising, need to support HTTPS in order to complete the transition to HTTPS.

Time period grouping

Time period Qualitative summary of developments
1994–2007 During this period, many of the standards related to HTTPS (HTTP over SSL, HTTP over TLS, SNI) are published as RFCs by the Internet Engineering Task Force. Certificate authorities (CAs) come into being and the CA/Browser Forum is created. A few sites, generally those related to e-commerce, start using HTTPS.
2008–2012 The move to HTTPS begins, with Google taking the lead, and Twitter and Facebook following. Webmail moves first, then search for logged-in users. The general playbook is: HTTPS available, opt-in HTTPS-only, then default HTTPS-only.
2013–2014 The move to HTTPS continues, with laggers in webmail and search catching up on encryption, and Google beginning encryption even for non-logged-in users. Toward the end of this period, Google begins aggressively pushing for the whole web to go HTTPS, first by stating that HTTPS will be a search ranking signal, then by declaring that Chrome eventually intends to mark all plain HTTP sites as not secure.
2015–2017 This is the period when the move to HTTPS intensifies among a number of ordinary websites. Wikipedia, Reddit, Imgur, and some major newspapers and magazines like the New York Times, The Guardian, TechCrunch, and Wired go HTTPS. Chrome begins the process of marking plain HTTP sites as Not Secure. Let's Encrypt makes it easy and free for people to move to HTTPS. Google and others set up systematic tracking of the proportion of HTTPS usage, and the period ends with a significant increase in HTTPS use. This period also begins a trend of the Chinese government censoring entire websites after they transition to HTTPS, because it can no longer identify and block individual webpages due to encryption.
2018–2019 With Chrome now marking all plain HTTP sites as not secure, most high-traffic sites that had not yet migrated to HTTPS complete their migration. This includes sites like IMDb, BBC, Wikia/Fandom, Fox News, and many others.


