Difference between revisions of "Timeline of HTTPS adoption"
From Timelines
(Created page with "This timeline describes the gradual increase in websites and clients using HTTPS. == Full timeline == {| class="wikitable sortable" ! Year !! Month and date (if available) !...") |
|||
Line 14: | Line 14: | ||
| 2010 || {{dts|January 12}} || Website || Google (GMail) || Default HTTPS-only || Google switches all GMail users to redirect to HTTPS; users can change their setings to not redirect to HTTPS. Previously, the default option for this setting was to not redirect, and users had to explicitly choose the option to redirect HTTP to HTTPS.<ref>{{cite web|url = https://gmail.googleblog.com/2010/01/default-https-access-for-gmail.html|title = Default https access for Gmail|date = January 12, 2010|accessdate = November 19, 2017|publisher = Google|last = Schillace|first = Sam}}</ref> | | 2010 || {{dts|January 12}} || Website || Google (GMail) || Default HTTPS-only || Google switches all GMail users to redirect to HTTPS; users can change their setings to not redirect to HTTPS. Previously, the default option for this setting was to not redirect, and users had to explicitly choose the option to redirect HTTP to HTTPS.<ref>{{cite web|url = https://gmail.googleblog.com/2010/01/default-https-access-for-gmail.html|title = Default https access for Gmail|date = January 12, 2010|accessdate = November 19, 2017|publisher = Google|last = Schillace|first = Sam}}</ref> | ||
|- | |- | ||
− | | 2010 || {{dts|June 17}} || Browser extension || HTTPS Everywhere || || The {{w|Electronic Frontier Foundation}} and {{w|The Tor Project, Inc}} launch HTTPS Everywhere, a {{w|Firefox}} extension, to make Firefox use HTTPS where possible.<ref>{{cite web|url = https://www.eff.org/deeplinks/2010/06/encrypt-web-https-everywhere-firefox-extension|title = Encrypt the Web with the HTTPS Everywhere Firefox Extension|last = Eckersley|first = Peter|date = June 17, 2010|accessdate = November 19, 2017|publisher = Electronic Frontier Foundation}}</ref> The extension would evolve over the coming years. As of 2017, it is supported on Firefox, Chrome, and Opera.<ref name=https-everywhere>{{cite web|url = https://www.eff.org/https-everywhere|title = HTTPS Everywhere|accessdate = November 19, 2017}}</ref> | + | | 2010 || {{dts|June 17}} || Browser extension || HTTPS Everywhere || || The {{w|Electronic Frontier Foundation}} and {{w|The Tor Project, Inc}} launch {{w|HTTPS Everywhere}}, a {{w|Firefox}} extension, to make Firefox use HTTPS where possible.<ref>{{cite web|url = https://www.eff.org/deeplinks/2010/06/encrypt-web-https-everywhere-firefox-extension|title = Encrypt the Web with the HTTPS Everywhere Firefox Extension|last = Eckersley|first = Peter|date = June 17, 2010|accessdate = November 19, 2017|publisher = Electronic Frontier Foundation}}</ref> The extension would evolve over the coming years. As of 2017, it is supported on Firefox, Chrome, and Opera.<ref name=https-everywhere>{{cite web|url = https://www.eff.org/https-everywhere|title = HTTPS Everywhere|accessdate = November 19, 2017}}</ref> |
+ | |- | ||
+ | | 2010 || {{dts|June 2}} || Browser enhancement || SSL False Start || || A Google team comprising Adam Langley, Nagendra Modadugu, and Bodo Moeller propose SSL False Start, a client-side only change to reduce one round-trip from the SSL handshake.<ref>{{cite web|url = https://tools.ietf.org/html/draft-bmoeller-tls-falsestart-00|title = Transport Layer Security (TLS) False Start|date = June 2, 2010|accessdate = November 19, 2017|publisher = Internet Engineering Task Force}}</ref><ref>{{cite web|url = https://blog.chromium.org/2011/05/ssl-falsestart-performance-results.html|title = SSL FalseStart Performance Results|date = May 18, 2011|accessdate = November 19, 2017|publisher = Chromium blog}}</ref><ref>{{cite web|url = https://www.imperialviolet.org/2010/09/05/blacklisting.html|title = Changing HTTPS|date = September 5, 2010|accessdate = November 19, 2017|publisher = Imperial Violet}}</ref> Despite tests showing that it reduces latency by 30%, the effort would be abandoned in April 2012 because of incompatible with some servers doing early HTTPS termination.