Timeline of HTTPS adoption

From Timelines
Revision as of 19:35, 19 November 2017 by Vipul (talk | contribs)
Jump to: navigation, search

This timeline describes the gradual increase in websites and clients using HTTPS.

Full timeline

Year Month and date (if available) Entity type Entity name Stage Details
1994 Browser Netspace Navigator Protocol support Netscape Communications creates HTTPS for its Netscape Navigator web browser, originally for use with the Secure Sockets Layer (SSL) protocol.
2000 May Standard RFC 2818 RFC 2818 of the Internet Engineering Task Force describes the standard for HTTPS, using HTTP over Transport Layer Security (TLS). This is considered a superior, more secure form of HTTPS than HTTP over SSL.
2008 July 24 Webmail Google (Gmail) Opt-in HTTPS-only Google adds a setting in Gmail for users to always use HTTPS. Even before this, users could (since the inception of Gmail) access it securely by explicitly typing https:// in the browser. With the new setting, users who have opted in to it will be redirected from HTTP to HTTPS.[1]
2010 January 12 Webmail Google (Gmail) Default HTTPS-only Google switches all Gmail users to redirect to HTTPS; users can change their setings to not redirect to HTTPS. Previously, the default option for this setting was to not redirect, and users had to explicitly choose the option to redirect HTTP to HTTPS.[2]
2010 June 17 Browser extension HTTPS Everywhere The Electronic Frontier Foundation and The Tor Project, Inc launch HTTPS Everywhere, a Firefox extension, to make Firefox use HTTPS where possible.[3] The extension would evolve over the coming years. As of 2017, it is supported on Firefox, Chrome, and Opera.[4]
2010 June 2 Browser enhancement SSL False Start A Google team comprising Adam Langley, Nagendra Modadugu, and Bodo Moeller propose SSL False Start, a client-side only change to reduce one round-trip from the SSL handshake.[5][6][7] Despite tests showing that it reduces latency by 30%, the effort would be abandoned in April 2012 because of incompatibility with some servers doing early HTTPS termination.[8]
2010 October Browser extension Firesheep Vulnerability exploit Firesheep, a Firefox browser extension that uses a packet analyzer to intercept unencrypted session cookies over Wi-Fi networks, is released. The extension highlights the need for greater security, both in terms of websites moving to HTTPS (end-to-end security) and improving security of Wi-Fi.
2010 October 14 Proxy/load balancer AWS Elastic Load Balancing AWS Elastic Load Balancing announces support for SSL termination. This means that websites hosted on AWS, behind AWS load balancers, can upload their certificates to the load balancer, and have the load balancer take care of the SSL certificate, so that the servers that receive the actual traffic only have to handle HTTP traffic.[9]
2010 November 3 Website GitHub Default HTTPS-only In response to the release of Firesheep, GitHub moves to HTTPS for all users; previously full-session SSL was only available to paying users.[10]
2010 November 9 Webmail Hotmail (Microsoft) Opt-in HTTPS-only Microsoft lets users of its web-based email service, Hotmail, set HTTPS by default.[11][12]
2011 January Website Facebook Opt-in HTTPS-only Facebook begins allowing logged-in users to opt in to have all their Facebook browsing encrypted by HTTPS.[13]
2011 January Standard OCSP stapling RFC 6066, introducing OCSP stapling, is published.[14] OCSP stapling is an alternative approach to the Online Certificate Status Protocol llows the presenter of a certificate to bear the resource cost involved in providing OCSP responses by appending ("stapling") a time-stamped OCSP response signed by the CA to the initial TLS handshake, eliminating the need for clients to contact the certificate authority. RFC 6961 would cover the case of multiple OCSP stapling.[15]
2011 March 15 Website Twitter Opt-in HTTPS-only Twitter begins allowing logged-in users to opt in to have all their Twitter browsing encrypted by HTTPS.[16]