Full timeline

Year Month and date (if available) Entity type Entity name Stage Details
1994 Standard SSL v1.0 Protocol Netscape Communications creates HTTPS for its Netscape Navigator web browser, originally for use with the Secure Sockets Layer (SSL) protocol (SSL version 1.0). Due to security issues, this is never officially published. See Transport Layer Security#SSL_1.0.2C_2.0_and_3.0.
1995 February Standard SSL v2.0 Protocol SSL v2.0 is released. It has a number of security flaws. See w:Transport Layer Security#SSL_1.0.2C_2.0_and_3.0.
1995 July Server hosting Netscape Commercial offering Fortune reports that Netscape charges $1,495 for a server and $5,000 for a server with secure communication (i.e., serving traffic over HTTPS).[1][2]
1995 September 19 Bugfix Vulnerability exploit Two graduate students at the University of California, Berkeley discover a security vulnerability with Netscape Navigator, that also affects HTTPS sites and risks credit card transactions being eavesdropped on.[3][4][2]
1996 Standard SSL v3.0 Protocol SSL v3.0 is released and its specification is drafted. IETF would publish this draft as a historical document in 2011.[5]
1999 January Standard TLS 1.0 Protocol Version 1.0 of the Transport Layer Security (TLS) protocol is published as RFC 2246. TLS would replace SSL as the protocol used for HTTPS.[6]
2000 May Standard HTTP over TLS Protocol RFC 2818 of the Internet Engineering Task Force (IETF) describes the standard for HTTPS, using HTTP over Transport Layer Security (TLS).[7]
2001 July 26 Wikipedia HTTPS initial entry is created on English Wikipedia.[8]
2003 June Standard SNI Protocol RFS 3546 of the IETF describes a number of augmentations to TLS, including Server Name Indication (SNI).[9]
2004 April 1 Webmail Google (Gmail) HTTPS availability Gmail, Google's web-based email service, launches. The service is available over HTTPS right from the time of launch.[2]
2004 April 14 Bugfix Vulnerability exploit Microsoft issues a fix for a bug in its SSL library that allows remote attackers to gain control of unpatched Windows 2000 and Windows NT4 servers offering encrypted services over the internet.[10]
2005 April 20 Microsoft A blog post by Microsoft argues that using non-HTTPS login pages is insecure, even if the form submission is to a HTTPS page.[11][2]
2005 The CA/Browser Forum is founded. It is a voluntary consortium of certification authorities, vendors of Internet browser software, operating systems, and other PKI-enabled applications that promulgates industry guidelines governing the issuance and management of X.509 v.3 digital certificates that chain to a trust anchor embedded in such applications.
2006 April Standard TLS 1.1 Protocol RFC 4346 defines TLS 1.1, the next version of TLS after TLS 1.0.[12]
2008 July 24 Webmail Google (Gmail) Opt-in HTTPS-only Google adds a setting in Gmail for users to always use HTTPS. Even before this, users could (since the inception of Gmail) access it securely by explicitly typing https:// in the browser. With the new setting, users who have opted in to it will be redirected from HTTP to HTTPS.[13][2]
2008 August Standard TLS 1.2 Protocol RFC 5246 defines TLS 1.2, the next version of TLS after TLS 1.1.[14]
2010 January 12 Webmail Google (Gmail) Default HTTPS-only Google switches all Gmail users to redirect to HTTPS; users can change their setings to not redirect to HTTPS. Previously, the default option for this setting was to not redirect, and users had to explicitly choose the option to redirect HTTP to HTTPS.[15][2]
2010 May 21 Search engine Google Search HTTPS availability Google makes search available on SSL at https://www.google.com. However, on June 25, they announced that they are moving encrypted search to https://encrypted.google.com because of challenges reported by school districts.[16][2]
2010 June 17 Browser extension HTTPS Everywhere Security improvement The Electronic Frontier Foundation and The Tor Project, Inc launch HTTPS Everywhere, a Firefox extension, to make Firefox use HTTPS where possible.[17] The extension would evolve over the coming years. As of 2017, it is supported on Firefox, Chrome, and Opera.[18]
2010 June 2 Browser enhancement SSL False Start A Google team comprising Adam Langley, Nagendra Modadugu, and Bodo Moeller propose SSL False Start, a client-side only change to reduce one round-trip from the SSL handshake.[19][20][21] Despite tests showing that it reduces latency by 30%, the effort would be abandoned in April 2012 because of incompatibility with some servers doing early HTTPS termination.[22]
2010 October Browser extension Firesheep Vulnerability exploit Firesheep, a Firefox browser extension that uses a packet analyzer to intercept unencrypted session cookies over Wi-Fi networks, is released. The extension highlights the need for greater security, both in terms of websites moving to HTTPS (end-to-end security) and improving security of Wi-Fi.
2010 October 14 Proxy/load balancer AWS Elastic Load Balancing Early SSL termination AWS Elastic Load Balancing announces support for SSL termination. This means that websites hosted on AWS, behind AWS load balancers, can upload their certificates to the load balancer, and have the load balancer take care of the SSL certificate, so that the servers that receive the actual traffic only have to handle HTTP traffic.[23]
2010 November 3 Website GitHub Default HTTPS-only In response to the release of Firesheep, GitHub moves to HTTPS for all users; previously full-session SSL was only available to paying users.[24]
2010 November 9 Webmail Hotmail (Microsoft) Opt-in HTTPS-only Microsoft lets users of its web-based email service, Hotmail, set HTTPS by default.[25][26]
2011 January Website Facebook Opt-in HTTPS-only Facebook begins allowing logged-in users to opt in to have all their Facebook browsing encrypted by HTTPS.[27]
2011 January Standard OCSP stapling Protocol RFC 6066, introducing OCSP stapling, is published.[28] OCSP stapling is an alternative approach to the Online Certificate Status Protocol that allows the presenter of a certificate to bear the resource cost involved in providing OCSP responses by appending ("stapling") a time-stamped OCSP response signed by the CA to the initial TLS handshake, eliminating the need for clients to contact the certificate authority. RFC 6961 would cover the case of multiple OCSP stapling.[29]
2011 March 15 Website Twitter Opt-in HTTPS-only Twitter begins allowing logged-in users to opt in to have all their Twitter browsing encrypted by HTTPS.[30]
2011 July 15 Proxy/load balancer Nginx GlobalSign, DigiCert, Comodo and NGINX Inc. announce a joint effort to add OCSP-stapling support to Nginx.[31]
2011 October 18 Search engine Google Search Default HTTPS-only Google makes HTTPS (using SSL) the default option for its search users who are logged in on google.com (its US site; regionally branded sites are not affected).[32][33][34] In particular, webmasters receiving traffic from Google Search will no longer be able to know the search terms that led to a specific visit.[35][36]
2012 February 13 Website Twitter Default HTTPS-only Twitter makes HTTPS the default for all logged-in users.[37][38][39]
2012 March Search engine Google Search Default HTTPS-only Google makes secure search the default globally for signed-in users. Previously, the change was limited to users on google.com.[40]
2012 July 31 Webmail Outlook (formerly Hotmail) (Microsoft) Default HTTPS-only With the rebranding of Hotmail as Outlook.com, Microsoft moves to default HTTPS-only for all usersof the web-based email service.[26]
2012 October 9 Website Quora Opt-in HTTPS-only On or before this date, question-and-answer website Quora allows logged-in users to opt in to HTTPS-only.[41]
2012 November Website Facebook Default HTTPS-only Facebook rolls out its transition to HTTPS by default for all users, beginning with North America.[42][27] The move is reported to be completed on August 1, 2013.[43]
2012 November 19 Standard RFC 6797 Default HTTPS-only The HTTP Strict Transport Security (HSTS) standard is published, after being approved on October 2.[44] The standard allows a website to set a header specifying a time period over which the client must connect to the website only via HTTPS. This protects against protocol downgrade attacks and cookie hijacking, and also avoids the extra latency involved in redirecting HTTP to HTTPS.
2013 February The Certificate Authority Security Council is founded by the seven largest certificate authorities: Comodo, Symantec, Trend Micro, DigiCert, Entrust, GlobalSign, and GoDaddy.
2013 August 21 (actual release), August 1 (announcement) Website Wikipedia Default HTTPS-only Wikimedia Foundation turns on HTTPS for all logged-in users (announcement August 1).[45][46]
2013 September Search engine Google Search Default HTTPS-only Google Search moves all searches, even those by users who are not logged in, to HTTPS. The only exception is ad clicks. The change is believed to be a response to concerns about privacy triggered by relevations about PRISM, a United States federal government surveillance program.[47]
2013 September 26 Website Imgur HTTPS available Image-hosting service Imgur makes HTTPS available sitewide.[48]
2013 October 14 Webmail Yahoo! Default HTTPS-only Yahoo! Mail moves to a default of HTTPS-only.[26]
