Changes


Timeline of HTTPS adoption

1,666 bytes added, 02:16, 21 November 2017
no edit summary
|-
| Ecosystem || Server-side || Advertising || || Various backend ecosystems that power the technology and monetization of the web, such as advertising, need to support HTTPS in order to complete the transition to HTTPS.
|}
 
=== Time period grouping ===
 
{| class="wikitable sortable"
! Time period !! Qualitative summary of developments
|-
| 1994–2007 || During this period, many of the standards related to HTTPS (HTTP over SSL, HTTP over TLS, SNI) are published as RFCs by the Internet Engineering Task Force. Certificate authorities (CAs) come into being and the CA/Browser Forum is created. A few sites, generally those related to e-commerce, start using HTTPS.
|-
| 2008–2012 || The move to HTTPS begins, with Google taking the lead, and Twitter and Facebook following. Webmail moves first, then search for logged-in users. The general playbook is: HTTPS available, opt-in HTTPS-only, then default HTTPS-only.
|-
| 2013–2014 || The move to HTTPS continues, with laggers in webmail and search catching up on encryption, and Google beginning encryption even for non-logged-in users. Toward the end of this period, Google begins aggressively pushing for the whole web to go HTTPS, first by stating that HTTPS will be a search ranking signal, then by declaring that Chrome eventually intends to mark all plain HTTP sites as not secure.
|-
| 2015–2017 || This is the period when the move to HTTPS intensifies among a number of ordinary websites. Wikipedia, Wordpress.com (?), Reddit, Imgur, and some major newspapers and magazines like the ''New York Times'', ''TechCrunch'', and ''Wired'' go HTTPS. Chrome begins the process of marking plain HTTP sites as Not Secure. Let's Encrypt makes it easy and free for people to move to HTTPS. Google and others set up systematic tracking of the proportion of HTTPS usage, and the period ends with a significant increase in HTTPS use.
|}
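Review bot: The 2015–2017 row of the new "Time period grouping" table still carries an unresolved marker, "Wordpress.com (?)"; check the date against the full timeline and either drop the "(?)" or remove the entry until it is sourced. The summary rows also have no <ref> tags, unlike the timeline rows elsewhere on the page, so a sentence pointing readers to the full timeline for sources would help. Two wording points: "laggers" in the 2013–2014 row should be "laggards", and the Chrome label is written "not secure" in the 2013–2014 row but "Not Secure" in the 2015–2017 row, so pick one form.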
| 2012 || {{dts|November 19}} || Standard || RFC 6797 || Default HTTPS-only || The {{w|HTTP Strict Transport Security}} (HSTS) standard is published, after being approved on October 2.<ref>{{cite web|url = https://tools.ietf.org/html/rfc6797|title = HTTP Strict Transport Security (HSTS)|date = November 19, 2012|accessdate = November 19, 2017}}</ref> The standard allows a website to set a header specifying a time period over which the client must connect to the website only via HTTPS. This protects against {{w|protocol downgrade attack}}s and {{w|cookie hijacking}}, and also avoids the extra latency involved in redirecting HTTP to HTTPS.
|-
| 2013 || {{dts|February}} || || || || The {{w|Certificate Authority Security Council}} is founded by the seven largest [[w:certificate authority|certificate authorities]]: {{w|Comodo}}, {{w|Symantec}}, {{w|Trend Micro}}, {{w|DigiCert}}, {{w|Entrust}}, {{w|Entrust}}, {{w|GlobalSign}}, and {{w|GoDaddy}}.
|-
| 2013 || {{dts|August 21}} (actual release), August 1 (announcement) || Website || Wikipedia || Default HTTPS-only || Wikimedia Foundation turns on HTTPS for all logged-in users (announcement August 1).<ref>{{cite web|url = https://blog.wikimedia.org/2013/08/01/future-https-wikimedia-projects/|title = The future of HTTPS on Wikimedia projects|date = August 1, 2013|accessdate = September 25, 2016|publisher = Wikimedia Foundation|last = Lane|first = Ryan}}</ref><ref>{{cite web|url = https://www.fastcompany.com/3015199/the-code-war/after-nsas-xkeyscore-wikipedia-switches-to-secure-https|title = After NSA's XKeyscore, Wikipedia Switches To Secure HTTPS. The Wikimedia Foundation has announced it's pushing ahead with plans to secure its online systems due to NSA targeting.|last = Eaton|first = Kit|publisher = ''Fast Company''|date = August 2, 2013|accessdate = September 25, 2016}}</ref>
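Review bot: The February 2013 row says the Certificate Authority Security Council is founded by "the seven largest" certificate authorities, but the list has eight entries because {{w|Entrust}} appears twice; remove the duplicate so the list matches the stated count. That row also has no <ref> and leaves its three classification columns empty, unlike the RFC 6797 and Wikipedia rows on either side, so add a citation and fill in the columns or note why they are blank.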