<ref>{{cite web|url = https://arstechnica.com/information-technology/2012/04/google-abandons-noble-experiment-to-make-ssl-less-painful/|title = False Start’s sad demise: Google abandons noble attempt to make SSL less painful|last = Goodin|first = Dan|date = April 12, 2012|accessdate = November 19, 2017}}</ref> | ||
|- | |- | ||
| 2011 || {{dts|January}} || Website || Facebook || Opt-in HTTPS-only || {{w|Facebook}} begins allowing logged-in users to opt in to have all their Facebook browsing encrypted by HTTPS.<ref name=facebook-https-default>{{cite web|url = https://techcrunch.com/2012/11/18/facebook-https/|title = Facebook Could Slow Down A Tiny Bit As It Starts Switching All Users To Secure HTTPS Connections|last = Constine|first = Josh|date = November 18, 2012|accessdate = November 19, 2017|publisher = ''TechCrunch''}}</ref> | | 2011 || {{dts|January}} || Website || Facebook || Opt-in HTTPS-only || {{w|Facebook}} begins allowing logged-in users to opt in to have all their Facebook browsing encrypted by HTTPS.<ref name=facebook-https-default>{{cite web|url = https://techcrunch.com/2012/11/18/facebook-https/|title = Facebook Could Slow Down A Tiny Bit As It Starts Switching All Users To Secure HTTPS Connections|last = Constine|first = Josh|date = November 18, 2012|accessdate = November 19, 2017|publisher = ''TechCrunch''}}</ref> | ||
Line 31: | Line 33: | ||
|- | |- | ||
| 2013 || {{dts|August 21}} (actual release), August 1 (announcement) || Website || Wikipedia || Default HTTPS-only || Wikimedia Foundation turns on HTTPS for all logged-in users (announcement August 1).<ref>{{cite web|url = https://blog.wikimedia.org/2013/08/01/future-https-wikimedia-projects/|title = The future of HTTPS on Wikimedia projects|date = August 1, 2013|accessdate = September 25, 2016|publisher = Wikimedia Foundation|last = Lane|first = Ryan}}</ref><ref>{{cite web|url = https://www.fastcompany.com/3015199/the-code-war/after-nsas-xkeyscore-wikipedia-switches-to-secure-https|title = After NSA's XKeyscore, Wikipedia Switches To Secure HTTPS. The Wikimedia Foundation has announced it's pushing ahead with plans to secure its online systems due to NSA targeting.|last = Eaton|first = Kit|publisher = ''Fast Company''|date = August 2, 2013|accessdate = September 25, 2016}}</ref> | | 2013 || {{dts|August 21}} (actual release), August 1 (announcement) || Website || Wikipedia || Default HTTPS-only || Wikimedia Foundation turns on HTTPS for all logged-in users (announcement August 1).<ref>{{cite web|url = https://blog.wikimedia.org/2013/08/01/future-https-wikimedia-projects/|title = The future of HTTPS on Wikimedia projects|date = August 1, 2013|accessdate = September 25, 2016|publisher = Wikimedia Foundation|last = Lane|first = Ryan}}</ref><ref>{{cite web|url = https://www.fastcompany.com/3015199/the-code-war/after-nsas-xkeyscore-wikipedia-switches-to-secure-https|title = After NSA's XKeyscore, Wikipedia Switches To Secure HTTPS. The Wikimedia Foundation has announced it's pushing ahead with plans to secure its online systems due to NSA targeting.|last = Eaton|first = Kit|publisher = ''Fast Company''|date = August 2, 2013|accessdate = September 25, 2016}}</ref> | ||
+ | |- | ||
+ | | 2014 || {{dts|September 8}} || Website || Reddit || Opt-in HTTPS-only || Reddit gives logged-in users the option of using the site purely on HTTPS.<ref>{{cite web|url = https://redditblog.com/2014/09/08/hell-its-about-time-reddit-now-supports-full-site-https/|title = Hell, It’s About Time – reddit now supports full-site HTTPS|date = September 8, 2014|accessdate = November 19, 2017|publisher = Reddit}}</ref> | ||