2013 October 24, 25 Website Internet Archive Default HTTPS-only The Internet Archive announces that its websites archive.org (which includes the Wayback Machine at web.archive.org) and openlibrary.org are defaulted to HTTPS-only, though they will still be available over HTTP.[49][50][51]
2014 January 22 Search engine Yahoo! Default HTTPS-only Yahoo! Search makes HTTPS-only the default. The change is initially rolled out on yahoo.com, but is expected to be rolled out to other regions as well.[52]
2014 January Website YouTube Some move to HTTPS YouTube begins sending traffic over HTTPS, significantly increasing the volume of traffic sent on the web via HTTPS. By September 2014, 50% of YouTube traffic would be sent via HTTPS.[53]
2014 February 3 Website Tumblr Opt-in HTTPS-only Tumblr gives blog owners the option of switching their blogs to HTTPS-only. NOTE: Unlike some other opt-in HTTPS-only implementations, the option is controlled by website owners rather than website visitors.[54] Internet security commentators feel that Tumblr didn't go far enough, and should have switched to default HTTPS-only.[55]
2014 March 5 CDN Amazon CloudFront SNI custom SSL, HTTPS redirection Amazon CloudFront announces support for customers to use their own SSL certificates through the implementation of Server Name Indication, as well as HTTP to HTTPS redirection (via 301 redirect).
2014 c.March 22 Email service Gmail HTTPS adoption Gmail goes 100% HTTPS.[56]
2014 June 5 Website WordPress Default HTTPS-only Automattic, the parent company of wordpress.com, announces that all wordpress.com subdomains will be moved to default HTTPS-only by the end of 2014.[57]
2014 July 29 App Instagram Default HTTPS-only In response to reports about a zero-day security vulnerability, Instagram co-founder Mike Krieger reveals that the app is being moved over to HTTPS, with some parts of the app already 100% HTTPS.[58]
2014 August 6 Search ranking Google Search HTTPS boost Google announces search results will give preference to sites using HTTPS. This added ranking signal would be a "lightweight" ranking boost.[59][60]
2014 September 8 Website Reddit Opt-in HTTPS-only Reddit gives logged-in users the option of using the site purely on HTTPS.[61]
2014 September 29 CDN Cloudflare Default HTTPS-only Cloudflare announces that it is rolling out universal SSL for all its users. This only affects connections to Cloudflare, and does not focre websites to upgrade their main site to HTTPS; however, all website owners are encouraged to upgrade their sites as well. In a blog post, Cloudflare CEO Matthew Prince explains the transition and the motivation behind it.[62]
2014 November 18 Certificate authority Let's Encrypt Free HTTPS certificates Let's Encrypt, a certificate authority service that can issue HTTPS certificates for three months for free (with some limitations on the types of certificate and the conditions under which certificates can be issued), is publicly announced. The service would issue its first certificate on September 14, 2015, and leave beta on April 12, 2016.
2014 December 18 Browser Chrome Security warning Google Chrome announces its intention of adding warnings for users visiting non-HTTPS websites.[63] More details are announced in late January 2015.[64]
2015 January 18 Report/Observatory HTTPSWatch State of HTTPS adoption The oldest Internet Archive snapshot of HTTPSWatch appears to be on this date. The snapshot says that it is inspired by Alex Gaynor's blog posts that were published in November and December 2014, so it is likely to be pretty close to the actual start date.[65][66][67]
2015 February Browser Chrome HTTP/2 Chrome begins rolling out support for HTTP/2. Chrome supports HTTP/2 only over HTTPS, even though the standard allows for HTTP/2 outside of HTTPS (through the selective use of encryption).[68]
2015 March 12 Website/App Pinterest Default HTTPS-only Pinterest announces that it has moved over to HTTPS, describing the challenges it faced along the way. With the increased security in place due to HTTPS, Pinterest also introduces a paid bug bounty program for the white hat hacker community to find security flaws.[69]
2015 March 25 Ecosystem Advertising Exhortation Writing for the Interactive Advertising Bureau (IAB), Brendan Riordan-Butterworth calls for the advertising ecosystem to move to HTTPS.[70]
2015 April 13 Browser Firefox Security warning Mozilla announces plans to deprecate plain HTTP in their browser, Firefox.[71][72]
2015 May 19 Website Wikipedia Site-wide censorship due to HTTPS transition Likely starting around this day (judging from traffic volume), the Chinese government blocks Chinese Wikipedia.[73] The rationale is that, with Wikipedia's coming transition to HTTPS-only, the Chinese government will not be able to identify what page on the site a user is visiting, so blocking the whole site is the only way to implement the goal of blocking specific pages with politically sensitive content. See w:Censorship of Wikipedia#China for more details.
2015 June 8 Website United States government Default HTTPS-only The White House Office of Management and Budget issues the HTTPS-Only Standard directive requiring that all United States federal government websites provide service only via HTTPS, with a deadline of end of 2016.[74][75][76]
2015 June 12 Website Wikipedia Default HTTPS-only The Wikimedia Foundation publishes a blog post stating that all properties (including Wikipedia) are being switched over to HTTPS; previously, HTTPS was used only for logged-in users. It seems the switch is being made immediately.[77][78][79]
2015 June Search engine Bing Default HTTPS-only Microsoft announces that it will make HTTPS-only the default on Bing, its search engine.[80][81]
2015 June Website Reddit Default HTTPS-only Reddit switches to HTTPS-only, with users being automatically redirected from HTTP to HTTPS.[82][83]
2015 June 30 (deadline), April 17 (announcement) Ad network Google AdWords HTTPS availability As part of Google's HTTPS Everywhere initiative, Google AdWords announces, on April 17, some of it progress already made on moving ads to HTTPS (specifically, moving YouTube ads to HTTPS). Also, it is stated that the vast majority of mobile, video, and desktop display ads served to the Google Display Network, AdMob and DoubleClick publishers will be encrypted by June 30, and advertisers using any of the buying platforms, including AdWords and DoubleClick, will be able to serve HTTPS-encrypted display ads to all HTTPS-enabled inventory.[84]
2015 October 14 Browser Chrome Mixed-content With version 46, Chrome kills off its HTTP-HTTPS "mixed-content" address bar warning. Now, HTTPS pages that load some auxiliary resources (such as images, calls to ad networks, etc.) over HTTP will say https in the address bar without the secure lock or green coloring. The change is based on the idea that mixed HTTP-HTTPS is in fact more secure than pure HTTP, and therefore should not appear scarier, and is intended to "encourage site operators to switch to HTTPS sooner rather than later."[85][86]
2016 February Website Wikipedia Referrer policy The Wikimedia Foundation rolls out an update to the HTTPS meta referrer policy, that reveals the Origin rather than the full path of the referring domain. This means that websites that receive traffic from Wikipedia can once again calculate how much traffic they are receiving from Wikipedia, an ability that was lost in the switch to HTTPS. However, unlike the pre-HTTPS situation, full referral paths are not accessible, so websites cannot know what Wikipedia pages are sending traffic to them. For more, see Research:Wikimedia referrer policy.[87]
2016 March 15 Report/Observatory Google Transparency Report State of HTTPS adoption Google announces that it is adding a new section to its Transparency Report to track the progress of HTTPS adoption.[88][89][90]
2016 March 23 Google provides a list of certificate authorities it does not trust.[91]
2016 February Browser Baidu Browser Vulnerability exploit The Citizen Lab publishes a report noting vulnerabilities in the Baidu Browser, a popular browser in China, some of which are related to the browser not using HTTPS fully.[92]
2016 March 28 Browser QQ Browser Vulnerability exploit The Citizen Lab publishes a report noting vulnerabilities in the QQ Browser, a popular browser in China, some of which are related to the browser not using HTTPS fully.[93]
2016 April 8 Website WordPress Default HTTPS-only Automattic, the owner of WordPress.com, announces that WordPress custom domains will be switched to default HTTPS-only. Previously, HTTPS-only was enabled only on subdomains of wordpress.com.[94]
2016 April 28 (first announcement), August 15 (completion) Website WIRED Default HTTPS-only On April 28, WIRED announces that its website is going HTTPS-only. The article announcing the transition explains the challenges involved in making sure every digital asset loaded on every page is HTTPS.[95] The transition is announced to be complete on August 15.[96]
2016 June 14 App store service Apple Default HTTPS-only At the Apple Worldwide Developers Conference, Apple announces that it will require all iOS apps to use HTTPS connections by the end of 2016.[97]
2016 June 15 Website TechCrunch Default HTTPS-only Technology new website TechCrunch announces that it has gone HTTPS-only.[98]