2011 July 15 Proxy/load balancer Nginx GlobalSign, DigiCert, Comodo and NGINX Inc. announce a joint effort to add OCSP-stapling support to Nginx.[17]
2011 October 18 Search engine Google Search Default HTTPS-only Google makes HTTPS (using SSL) the default option for its search users who are logged in on google.com (its US site; regionally branded sites are not affected).[18][19][20] In particular, webmasters receiving traffic from Google Search will no longer be able to know the search terms that led to a specific visit.[21][22]
2012 February 13 Website Twitter Default HTTPS-only Twitter makes HTTPS the default for all logged-in users.[23][24][25]
2012 March Search engine Google Search Default HTTPS-only Google makes secure search the default globally for signed-in users. Previously, the change was limited to users on google.com.[26]
2012 July 31 Webmail Outlook (formerly Hotmail) (Microsoft) Default HTTPS-only With the rebranding of Hotmail as Outlook.com, Microsoft moves to default HTTPS-only for all usersof the web-based email service.[12]
2012 October 9 Website Quora Opt-in HTTPS-only On or before this date, question-and-answer website Quora allows logged-in users to opt in to HTTPS-only.[27]
2012 November Website Facebook Default HTTPS-only Facebook rolls out its transition to HTTPS by default for all users, beginning with North America.[28][13] The move is reported to be completed on August 1, 2013.[29]
2012 November 19 Standard RFC 6797 Default HTTPS-only The HTTP Strict Transport Security (HSTS) standard is published, after being approved on October 2.[30] The standard allows a website to set a header specifying a time period over which the client must connect to the website only via HTTPS. This protects against protocol downgrade attacks and cookie hijacking, and also avoids the extra latency involved in redirecting HTTP to HTTPS.
2013 August 21 (actual release), August 1 (announcement) Website Wikipedia Default HTTPS-only Wikimedia Foundation turns on HTTPS for all logged-in users (announcement August 1).[31][32]
2013 September Search engine Google Search Default HTTPS-only Google Search moves all searches, even those by users who are not logged in, to HTTPS. The only exception is ad clicks. The change is believed to be a response to concerns about privacy triggered by relevations about PRISM, a United States federal government surveillance program.[33]
2013 September 26 Website Imgur HTTPS available Image-hosting service Imgur makes HTTPS available sitewide.[34]
2013 October 14 Webmail Yahoo! Default HTTPS-only Yahoo! Mail moves to a default of HTTPS-only.[12]
2013 October 24, 25 Website Internet Archive Default HTTPS-only The Internet Archive announces that its websites archive.org (which includes the Wayback Machine at web.archive.org) and openlibrary.org are defaulted to HTTPS-only, though they will still be available over HTTP.[35][36][37]
2014 January 22 Search engine Yahoo! Default HTTPS-only Yahoo! Search makes HTTPS-only the default. The change is initially rolled out on yahoo.com, but is expected to be rolled out to other regions as well.[38]
2014 July 29 App Instagram Default HTTPS-only In response to reports about a zero-day security vulnerability, Instagram co-founder Mike Krieger reveals that the app is being moved over to HTTPS, with some parts of the app already 100% HTTPS.[39]
2014 August 6 Search ranking Google Search HTTPS boost Google announces search results will give preference to sites using HTTPS. This added ranking signal would be a "lightweight" ranking boost.[40][41]
2014 September 8 Website Reddit Opt-in HTTPS-only Reddit gives logged-in users the option of using the site purely on HTTPS.[42]
2014 November 18 Certificate authority Let's Encrypt Free HTTPS certificates Let's Encrypt, a certificate authority service that can issue HTTPS certificates for three months for free (with some limitations on the types of certificate and the conditions under which certificates can be issued), is publicly announced. The service would issue its first certificate on September 14, 2015, and leave beta on April 12, 2016.