+ | |- | ||
+ | | 2014 || {{dts|November 18}} || Certificate authority || Let's Encrypt || Free HTTPS certificates || {{w|Let's Encrypt}}, a certificate authority service that can issue HTTPS certificates for three months for free (with some limitations on the types of certificate and the conditions under which certificates can be issued), is publicly announced. The service would issue its first certificate on September 14, 2015, and leave beta on April 12, 2016. | ||
|- | |- | ||
| 2015 || {{dts|June 12}} || Website || Wikipedia || Default HTTPS-only || The Wikimedia Foundation publishes a blog post stating that all properties (including Wikipedia) are being switched over to HTTPS; previously, HTTPS was used only for logged-in users. It seems the switch is being made immediately.<ref>{{cite web|url = https://blog.wikimedia.org/2015/06/12/securing-wikimedia-sites-with-https/|title = Securing access to Wikimedia sites with HTTPS|last = Welinder|first = Yana|last2 = Baranetsky|first2 = Victoria|last3 = Black|first3 = Brandon|date = June 12, 2015|accessdate = September 25, 2016|publisher = Wikimedia Foundation}}</ref><ref>{{cite web|url = http://www.welivesecurity.com/2015/06/15/wikipedia-switches-https-default/|title = Wikipedia switches to HTTPS by default|last = Thomas|first = Karl|date = June 15, 2015|accessdate = September 25, 2016|publisher = WeLiveSecurity}}</ref><ref>{{cite web|url = http://arstechnica.com/security/2015/06/wikipedia-goes-all-https-starting-immediately/|title = Wikipedia goes all-HTTPS, starting immediately. "We believe that the time for HTTPS by default is now."|last = Farivar|first = Cyrus|date = June 15, 2015|accessdate = September 25, 2016|publisher = ''[[ArsTechnica]]''}}</ref> | | 2015 || {{dts|June 12}} || Website || Wikipedia || Default HTTPS-only || The Wikimedia Foundation publishes a blog post stating that all properties (including Wikipedia) are being switched over to HTTPS; previously, HTTPS was used only for logged-in users. It seems the switch is being made immediately.<ref>{{cite web|url = https://blog.wikimedia.org/2015/06/12/securing-wikimedia-sites-with-https/|title = Securing access to Wikimedia sites with HTTPS|last = Welinder|first = Yana|last2 = Baranetsky|first2 = Victoria|last3 = Black|first3 = Brandon|date = June 12, 2015|accessdate = September 25, 2016|publisher = Wikimedia Foundation}}</ref><ref>{{cite web|url = http://www.welivesecurity.com/2015/06/15/wikipedia-switches-https-default/|title = Wikipedia switches to HTTPS by default|last = Thomas|first = Karl|date = June 15, 2015|accessdate = September 25, 2016|publisher = WeLiveSecurity}}</ref><ref>{{cite web|url = http://arstechnica.com/security/2015/06/wikipedia-goes-all-https-starting-immediately/|title = Wikipedia goes all-HTTPS, starting immediately. "We believe that the time for HTTPS by default is now."|last = Farivar|first = Cyrus|date = June 15, 2015|accessdate = September 25, 2016|publisher = ''[[ArsTechnica]]''}}</ref> | ||
+ | |- | ||
+ | | 2015 || {{dts|June}} || Website || Reddit || Default HTTPS-only || {{w|Reddit}} switches to HTTPS-only, with users being automatically redirected from HTTP to HTTPS.<ref>{{cite web|url = https://motherboard.vice.com/en_us/article/kbzj7y/reddit-switches-to-https-encryption-by-default|title = Reddit Switches to Encryption By Default. The internet giant will switch to HTTPS by default by the end of the month.|author = Lorenzo Franceschi-Bicchierai|date = June 17, 2015|accessdate = NOvember 19, 2017|publisher = ''Vice''}}</ref><ref>{{cite web|url = https://www.reddit.com/r/redditdev/comments/39zje0/reddit_will_soon_only_be_available_over_https/|title = reddit will soon only be available over HTTPS (self.redditdev)|date = June 16, 2015|accessdate = November 19, 2017|publisher = Reddit}}</ref> | ||