2016 August 1 Website YouTube State of HTTPS adoption YouTube announces that it serves 97% of traffic over HTTPS.[99]
2016 August Website Netflix Default HTTPS-only Netflix announces that it is adding TLS encryption to all its video streams, and expects to finish the process by year-end.[100][101]
2016 August 25 Report/Observatory Mozilla State of HTTPS adoption Mozilla, the organization that manages the Firefox browser, creates the Mozilla Observatory to track the web and its security. Among other things, this tracks the state of HTTPS adoption.[102][103]
2016 September (completion), November 29 (announcement) Website The Guardian Default HTTPS-only The Guardian announces that it completed its migration to HTTPS-only about two months ago. The announcement post describes the challenges of the migration, including avoiding negative audience and revenue impacts, and keeping older interactive content working. The migration approach is summarized as: migrate one small audience section to HTTPS, identify the problems and track them, and fix the problems that need to be fixed before the next section migration. Three complementary techniques used: monitoring, decoupling backend and frontend migrations (with backend migrations done first), and usage of early adopters (users could opt in to HTTPS-only before moving to default HTTPS-only). Technical details of the migration are also included in the post.[104]
2016 October 23 Website neverssl.com is registered.[105] Motivated by the existence of broken "Wifi capture" networks that don't work well with HTTPS, the site is created "to make logging on a little bit easier".[106]
2017 January 10 Website New York Times Default HTTPS-only The New York Times announces that it has made a number of its articles default to HTTPS, including the home page, section and topic pages, and all articles published 2014 or later, and that it plans to make the rest of its site HTTPS as well.[107]
2017 January 21 Guideline American Library Association HTTPS use guideline The American Library Association publishes a library privacy checklist approved by its intellectual freedom committee. The checklist mentions HTTPS twice. In priority 1 actions, it includes an action "Ensure all existing security certificates for HTTPS/SSL are valid and create a procedure for revalidating them annually." In priority 2 actions, it includes an action "Utilize HTTPS wherever possible." (Ironically, even as of April 2019, the American Library Association website does not properly support HTTPS, with the HTTPS site redirecting to the HTTP site).[108]
2017 January 25 Website Ars Technica Default HTTPS-only Ars Technica announces that it has switched to default HTTPS-only, and explains details of the move.[109]
2017 January Browser Chrome Security warning With version 56, Google Chrome begins marking as "Not Secure" (in the address bar) any webpages collecting sensitive data such as passwords or credit-card information without using HTTPS.[110][111]
2017 January 4 Website National Public Radio Default HTTPS-only National Public Radio announces that it has transitioned most of its webpages and streaming content to HTTPS, and is making sure that any new content is served through HTTPS.[112]
2017 January 10 Website W Magazine Default HTTPS-only A post on the Condé Nast technology blog, describes the transition of W Magazine, a Conde Nast property, to HTTPS.[113]
2017 March 30 Website Pornhub Default HTTPS-only Pornhub, the world's largest pornographic video site, switches to HTTPS-only. Sister service YouPorn is scheduled to go HTTPS-only on April 4.[114][115]
2017 May 22 Website Stack Overflow Default HTTPS-only Stack Overflow announces that it has migrated to HTTPS, after four years of work on the migration. All other Stack Exchange websites are also moved over to HTTPS.[116][117]
2017 May through August 16 Website Springer-Verlag Default HTTPS-only Publisher Springer transitions its websites to HTTPS, with HTTP redirecting to HTTPS.[118][119]
2017 September 11 The Google Security Blog announces Google Chrome's finalized plans to distrust certificates issued by Symantec.[120] The SSL Store blogs about it with some commentary explaining the controversy.[121]
2017 September 13 Website Imgur Default HTTPS-only Image-hosting service Imgur defaults to HTTPS-only for all users (both logged-in and others).[122]
2017 October Browser Chrome Security warning Starting with version 62, Chrome begins marking all non-HTTPS webpages as "Not Secure" for users in incognito mode.[111]
2017 Report Research at Google State of HTTPS adoption Research at Google publishes a paper titled Measuring HTTPS adoption on the web.[123][124]
2017 Standard TLS 1.3 Protocol The standard for TLS 1.3 is under discussion, but not finalized. Browsers support it for a while as the default but then stop due to issues. See w:Transport Layer Security#TLS_1.3_.28draft.29 for more. As of the end of 2017, TLS 1.3 is still not ready.[125]
2017 December 30 nonhttps.com<code/> is registered.[126] Similar to <code>neverssl.com, the site is created to for websites to "guarantee that they will always remain accessible by HTTP".[127]
2018 February 27 Certificate authority Let's Encrypt Wildcard support Let's Encrypt plans to make wildcard support fully available on this date, after launching a public test API endpoint for the ACME v2 protocol and wildcard support on January 4, 2018.[128]
2018 April 1 CDN Cloudflare Secure DNS resolver Cloudflare launches 1.1.1.1, a secure DNS resolver that uses both DNS-over-TLS and DNS-over-HTTPS.[129]
2018 April 14 Website IMDb Default HTTPS-only Judging from homepage captures on the Internet Archive's Wayback Machine, this is the date that the IMDb transitions from HTTP to default HTTPS-only. See captures for April 13[130] and April 14.[131] There does not appear to be any official announcement of the transition, but a Quora question with answers as late as February 2018 confirms that people noticed that the site was still using plain HTTP till February 2018.[132]
2018 June (completion), July 9 (announcement) Website BBC Default HTTPS-only In a blog post on July 9, 2018, software engineer James Donohue announces that the BBC has completed transitioning its website to HTTPS-only a few weeks ago. The blog post explains some of the technical challenges of migrating the site (which has news content from as far back as 1997, when the site first went online), and the steps involved in completing the migration.[133]
2018 July 24 Website Whynohttps Security warning whynohttps.com launches as a project that tracks the world's largest websites not implementing HTTPS by default.[134][135]
2018 July (planned date), February 8 (announcement) Browser Chrome Security warning On February 8, Google Chrome announces that starting with Chrome 68, which will be released in July, all plain HTTP sites will be marked as not secure.[136][137][138] The release happens as scheduled. Forbes publishes an article naming a few sites that still do not default to HTTPS as of the time of this change to Chrome. The sites include Fox News, the Los Angeles Times, Chicago Tribune, Time, ESPN, NFL Network, NBA, and more. Some of these sites, such as Time and ESPN, still do not default to HTTPS as of April 2019.[139]
2018 August 7 Website BBC Site-wide censorship due to HTTPS adoption The BBC website is blocked in China shortly after it migrated to HTTPS-only. For HTTPS websites, it is not possible for intermediaries in the network to identify individual pages being browsed, so the Chinese government needs to block the whole site in order to block access to politically sensitive content.[140]
2018 September 24 CDN Cloudflare Support for encrypted SNI Cloudflare announces that it is beginning support of encrypted SNI.[141][142]
2018 October 18 Browser Firefox Support for encrypted SNI Firefox announces support for encrypted SNI in the Firefox Nightly build.[143][144]
2018 c.November 17 Calendar service Google Calendar HTTPS adoption Google Calendar goes 100% HTTPS.[56]
2019 January to February; with some early test efforts in October 2018, and some wrap-up work as late as April 11 Website Wikia / Fandom Default HTTPS-only Fandom Inc., the company previously known as Wikia, moves the bulk of their community wikis from HTTP to HTTPS, while also changing the domain from wikia.com to fandom.com (to be more consistent with the company's new name and branding). Some domains that do not fit with the Fandom brand are moved to wikia.org instead; these are also migrated to HTTPS.[145]
2019 August Browser Chrome Interface simplification With Chrome 76, Google stops showing the leading https and www on urls in the address bar; however, these are shown if you click into the address bar twice. The Chrome team says that this simplifies the experience for most users by removing information that's not relevant to them, but there is some pushback to these claims from people who believe the information is important and should be readily visible.[146] Users can still determine if a site is secure by looking for the lock icon; insecure sites will be marked "Not Secure".
2019 c.September 28 Online advertising platform Google Ads HTTPS adoption Google Ads goes 100% HTTPS.[56]
2019 c.September Online video platform Youtube HTTPS adoption Youtube goes 100% HTTPS.[56]