2015 January 18 Report/Observatory HTTPSWatch State of HTTPS adoption The oldest Internet Archive snapshot of HTTPSWatch appears to be on this date. The snapshot says that it is inspired by Alex Gaynor's blog posts that were published in November and December 2014, so it is likely to be pretty close to the actual start date.[43][44][45]
2015 February Browser Chrome HTTP/2 Chrome begins rolling out support for HTTP/2. Chrome supports HTTP/2 only over HTTPS, even though the standard allows for HTTP/2 outside of HTTPS (through the selective use of encryption).[46]
2015 March 12 Website/App Pinterest Default HTTPS-only Pinterest announces that it has moved over to HTTPS, describing the challenges it faced along the way. With the increased security in place due to HTTPS, Pinterest also introduces a paid bug bounty program for the white hat hacker community to find security flaws.[47]
2015 June 8 Website United States government Default HTTPS-only The White House Office of Management and Budget issues the HTTPS-Only Standard directive requiring that all United States federal government websites provide service only via HTTPS, with a deadline of end of 2016.[48][49][50]
2015 June 12 Website Wikipedia Default HTTPS-only The Wikimedia Foundation publishes a blog post stating that all properties (including Wikipedia) are being switched over to HTTPS; previously, HTTPS was used only for logged-in users. It seems the switch is being made immediately.[51][52][53]
2015 June Search engine Bing Default HTTPS-only Microsoft announces that it will make HTTPS-only the default on Bing, its search engine.[54][55]
2015 June Website Reddit Default HTTPS-only Reddit switches to HTTPS-only, with users being automatically redirected from HTTP to HTTPS.[56][57]
2015 October 14 Browser Chrome Mixed-content With version 46, Chrome kills off its HTTP-HTTPS "mixed-content" address bar warning. Now, HTTPS pages that load some auxiliary resources (such as images, calls to ad networks, etc.) over HTTP will say https in the address bar without the secure lock or green coloring. The change is based on the idea that mixed HTTP-HTTPS is in fact more secure than pure HTTP, and therefore should not appear scarier, and is intended to "encourage site operators to switch to HTTPS sooner rather than later."[58][59]
2016 February Website Wikipedia Referrer policy The Wikimedia Foundation rolls out an update to the HTTPS meta referrer policy, that reveals the Origin rather than the full path of the referring domain. This means that websites that receive traffic from Wikipedia can once again calculate how much traffic they are receiving from Wikipedia, an ability that was lost in the switch to HTTPS. However, unlike the pre-HTTPS situation, full referral paths are not accessible, so websites cannot know what Wikipedia pages are sending traffic to them. For more, see Research:Wikimedia referrer policy.[60]
2016 March 15 Report/Observatory Google Transparency Report State of HTTPS adoption Google announces that it is adding a new section to its Transparency Report to track the progress of HTTPS adoption.[61][62][63]
2016 June 15 Website TechCrunch Default HTTPS-only Technology new website TechCrunch announces that it has gone HTTPS-only.[64]
2016 August 1 Website YouTube State of HTTPS adoption YouTube announces that it serves 97% of traffic over HTTPS.[65]
2016 August Website Netflix Default HTTPS-only Netflix announces that it is adding TLS encryption to all its video streams, and expects to finish the process by year-end.[66][67]
2016 August 25 Report/Observatory Mozilla State of HTTPS adoption Mozilla, the organization that manages the Firefox browser, creates the Mozilla Observatory to track the web and its security. Among other things, this tracks the state of HTTPS adoption.[68][69]
2017 January 10 Website New York Times Default HTTPS-only The New York Times announces that it has made a number of its articles default to HTTPS, including the home page, section and topic pages, and all articles published 2014 or later, and that it plans to make the rest of its site HTTPS as well.[70]
2017 January Browser Chrome Security warning With version 56, Google Chrome begins marking as "Not Secure" (in the address bar) any webpages collecting sensitive data such as passwords or credit-card information without using HTTPS.[71][72]
2017 March 30 Website Pornhub Default HTTPS-only Pornhub, the world's largest pornographic video site, switches to HTTPS-only. Sister service YouPorn is scheduled to go HTTPS-only on April 4.[73][74]
2017 May 22 Website Stack Overflow Default HTTPS-only Stack Overflow announces that it has migrated to HTTPS, after four years of work on the migration. All other Stack Exchange websites are also moved over to HTTPS.[75][76]
2017 September 13 Website Imgur Default HTTPS-only Image-hosting service Imgur defaults to HTTPS-only for all users (both logged-in and others).[77]
2017 October Browser Chrome Security warning Starting with version 62, Chrome begins marking all non-HTTPS webpages as "Not Secure" for users in incognito mode.[72]
2017 Report Research at Google State of HTTPS adoption Research at Google publishes a paper titled Measuring HTTPS adoption on the web.[78][79]

References

  1. Rideout, Ariel (July 24, 2008). "Making security easier". Google. Retrieved November 19, 2017. 
  2. Schillace, Sam (January 12, 2010). "Default https access for Gmail". Google. Retrieved November 19, 2017. 
  3. Eckersley, Peter (June 17, 2010). "Encrypt the Web with the HTTPS Everywhere Firefox Extension". Electronic Frontier Foundation. Retrieved November 19, 2017. 