|- | |- | ||
| 2017 || {{dts|May 22}} || Website || Stack Overflow || Default HTTPS-only || {{w|Stack Overflow}} announces that it has migrated to HTTPS, after four years of work on the migration. All other Stack Exchange websites are also moved over to HTTPS.<ref>{{cite web|url = https://nickcraver.com/blog/2017/05/22/https-on-stack-overflow/|title = HTTPS on Stack Overflow: The End of a Long Road|date = May 22, 2017|accessdate = November 19, 2017|last = Craver|first = Nick}}</ref><ref>{{cite web|url = https://stackoverflow.blog/2017/05/22/stack-overflow-flipped-switch-https/|title = How Stack Overflow Flipped the Switch on HTTPS|last = Taylor|first = Anita|date = May 22, 2017|accessdate = November 19, 2017|publisher = Stack Overflow}}</ref> | | 2017 || {{dts|May 22}} || Website || Stack Overflow || Default HTTPS-only || {{w|Stack Overflow}} announces that it has migrated to HTTPS, after four years of work on the migration. All other Stack Exchange websites are also moved over to HTTPS.<ref>{{cite web|url = https://nickcraver.com/blog/2017/05/22/https-on-stack-overflow/|title = HTTPS on Stack Overflow: The End of a Long Road|date = May 22, 2017|accessdate = November 19, 2017|last = Craver|first = Nick}}</ref><ref>{{cite web|url = https://stackoverflow.blog/2017/05/22/stack-overflow-flipped-switch-https/|title = How Stack Overflow Flipped the Switch on HTTPS|last = Taylor|first = Anita|date = May 22, 2017|accessdate = November 19, 2017|publisher = Stack Overflow}}</ref> | ||
|} | |} | ||
+ | |||
+ | == References == | ||
+ | |||
+ | {{reflist|30em}} |
Revision as of 23:18, 18 November 2017
This timeline describes the gradual increase in websites and clients using HTTPS.
Full timeline
Year | Month and date (if available) | Entity type | Entity name | Stage | Details |
---|---|---|---|---|---|
1994 | Browser | Netspace Navigator | Protocol support | Netscape Communications created HTTPS in 1994 for its Netscape Navigator web browser, originally for use with the Secure Sockets Layer (SSL) protocol. | |
2000 | May | Standard | RFC 2818 | RFC 2818 of the Internet Engineering Task Force describes the standard for HTTPS, using HTTP over {{|Transport Layer Security}} (TLS). This is considered a superior, more secure form of HTTPS than HTTPS over SSL. | |
2008 | July 24 | Website | Google (GMail) | Opt-in HTTPS-only | Google adds a setting in GMail for users to always use HTTPS. Even before this, users could (since the inception of GMail) access it securely by explicitly typing https:// in the browser. With the new setting, users who have opted in to it will be redirected from HTTP to HTTPS.[1] |
2010 | January 12 | Website | Google (GMail) | Default HTTPS-only | Google switches all GMail users to redirect to HTTPS; users can change their setings to not redirect to HTTPS. Previously, the default option for this setting was to not redirect, and users had to explicitly choose the option to redirect HTTP to HTTPS.[2] |
2010 | June 17 | Browser extension | HTTPS Everywhere | The Electronic Frontier Foundation and The Tor Project, Inc launch HTTPS Everywhere, a Firefox extension, to make Firefox use HTTPS where possible.[3] The extension would evolve over the coming years. As of 2017, it is supported on Firefox, Chrome, and Opera.[4] | |
2010 | June 2 | Browser enhancement | SSL False Start | A Google team comprising Adam Langley, Nagendra Modadugu, and Bodo Moeller propose SSL False Start, a client-side only change to reduce one round-trip from the SSL handshake.[5][6][7] Despite tests showing that it reduces latency by 30%, the effort would be abandoned in April 2012 because of incompatible with some servers doing early HTTPS termination.[8] | |