Numerical and visual data

Google Scholar

The following table summarizes per-year mentions on Google Scholar as of June 10, 2021.

Year http https https security https adoption
1980 145,000 196,000 33,400 4,120
1985 153,000 219,000 13,800 4,460
1990 183,000 309,000 54,200 5,880
1995 341,000 436,000 19,600 7.320
2000 1,520,000 1,300,000 68,600 14,400
2002 1,430,000 1,360,000 41,000 19,500
2004 2,360,000 1,650,000 82,300 37,600
2006 2,530,000 1,730,000 132,000 70,700
2008 2,620,000 1,800,000 172,000 102,000
2010 2,610,000 2,020,000 271,000 130,000
2012 2,650,000 2,240,000 365,000 166,000
2014 2,310,000 2,230,000 481,000 187,000
2016 1,950,000 1,870,000 606,000 179,000
2017 1,760,000 1,690,000 602,000 190,000
2018 1,590,000 1,570,000 480,000 172,000
2019 901,000 1,200,000 319,000 140,000
2020 444,000 635,000 198,000 87,600
Http tb.png

Google Trends

The comparative chart below shows Google Trends data HTTPS (Search term) and HTTP (Search term), from March 2004 to March 2021, when the screenshot was taken. Interest is also ranked by country and displayed on world map.[147]

HTTP and HTTPS gt.png

Google Ngram Viewer

The chart below shows Google Ngram Viewer data for HTTPS and HTTP, from 1989 to 2019.[148]

HTTP and HTTPS ngram.png

Wikipedia Views

The chart below shows pageviews of the English Wikipedia article HTTPS on desktop from December 2007, and on mobile-web, desktop-spider,mobile-web-spider and mobile app, from July 2015; to January 2021.[149]

HTTPS wv.png

Meta information on the timeline

How the timeline was built

The initial version of the timeline was written by User:Vipul.

What the timeline is still missing

Timeline update strategy

  • Keep pace with the latest developments in HTTPS
  • Look for articles about websites and services transitioning to HTTPS
  • Use the Wayback Machine to identify dates of transition to HTTPS