  4. "HTTPS Everywhere". Retrieved November 19, 2017. 
  5. "Transport Layer Security (TLS) False Start". Internet Engineering Task Force. June 2, 2010. Retrieved November 19, 2017. 
  6. "SSL FalseStart Performance Results". Chromium blog. May 18, 2011. Retrieved November 19, 2017. 
  7. "Changing HTTPS". Imperial Violet. September 5, 2010. Retrieved November 19, 2017. 
  8. Goodin, Dan (April 12, 2012). "False Start's sad demise: Google abandons noble attempt to make SSL less painful". Retrieved November 19, 2017. 
  9. Barr, Jeff (October 14, 2010). "AWS Elastic Load Balancing: Support for SSL Termination". Amazon Web Services. Retrieved November 19, 2017. 
  10. "GitHub moves to SSL, but remains Firesheepable". Netcraft. November 3, 2010. Retrieved November 20, 2017. 
  11. Mills, Elinor (November 9, 2010). "Microsoft lets Hotmail users set encryption by default. Microsoft adds full-session encryption option to HOtmail and SSL for SkyDrive, Photos, Docs, and Devices pages.". CNet. Retrieved November 20, 2017. 
  12. 12.0 12.1 12.2 Peterson, Andrea; Gellman, Barton; Soltani, Ashkan (October 14, 2013). "Yahoo to make SSL encryption the default for Webmail users. Finally.". Retrieved November 20, 2017. 
  13. 13.0 13.1 Constine, Josh (November 18, 2012). "Facebook Could Slow Down A Tiny Bit As It Starts Switching All Users To Secure HTTPS Connections". TechCrunch. Retrieved November 19, 2017. 
  14. "Transport Layer Security (TLS) Extensions: Extension Definitions". January 1, 2011. Retrieved November 19, 2017. 
  15. "The Transport Layer Security (TLS) Multiple Certificate Status Request Extension". June 1, 2013. Retrieved November 19, 2017. 
  16. "Making Twitter more secure: HTTPS". Twitter. March 15, 2011. Retrieved November 19, 2017. 
  17. "GlobalSign, DigiCert and Comodo Collaborate with NGINX to Improve Online Trust through Enhanced Certificate Revocation Checking, sign a Sponsorship Agreement. New version of the popular NGINX web server to support OCSP-stapling". NGINX, Inc. July 15, 2011. Retrieved November 19, 2017. 
  18. "Making search more secure". Google. October 18, 2011. Retrieved November 19, 2017. 
  19. Boulton, Clint (October 18, 2011). "Google Makes HTTPS Encryption Default for Search". eweek. Retrieved November 19, 2017. 
  20. Sullivan, Danny (October 18, 2011). "Google To Begin Encrypting Searches & Outbound Clicks By Default With SSL Search". Search Engine Land. Retrieved November 19, 2017. 
  21. "Making search more secure: Accessing search query data in Google Analytics". October 18, 2011. Retrieved November 19, 2017. 
  22. Sullivan, Danny (October 22, 2011). "Google Puts A Price On Privacy". Retrieved November 19, 2017. 
  23. "Securing your Twitter experience with HTTPS". Twitter. February 13, 2012. Retrieved November 19, 2017. 
  24. "Should All Web Traffic Be Encrypted?". Coding Horror. February 23, 2012. Retrieved November 19, 2017. 
  25. Brinkmann, Martin (February 14, 2012). "Twitter Makes HTTPS Default For Signed In Users". Retrieved November 19, 2017. 
  26. "Bringing more secure search around the globe". March 5, 2012. Retrieved November 19, 2017. 
  27. Cook, Tom (October 9, 2012). "Does Quora support HTTPS? Tom Cook's answer log". Retrieved November 20, 2017. 
  28. Asthana, Shireesh (November 15, 2012). "Platform Updates: Operation Developer Love". Facebook. Retrieved November 19, 2017. 
  29. "Secure browsing by default". August 1, 2013. Retrieved November 20, 2017. 