2011 | January | Website | Opt-in HTTPS-only | Facebook begins allowing logged-in users to opt in to have all their Facebook browsing encrypted by HTTPS.[9] | |
2011 | March 15 | Website | Opt-in HTTPS-only | Twitter begins allowing logged-in users to opt in to have all their Twitter browsing encrypted by HTTPS.[10] | |
2011 | October 18 | Website | Google Search | Default HTTPS-only | Google makes HTTPS (using SSL) the default option for its search users who are logged in on google.com (its US site; regionally branded sites are not affected).[11][12][13] In particular, webmasters receiving traffic from Google Search will no longer be able to know the search terms that led to a specific visit.[14][15] |
2012 | February 13 | Website | Default HTTPS-only | Twitter makes HTTPS the default for all logged-in users.[16][17][18] | |
2012 | March | Website | Google Search | Default HTTPS-only | Google makes secure search the default globally for signed-in users. Previously, the change was limited to users on google.com.[19] |
2012 | November | Website | Default HTTPS-only | Facebook rolls out its transition to HTTPS by default for all users, beginning with North America.[20][9] | |
2012 | November 19 | Standard | RFC 6797 | Default HTTPS-only | The HTTP Strict Transport Security (HSTS) standard is published, after being approved on October 2.[21] The standard allows a website to set a header specifying a time period over which the client must connect to the website only via HTTPS. This protects against protocol downgrade attacks and cookie hijacking, and also avoids the extra latency involved in redirecting HTTP to HTTPS. |
2013 | August 21 (actual release), August 1 (announcement) | Website | Wikipedia | Default HTTPS-only | Wikimedia Foundation turns on HTTPS for all logged-in users (announcement August 1).[22][23] |
2014 | September 8 | Website | Opt-in HTTPS-only | Reddit gives logged-in users the option of using the site purely on HTTPS.[24] | |
2014 | November 18 | Certificate authority | Let's Encrypt | Free HTTPS certificates | Let's Encrypt, a certificate authority service that can issue HTTPS certificates for three months for free (with some limitations on the types of certificate and the conditions under which certificates can be issued), is publicly announced. The service would issue its first certificate on September 14, 2015, and leave beta on April 12, 2016. |
2015 | June 12 | Website | Wikipedia | Default HTTPS-only | The Wikimedia Foundation publishes a blog post stating that all properties (including Wikipedia) are being switched over to HTTPS; previously, HTTPS was used only for logged-in users. It seems the switch is being made immediately.[25][26][27] |
2015 | June | Website | Default HTTPS-only | Reddit switches to HTTPS-only, with users being automatically redirected from HTTP to HTTPS.[28][29] | |
2017 | May 22 | Website | Stack Overflow | Default HTTPS-only | Stack Overflow announces that it has migrated to HTTPS, after four years of work on the migration. All other Stack Exchange websites are also moved over to HTTPS.[30][31] |
References
- ↑ Rideout, Ariel (July 24, 2008). "Making security easier". Google. Retrieved November 19, 2017.
- ↑ Schillace, Sam (January 12, 2010). "Default https access for Gmail". Google. Retrieved November 19, 2017.
- ↑ Eckersley, Peter (June 17, 2010). "Encrypt the Web with the HTTPS Everywhere Firefox Extension". Electronic Frontier Foundation. Retrieved November 19, 2017.
- ↑ "HTTPS Everywhere". Retrieved November 19, 2017.
- ↑ "Transport Layer Security (TLS) False Start". Internet Engineering Task Force. June 2, 2010. Retrieved November 19, 2017.
- ↑ "SSL FalseStart Performance Results". Chromium blog. May 18, 2011. Retrieved November 19, 2017.