See also

References

  1. Sprout, Alison (July 1, 1995). "The rise of Netscape". Retrieved March 11, 2018. 
  2. 2.0 2.1 2.2 2.3 2.4 2.5 2.6 Kaufman, Jeff (March 8, 2018). "History of HTTPS Usage". Retrieved March 11, 2018. 
  3. "Netscape: Internet security flaw can be fixed.". September 19, 1995. Retrieved March 11, 2018. 
  4. Markoff, John (October 16, 1995). "The New Watchdogs of Digital Commerce". New York Times. Retrieved March 11, 2018. 
  5. "The Secure Sockets Layer (SSL) Protocol Version 3.0". Internet Engineering Task Force. August 1, 2011. Retrieved November 23, 2017. 
  6. "The TLS Protocol Version 1.0". Internet Engineering Task Force. January 1, 1999. Retrieved November 23, 2017. 
  7. "HTTP Over TLS". Internet Engineering Task Force. May 1, 2000. Retrieved November 23, 2017. 
  8. "HTTPS: Revision history". en.wikipedia.org. Retrieved 1 March 2020. 
  9. "Transport Layer Security (TLS) Extensions". Internet Engineering Task Force. June 1, 2003. Retrieved November 20, 2017. 
  10. "Microsoft SSL Vulnerability gives attackers opportunity to gain control of leading banking sites". Netcraft. April 14, 2004. Retrieved March 11, 2018. 
  11. "TLS and SSL in the real world". April 20, 2005. Retrieved March 11, 2018. 
  12. "The Transport Layer Security (TLS) Protocol Version 1.1". Internet Engineering Task Force. April 1, 2006. Retrieved November 23, 2017. 
  13. Rideout, Ariel (July 24, 2008). "Making security easier". Google. Retrieved November 19, 2017. 
  14. "The Transport Layer Security (TLS) Protocol Version 1.2". Internet Engineering Task Force. August 1, 2008. Retrieved November 23, 2017. 
  15. Schillace, Sam (January 12, 2010). "Default https access for Gmail". Google. Retrieved November 19, 2017. 
  16. Roseman, Evan (May 21, 2010). "Search more securely with encrypted Google web search". Google Official Blog. Retrieved March 11, 2018. 
  17. Eckersley, Peter (June 17, 2010). "Encrypt the Web with the HTTPS Everywhere Firefox Extension". Electronic Frontier Foundation. Retrieved November 19, 2017. 
  18. "HTTPS Everywhere". Retrieved November 19, 2017. 
  19. "Transport Layer Security (TLS) False Start". Internet Engineering Task Force. June 2, 2010. Retrieved November 19, 2017. 
  20. "SSL FalseStart Performance Results". Chromium blog. May 18, 2011. Retrieved November 19, 2017. 
  21. "Changing HTTPS". Imperial Violet. September 5, 2010. Retrieved November 19, 2017. 
  22. Goodin, Dan (April 12, 2012). "False Start's sad demise: Google abandons noble attempt to make SSL less painful". Retrieved November 19, 2017. 
  23. Barr, Jeff (October 14, 2010). "AWS Elastic Load Balancing: Support for SSL Termination". Amazon Web Services. Retrieved November 19, 2017. 
  24. "GitHub moves to SSL, but remains Firesheepable". Netcraft. November 3, 2010. Retrieved November 20, 2017. 
  25. Mills, Elinor (November 9, 2010). "Microsoft lets Hotmail users set encryption by default. Microsoft adds full-session encryption option to HOtmail and SSL for SkyDrive, Photos, Docs, and Devices pages.". CNet. Retrieved November 20, 2017. 
  26. 26.0 26.1 26.2 Peterson, Andrea; Gellman, Barton; Soltani, Ashkan (October 14, 2013). "Yahoo to make SSL encryption the default for Webmail users. Finally.". Retrieved November 20, 2017. 
  27. 27.0 27.1 Constine, Josh (November 18, 2012). "Facebook Could Slow Down A Tiny Bit As It Starts Switching All Users To Secure HTTPS Connections". TechCrunch. Retrieved November 19, 2017. 
  28. "Transport Layer Security (TLS) Extensions: Extension Definitions". January 1, 2011. Retrieved November 19, 2017. 
  29. "The Transport Layer Security (TLS) Multiple Certificate Status Request Extension". June 1, 2013. Retrieved November 19, 2017. 
  30. "Making Twitter more secure: HTTPS". Twitter. March 15, 2011. Retrieved November 19, 2017. 
  31. "GlobalSign, DigiCert and Comodo Collaborate with NGINX to Improve Online Trust through Enhanced Certificate Revocation Checking, sign a Sponsorship Agreement. New version of the popular NGINX web server to support OCSP-stapling". NGINX, Inc. July 15, 2011. Retrieved November 19, 2017. 
  32. "Making search more secure". Google. October 18, 2011. Retrieved November 19, 2017. 
  33. Boulton, Clint (October 18, 2011). "Google Makes HTTPS Encryption Default for Search". eweek. Retrieved November 19, 2017. 
  34. Sullivan, Danny (October 18, 2011). "Google To Begin Encrypting Searches & Outbound Clicks By Default With SSL Search". Search Engine Land. Retrieved November 19, 2017. 
  35. "Making search more secure: Accessing search query data in Google Analytics". October 18, 2011. Retrieved November 19, 2017. 
  36. Sullivan, Danny (October 22, 2011). "Google Puts A Price On Privacy". Retrieved November 19, 2017. 
  37. "Securing your Twitter experience with HTTPS". Twitter. February 13, 2012. Retrieved November 19, 2017. 
  38. "Should All Web Traffic Be Encrypted?". Coding Horror. February 23, 2012. Retrieved November 19, 2017. 
  39. Brinkmann, Martin (February 14, 2012). "Twitter Makes HTTPS Default For Signed In Users". Retrieved November 19, 2017. 
  40. "Bringing more secure search around the globe". March 5, 2012. Retrieved November 19, 2017. 
  41. Cook, Tom (October 9, 2012). "Does Quora support HTTPS? Tom Cook's answer log". Retrieved November 20, 2017. 
  42. Asthana, Shireesh (November 15, 2012). "Platform Updates: Operation Developer Love". Facebook. Retrieved November 19, 2017. 
  43. "Secure browsing by default". August 1, 2013. Retrieved November 20, 2017. 
  44. "HTTP Strict Transport Security (HSTS)". November 19, 2012. Retrieved November 19, 2017. 
  45. Lane, Ryan (August 1, 2013). "The future of HTTPS on Wikimedia projects". Wikimedia Foundation. Retrieved September 25, 2016. 
  46. Eaton, Kit (August 2, 2013). "After NSA's XKeyscore, Wikipedia Switches To Secure HTTPS. The Wikimedia Foundation has announced it's pushing ahead with plans to secure its online systems due to NSA targeting.". Fast Company. Retrieved September 25, 2016. 
  47. Sullivan, Danny (September 23, 2013). "Post-PRISM, Google Confirms Quietly Moving To Make All Searches Secure, Except For Ad Clicks". Retrieved November 20, 2017. 
  48. "100 MILLION UNIQUES, HIGHER UPLOAD LIMITS, AND HTTPS SUPPORT". September 26, 2013. Retrieved November 20, 2017. 
  49. Kahle, Brewster (October 25, 2013). "Reader Privacy at the Internet Archive". Retrieved November 19, 2017. 
  50. Streitfeld, David (October 24, 2013). "Internet Archive Will Shield Visitors". New York Times Bits Blog. Retrieved November 19, 2017. 
  51. Protalinski, Emil (October 25, 2013). "With over 3 million users per day, the Internet Archive switches to HTTPS connections by default". The Next Web. Retrieved November 19, 2017. 