  30. "HTTP Strict Transport Security (HSTS)". November 19, 2012. Retrieved November 19, 2017. 
  31. Lane, Ryan (August 1, 2013). "The future of HTTPS on Wikimedia projects". Wikimedia Foundation. Retrieved September 25, 2016. 
  32. Eaton, Kit (August 2, 2013). "After NSA's XKeyscore, Wikipedia Switches To Secure HTTPS. The Wikimedia Foundation has announced it's pushing ahead with plans to secure its online systems due to NSA targeting.". Fast Company. Retrieved September 25, 2016. 
  33. Sullivan, Danny (September 23, 2013). "Post-PRISM, Google Confirms Quietly Moving To Make All Searches Secure, Except For Ad Clicks". Retrieved November 20, 2017. 
  34. "100 MILLION UNIQUES, HIGHER UPLOAD LIMITS, AND HTTPS SUPPORT". September 26, 2013. Retrieved November 20, 2017. 
  35. Kahle, Brewster (October 25, 2013). "Reader Privacy at the Internet Archive". Retrieved November 19, 2017. 
  36. Streitfeld, David (October 24, 2013). "Internet Archive Will Shield Visitors". New York Times Bits Blog. Retrieved November 19, 2017. 
  37. Protalinski, Emil (October 25, 2013). "With over 3 million users per day, the Internet Archive switches to HTTPS connections by default". The Next Web. Retrieved November 19, 2017. 
  38. Sullivan, Danny (January 22, 2014). "Yahoo Makes Secure Search The Default". MarketingLand. Retrieved November 20 2017.  Check date values in: |access-date= (help)
  39. "Instagram to use HTTPS following discovery of gaping security hole in iOS app. Security expert warns users should not use the app until a patch is released". The Inquirer. July 29, 2014. Retrieved November 19, 2017. 
  40. "HTTPS as a ranking signal". www.google.com. Retrieved Dec 1, 2014. 
  41. Russell, Jon (August 7, 2014). "Google is now ranking websites with HTTPS higher in its search results". The Next Web. Retrieved November 19, 2017. 
  42. "Hell, It's About Time – reddit now supports full-site HTTPS". Reddit. September 8, 2014. Retrieved November 19, 2017. 
  43. "HTTPSWatch (About section)". Retrieved January 18, 2015. 
  44. Gaynor, Alex (November 12, 2015). "The State of the News and TLS". Retrieved November 20, 2015. 
  45. Gaynor, Alex (December 30, 2014). "The State of the News and TLS: Part II". Retrieved November 20, 2017. 
  46. "Hello HTTP/2, Goodbye SPDY". Chromium. February 9, 2015. Retrieved November 19, 2017. 
  47. Moreno, Paul (March 12, 2015). "Making Pinterest HTTPS". Pinterest Engineering via Medium. Retrieved November 20, 2017. 
  48. Scott, Tony (June 8, 2015). "Policy to Require Secure Connections across Federal Websites and Web Services" (PDF). Retrieved November 20, 2017. 
  49. Scott, Tony (June 8, 2015). "HTTPS-Everywhere for Government". Obama White House Archives. Retrieved November 20, 2017. 
  50. Williams, Martyn (June 8, 2015). "US to require HTTPS for all government websites. All public sites will be required to use the protocol by the end of 2016". Retrieved November 20, 2017. 
  51. Welinder, Yana; Baranetsky, Victoria; Black, Brandon (June 12, 2015). "Securing access to Wikimedia sites with HTTPS". Wikimedia Foundation. Retrieved September 25, 2016. 
  52. Thomas, Karl (June 15, 2015). "Wikipedia switches to HTTPS by default". WeLiveSecurity. Retrieved September 25, 2016. 
  53. Farivar, Cyrus (June 15, 2015). "Wikipedia goes all-HTTPS, starting immediately. "We believe that the time for HTTPS by default is now."". ArsTechnica. Retrieved September 25, 2016. 
  54. "Bing Moving to Encrypt Search Traffic by Default". Bing. June 15, 2015. Retrieved November 20, 2017. 