- ↑ "Changing HTTPS". Imperial Violet. September 5, 2010. Retrieved November 19, 2017.
- ↑ Goodin, Dan (April 12, 2012). "False Start's sad demise: Google abandons noble attempt to make SSL less painful". Retrieved November 19, 2017.
- ↑ 9.0 9.1 Constine, Josh (November 18, 2012). "Facebook Could Slow Down A Tiny Bit As It Starts Switching All Users To Secure HTTPS Connections". TechCrunch. Retrieved November 19, 2017.
- ↑ "Making Twitter more secure: HTTPS". Twitter. March 15, 2011. Retrieved November 19, 2017.
- ↑ "Making search more secure". Google. October 18, 2011. Retrieved November 19, 2017.
- ↑ Boulton, Clint (October 18, 2011). "Google Makes HTTPS Encryption Default for Search". eweek. Retrieved November 19, 2017.
- ↑ Sullivan, Danny (October 18, 2011). "Google To Begin Encrypting Searches & Outbound Clicks By Default With SSL Search". Search Engine Land. Retrieved November 19, 2017.
- ↑ "Making search more secure: Accessing search query data in Google Analytics". October 18, 2011. Retrieved November 19, 2017.
- ↑ Sullivan, Danny (October 22, 2011). "Google Puts A Price On Privacy". Retrieved November 19, 2017.
- ↑ "Securing your Twitter experience with HTTPS". Twitter. February 13, 2012. Retrieved November 19, 2017.
- ↑ "Should All Web Traffic Be Encrypted?". Coding Horror. February 23, 2012. Retrieved November 19, 2017.
- ↑ Brinkmann, Martin (February 14, 2012). "Twitter Makes HTTPS Default For Signed In Users". Retrieved November 19, 2017.
- ↑ "Bringing more secure search around the globe". March 5, 2012. Retrieved November 19, 2017.
- ↑ Asthana, Shireesh (November 15, 2012). "Platform Updates: Operation Developer Love". Facebook. Retrieved November 19, 2017.
- ↑ "HTTP Strict Transport Security (HSTS)". November 19, 2012. Retrieved November 19, 2017.
- ↑ Lane, Ryan (August 1, 2013). "The future of HTTPS on Wikimedia projects". Wikimedia Foundation. Retrieved September 25, 2016.
- ↑ Eaton, Kit (August 2, 2013). "After NSA's XKeyscore, Wikipedia Switches To Secure HTTPS. The Wikimedia Foundation has announced it's pushing ahead with plans to secure its online systems due to NSA targeting.". Fast Company. Retrieved September 25, 2016.
- ↑ "Hell, It's About Time – reddit now supports full-site HTTPS". Reddit. September 8, 2014. Retrieved November 19, 2017.
- ↑ Welinder, Yana; Baranetsky, Victoria; Black, Brandon (June 12, 2015). "Securing access to Wikimedia sites with HTTPS". Wikimedia Foundation. Retrieved September 25, 2016.
- ↑ Thomas, Karl (June 15, 2015). "Wikipedia switches to HTTPS by default". WeLiveSecurity. Retrieved September 25, 2016.
- ↑ Farivar, Cyrus (June 15, 2015). "Wikipedia goes all-HTTPS, starting immediately. "We believe that the time for HTTPS by default is now."". ArsTechnica. Retrieved September 25, 2016.
- ↑ Lorenzo Franceschi-Bicchierai (June 17, 2015). "Reddit Switches to Encryption By Default. The internet giant will switch to HTTPS by default by the end of the month.". Vice. Retrieved NOvember 19, 2017. Check date values in:
|access-date=
(help) - ↑ "reddit will soon only be available over HTTPS (self.redditdev)". Reddit. June 16, 2015. Retrieved November 19, 2017.
- ↑ Craver, Nick (May 22, 2017). "HTTPS on Stack Overflow: The End of a Long Road". Retrieved November 19, 2017.
- ↑ Taylor, Anita (May 22, 2017). "How Stack Overflow Flipped the Switch on HTTPS". Stack Overflow. Retrieved November 19, 2017.