  52. Sullivan, Danny (January 22, 2014). "Yahoo Makes Secure Search The Default". MarketingLand. Retrieved November 20, 2017. 
  53. Naylor, David; Finamore, Alessandro; Leontiadis, Ilias; Grunenberger, Yan; Mellia, Marco; Munafo, Maurizio; Papagiannaki, Konstantina; Steenkiste, Peter. "The Cost of the "S" in HTTPS" (PDF). 
  54. "You can now take extra precaution against hackers and snoops by enabling SSL security on your Tumblr Dashboard.". Tumblr. February 3, 2014. Retrieved April 13, 2019. 
  55. "Tumblr activates SSL, but with a catch. Tumblr blog owners can encrypt all visits to their sites, as long as they opt in. Why didn't Yahoo just make SSL the default setting?". February 3, 2014. Retrieved April 13, 2019. 
  56. 56.0 56.1 56.2 56.3 "HTTPS encryption on the web". transparencyreport.google.com. Retrieved 1 March 2020. 
  57. Siemenski, Paul (June 5, 2014). "Reset the Net. If we properly encrypt our sites and devices, we can make mass surveillance much more difficult. We'll be serving pages only over SSL for all *.wordpress.com subdomains by the end of the year.". The WordPress.com Blog. Retrieved December 1, 2019. 
  58. "Instagram to use HTTPS following discovery of gaping security hole in iOS app. Security expert warns users should not use the app until a patch is released". The Inquirer. July 29, 2014. Retrieved November 19, 2017. 
  59. "HTTPS as a ranking signal". www.google.com. Retrieved Dec 1, 2014. 
  60. Russell, Jon (August 7, 2014). "Google is now ranking websites with HTTPS higher in its search results". The Next Web. Retrieved November 19, 2017. 
  61. "Hell, It's About Time – reddit now supports full-site HTTPS". Reddit. September 8, 2014. Retrieved November 19, 2017. 
  62. Prince, Matthew (September 29, 2014). "Introducing Universal SSL". Cloudflare. Retrieved December 1, 2019. 
  63. Slegg, Jennifer (December 18, 2014). "Google Chrome Wants to Warn Users Before Visiting All Non-HTTPS Sites". The SEM Post. Retrieved November 20, 2017. 
  64. Slegg, Jennifer (January 28, 2015). "First Look at How Google Chrome Plans to Alert Users to Non-HTTPS Websites". Retrieved November 20, 2017. 
  65. "HTTPSWatch (About section)". Retrieved January 18, 2015. 
  66. Gaynor, Alex (November 12, 2015). "The State of the News and TLS". Retrieved November 20, 2015. 
  67. Gaynor, Alex (December 30, 2014). "The State of the News and TLS: Part II". Retrieved November 20, 2017. 
  68. "Hello HTTP/2, Goodbye SPDY". Chromium. February 9, 2015. Retrieved November 19, 2017. 
  69. Moreno, Paul (March 12, 2015). "Making Pinterest HTTPS". Pinterest Engineering via Medium. Retrieved November 20, 2017. 
  70. Riordan-Butterworth, Brendan (March 25, 2015). "Adopting Encryption: The Need for HTTPS". Interactive Advertising Bureau. Retrieved November 20, 2017. 
  71. Barnes, Richard (April 13, 2015). "Intent to deprecate: Insecure HTTP". Retrieved November 20, 2017. 
  72. "Mozilla Announces Plans to Deprecate HTTP in Firefox". The SEM Post. April 16, 2015. Retrieved November 20, 2017. 
  73. "Aggregate page counts for traffic to Chinese Wikipedia for May 2015". Retrieved April 13, 2019. 
  74. Scott, Tony (June 8, 2015). "Policy to Require Secure Connections across Federal Websites and Web Services" (PDF). Retrieved November 20, 2017. 
  75. Scott, Tony (June 8, 2015). "HTTPS-Everywhere for Government". Obama White House Archives. Retrieved November 20, 2017. 
  76. Williams, Martyn (June 8, 2015). "US to require HTTPS for all government websites. All public sites will be required to use the protocol by the end of 2016". Retrieved November 20, 2017. 
  77. Welinder, Yana; Baranetsky, Victoria; Black, Brandon (June 12, 2015). "Securing access to Wikimedia sites with HTTPS". Wikimedia Foundation. Retrieved September 25, 2016. 
  78. Thomas, Karl (June 15, 2015). "Wikipedia switches to HTTPS by default". WeLiveSecurity. Retrieved September 25, 2016. 
  79. Farivar, Cyrus (June 15, 2015). "Wikipedia goes all-HTTPS, starting immediately. "We believe that the time for HTTPS by default is now."". ArsTechnica. Retrieved September 25, 2016. 
  80. "Bing Moving to Encrypt Search Traffic by Default". Bing. June 15, 2015. Retrieved November 20, 2017. 
  81. Schick, Shane (June 22, 2015). "Microsoft to Make HTTPS a Default Setting for Bing". Retrieved November 20, 2017. 
  82. Lorenzo Franceschi-Bicchierai (June 17, 2015). "Reddit Switches to Encryption By Default. The internet giant will switch to HTTPS by default by the end of the month.". Vice. Retrieved November 19, 2017. 
  83. "reddit will soon only be available over HTTPS (self.redditdev)". Reddit. June 16, 2015. Retrieved November 19, 2017. 
  84. "Ads Take a Step Towards "HTTPS Everywhere"". Google AdWords. April 17, 2015. Retrieved November 20, 2017. 
  85. Anthony, Sebastian (October 14, 2015). "Chrome finally kills off the HTTP-HTTPS "mixed content" warning. Slightly alarming and not wholly useful yellow triangle is being retired.". Retrieved November 20, 2017. 
  86. Whittaker, Zack (October 14, 2015). "Chrome 46 loosens up on HTTPS 'mixed content' warnings. The browser -- known for being a bit overkill -- finally drops its yellow-warning attached to pages with both secure and non-secure content.". Retrieved November 19, 2017. 
  87. "Set an explicit "Origin When Cross-Origin" referer policy via the meta referrer tag". August 18, 2015. Retrieved March 10, 2017. 
  88. "Securing the web, together". Google Security Blog. March 15, 2016. Retrieved November 19, 2017. 
  89. Schwartz, Barry (March 16, 2016). "Google Report On HTTPS Adoption Within Google & The Top Web Sites". Search Engine Roundtable. Retrieved November 19, 2017. 
  90. "Google's Transparency Report to Include HTTPS Adoption Rates". Search Engine Journal. March 25, 2016. Retrieved November 19, 2017. 
  91. Chirgwin, Richard (March 23, 2016). "Google publishes list of Certificate Authorities it doesn't trust. Thawte experiment aims to expose issuers of dodgy creds". The Register. Retrieved November 20, 2017. 
  92. Gillis, Alex (February 26, 2016). "Researchers find privacy problems in popular Baidu browser". Retrieved April 13, 2019. 
  93. Knockel, Jeffrey; Senft, Adam; Deibert, Ron (March 28, 2016). "Privacy and Security Issues in QQ Browser". The Citizen Lab. Retrieved April 13, 2019. 
  94. Barry (April 8, 2016). "HTTPS Everywhere: Encryption for All WordPress.com Sites. We're proud to support a more secure web — now for all custom domains on WordPress.com.". The WordPress.com Blog. Retrieved December 1, 2019. 
  95. Tollman, Zack (April 28, 2016). "WE'RE GOING HTTPS: HERE'S HOW WIRED IS TACKLING A HUGE SECURITY UPGRADE". WIRED. Retrieved February 11, 2018. 
  96. Tollman, Zack (August 15, 2016). "How WIRED Completely Encrypted Itself". Retrieved December 1, 2019. 