  55. Schick, Shane (June 22, 2015). "Microsoft to Make HTTPS a Default Setting for Bing". Retrieved November 20, 2017. 
  56. Lorenzo Franceschi-Bicchierai (June 17, 2015). "Reddit Switches to Encryption By Default. The internet giant will switch to HTTPS by default by the end of the month.". Vice. Retrieved November 19, 2017. 
  57. "reddit will soon only be available over HTTPS (self.redditdev)". Reddit. June 16, 2015. Retrieved November 19, 2017. 
  58. Anthony, Sebastian (October 14, 2015). "Chrome finally kills off the HTTP-HTTPS "mixed content" warning. Slightly alarming and not wholly useful yellow triangle is being retired.". Retrieved November 20, 2017. 
  59. Whittaker, Zack (October 14, 2015). "Chrome 46 loosens up on HTTPS 'mixed content' warnings. The browser -- known for being a bit overkill -- finally drops its yellow-warning attached to pages with both secure and non-secure content.". Retrieved November 19, 2017. 
  60. "Set an explicit "Origin When Cross-Origin" referer policy via the meta referrer tag". August 18, 2015. Retrieved March 10, 2017. 
  61. "Securing the web, together". Google Security Blog. March 15, 2016. Retrieved November 19, 2017. 
  62. Schwartz, Barry (March 16, 2016). "Google Report On HTTPS Adoption Within Google & The Top Web Sites". Search Engine Roundtable. Retrieved November 19, 2017. 
  63. "Google's Transparency Report to Include HTTPS Adoption Rates". Search Engine Journal. March 25, 2016. Retrieved November 19, 2017. 
  64. Wilke, Nicole (June 15, 2016). "TechCrunch has gone HTTPS". Retrieved November 19, 2017. 
  65. "YouTube's road to HTTPS". YouTube. August 1, 2016. Retrieved November 19, 2017. 
  66. "Protecting Netflix Viewing Privacy at Scale". Netflix on Medium. August 8, 2016. Retrieved November 19, 2017. 
  67. "Netflix explains how and why it's switching to HTTPS streaming. Adding encryption increases privacy for viewers -- and for Netflix.". August 9, 2016. Retrieved November 19, 2017. 
  68. King, April (April 25, 2016). "Observatory by Mozilla: Making the Web Safer". Retrieved November 20, 2017. 
  69. Paganini, Pierluigi (August 27, 2016). "Mozilla launched the Observatory tool to test the security of websites". Retrieved November 20, 2017. 
  70. Konigsburg, Eitan; Wan, Vinessa (January 1, 2010). "HTTPS on NYTimes.com". New York Times Open blog. Retrieved November 19, 2017. 
  71. Murray, Brock (January 21, 2017). "Google Is Requiring HTTPS for Secure Data in Chrome". Retrieved November 19, 2017. 
  72. 72.0 72.1 Tung, Liam (April 28, 2017). "Google tightens noose on HTTP: Chrome to stick 'Not secure' on pages with search fields. In October, Google will begin phase two of its plan to label all HTTP pages as non-secure.". ZDNet. Retrieved November 15, 2017. 
  73. Barrett, Brian (March 30, 2017). "THE WORLD'S BIGGEST PORN SITE GOES ALL-IN ON ENCRYPTION". Wired. Retrieved November 9, 2017. 
  74. Garun, Natt (March 30, 2017). "Pornhub now turns on encryption by default". The Verge. Retrieved November 19, 2017. 
  75. Craver, Nick (May 22, 2017). "HTTPS on Stack Overflow: The End of a Long Road". Retrieved November 19, 2017. 
  76. Taylor, Anita (May 22, 2017). "How Stack Overflow Flipped the Switch on HTTPS". Stack Overflow. Retrieved November 19, 2017. 
  77. "Defaulting to https (01-XX-2015) - Request fulfilled as of 09-13-2017!". January 29, 2015. Retrieved November 20, 2017. 
  78. Feit, Adrienne Porter; Barnes, Richard; King, April; Palmer, Chris; Bentzel, Chris; Tabriz, Parisa. "Measuring HTTPS adoption on the web". Retrieved November 20, 2017. 
  79. Feit, Adrienne Porter; Barnes, Richard; King, April; Palmer, Chris; Bentzel, Chris; Tabriz, Parisa. "Measuring HTTPS adoption on the web" (PDF). Retrieved November 20, 2017.