  97. Conger, Kate (June 14, 2016). "Apple will require HTTPS connections for iOS apps by the end of 2016". TechCrunch. Retrieved February 11, 2018. 
  98. Wilke, Nicole (June 15, 2016). "TechCrunch has gone HTTPS". Retrieved November 19, 2017. 
  99. "YouTube's road to HTTPS". YouTube. August 1, 2016. Retrieved November 19, 2017. 
  100. "Protecting Netflix Viewing Privacy at Scale". Netflix on Medium. August 8, 2016. Retrieved November 19, 2017. 
  101. "Netflix explains how and why it's switching to HTTPS streaming. Adding encryption increases privacy for viewers -- and for Netflix.". August 9, 2016. Retrieved November 19, 2017. 
  102. King, April (April 25, 2016). "Observatory by Mozilla: Making the Web Safer". Retrieved November 20, 2017. 
  103. Paganini, Pierluigi (August 27, 2016). "Mozilla launched the Observatory tool to test the security of websites". Retrieved November 20, 2017. 
  104. Chauvin, Mariot; Islam, Huma (November 29, 2016). "The Guardian has moved to HTTPS. Discover why and how the Guardian has moved to HTTPS, the secure version of the web protocol that helps to protect user privacy". The Guardian. Retrieved April 13, 2019. 
  105. "neverssl.com". who.is. Retrieved 24 February 2020. 
  106. "NeverSSL". neverssl.com/. Retrieved 24 February 2020. 
  107. Konigsburg, Eitan; Wan, Vinessa (January 1, 2010). "HTTPS on NYTimes.com". New York Times Open blog. Retrieved November 19, 2017. 
  108. "Library Privacy Checklist - Overview". American Library Association. January 21, 2017. Retrieved April 13, 2019. 
  109. Hutchinson, Lee (January 25, 2017). "Ars announces HTTPS by default (finally). Doing our part to push the encrypted-by-default vision of the Web.". Ars Technica. Retrieved December 1, 2019. 
  110. Murray, Brock (January 21, 2017). "Google Is Requiring HTTPS for Secure Data in Chrome". Retrieved November 19, 2017. 
  111. 111.0 111.1 Tung, Liam (April 28, 2017). "Google tightens noose on HTTP: Chrome to stick 'Not secure' on pages with search fields. In October, Google will begin phase two of its plan to label all HTTP pages as non-secure.". ZDNet. Retrieved November 15, 2017. 
  112. Faughan, Kate (January 4, 2017). "Update to the HTTPS Transition for Streams and Podcasts". National Public Radio. Retrieved February 11, 2018. 
  113. Colucci, David (July 10, 2017). "Securing W Magazine: Our Migration to HTTPS". Retrieved December 1, 2019. 
  114. Barrett, Brian (March 30, 2017). "THE WORLD'S BIGGEST PORN SITE GOES ALL-IN ON ENCRYPTION". Wired. Retrieved November 9, 2017. 
  115. Garun, Natt (March 30, 2017). "Pornhub now turns on encryption by default". The Verge. Retrieved November 19, 2017. 
  116. Craver, Nick (May 22, 2017). "HTTPS on Stack Overflow: The End of a Long Road". Retrieved November 19, 2017. 
  117. Taylor, Anita (May 22, 2017). "How Stack Overflow Flipped the Switch on HTTPS". Stack Overflow. Retrieved November 19, 2017. 
  118. "360 Link: Springer Transition to https -- effective August 16, 2017". ExLibris Knowledge Center. August 7, 2017. Retrieved February 11, 2017. 
  119. "Switching to HTTPS". Springer Online Service on Freshdesk. September 6, 2017. Retrieved February 11, 2018. 
  120. O'Brien, Devon; Sleevi, Ryan; Whalley, Andrew (September 11, 2017). "Chrome's Plan to Distrust Symantec Certificates". Google Security Blog. Retrieved April 13, 2019. 
  121. "Official: Google Chrome's Plan to Distrust Symantec SSL Certificates The announcement being circulated simply finalizes an agreement from July". The SSL Store. September 13, 2017. Retrieved April 13, 2019. 
  122. "Defaulting to https (01-XX-2015) - Request fulfilled as of 09-13-2017!". January 29, 2015. Retrieved November 20, 2017. 
  123. Feit, Adrienne Porter; Barnes, Richard; King, April; Palmer, Chris; Bentzel, Chris; Tabriz, Parisa. "Measuring HTTPS adoption on the web". Retrieved November 20, 2017. 
  124. Feit, Adrienne Porter; Barnes, Richard; King, April; Palmer, Chris; Bentzel, Chris; Tabriz, Parisa. "Measuring HTTPS adoption on the web" (PDF). Retrieved November 20, 2017. 
  125. Sullivan, Nick (December 26, 2017). "Why TLS 1.3 isn't in browsers yet". Cloudflare. Retrieved January 28, 2018. 
  126. "nonhttps.com". who.is. Retrieved 24 February 2020. 
  127. "HTTPS". wikivisually.com. Retrieved 24 February 2020. 
  128. Aas, Josh (July 6, 2017). "Wildcard Certificates Coming January 2018". Let's Encrypt. Retrieved January 28, 2018. 
  129. Prince, Matthew (April 1, 2018). "Announcing 1.1.1.1: the fastest, privacy-first consumer DNS service". Cloudflare. Retrieved December 1, 2019. 
  130. "IMDb, as captured on April 13, 2018". April 13, 2018. Retrieved April 13, 2019. 
  131. "IMDb, as captured on April 14, 2018". April 14, 2018. Retrieved April 13, 2019. 
  132. "Why does IMDB use http and not HTTPS?". Quora. Retrieved April 13, 2019. 
  133. Donohue, James (July 9, 2018). "BBC News on HTTPS". BBC. Retrieved April 13, 2019. 
  134. "Why No HTTPS? Here's the World's Largest Websites Not Redirecting Insecure Requests to HTTPS". troyhunt.com. Retrieved 24 February 2020. 
  135. "Still Why No HTTPS?". troyhunt.com. Retrieved 24 February 2020. 
  136. Schechter, Emily (February 8, 2018). "A secure web is here to stay". Google Security Blog. Retrieved February 11, 2018. 
  137. Lardinois, Frederic (February 8, 2018). "Chrome will soon mark all unencrypted pages as 'not secure'". TechCrunch. Retrieved February 11, 2018. 
  138. Bright, Peter (February 9, 2018). "From July on, Chrome will brand plain old HTTP as "Not secure". The "Not secure" label will go where the padlock would go for an encrypted connection.". ArsTechnica. Retrieved February 11, 2018. 
  139. Murnane, Kevin (July 25, 2018). "Fox News, ESPN And 9 Other Well-Known Websites That Chrome 68 Labels 'Not Secure'". Forbes. Retrieved April 13, 2019. 
  140. "BBC websites blocked in China after security change". August 7, 2018. Retrieved April 13, 2019. 
  141. Prince, Matthew (September 24, 2018). "Encrypting SNI: Fixing One of the Core Internet Bugs". Cloudflare. Retrieved December 1, 2019. 
  142. Ghedini, Alessandro (September 24, 2018). "Encrypt it or lose it: how encrypted SNI works". Cloudflare. Retrieved December 1, 2019. 
  143. Rescorla, Eric (October 18, 2018). "Encrypted SNI Comes to Firefox Nightly". Mozilla. Retrieved December 1, 2019. 
  144. "Encrypt that SNI: Firefox edition". Cloudflare. October 18, 2018. Retrieved December 1, 2019. 
  145. "Help:Fandom domain migration". Fandom Community Central. Retrieved April 13, 2019. 
  146. Brinkmann, Martin (August 16, 2019). "Chrome 76: no more https or www in address bar". Retrieved December 1, 2019. 
  147. "HTTPS and HTTP". Google Trends. Retrieved 14 March 2021. 
  148. "HTTPS and HTTP". books.google.com. Retrieved 14 March 2021. 
  149. "HTTPS". wikipediaviews.org. Retrieved 24 February 2021.