Real Talk About HTTPS

Emily Stark

@estark37

What does HTTP mean?

What does HTTP mean?

What does HTTP mean?

What does HTTP mean?

Being honest about what HTTP means

In this talk...

​

• HTTPS usage today

​

• What Chrome is doing to help you use HTTPS

​

• Omnibox changes coming soon to a Chrome near you

​

Real talk: HTTPS usage in Chrome

​

41 of the top sites support HTTPS.

(+12 since February 2016)

% of pages loaded over HTTPS

https://www.google.com/transparencyreport/https/metrics/

% time spent on HTTPS

https://www.google.com/transparencyreport/https/metrics/

Behind the numbers

Functionality

Functionality

Functionality

[K]ey features of certain products, such as the location-finding feature within the Homepage, Travel News and Weather sites, would stop working if we didn’t enable HTTPS for those services.

• BBC.co.uk Internet Blog (https://goo.gl/etPr8R)

Performance

Performance

When we launched [HTTPS], we saw an average of a 50ms hit for negotiation… it was more than offset when we activated HTTP/2 a month later and saw an overall drop of ~250ms per pageview on supported devices.

​

​

• Weather.com

We need your help!

Each false alarm reduces the credibility of a warning system.

- “Cry wolf: the psychology of false alarms”�Shlomo Breznitz 1984

Help is on the way!

​

Free, easy certificates

Let’s Encrypt is a trademark of the Internet Security Research Group.

Crowdfunding now! https://letsencrypt.org/2016/11/01/launching-our-crowdfunding-campaign.html

Improving internal support for HTTPS

All ads that come from any Google source always support HTTPS, including AdWords, AdSense, or DoubleClick Ad Exchange...

- “Here’s to more HTTPS on the web!”, Google Security Blog (Nov 3, 2016)

Improving internal support for HTTPS

We saw no material impact to AdX revenue with the transition to SSL.

- Jason Tollestrup, Director of Programmatic Advertising for the Washington Post

Improving internal support for HTTPS

“Should I move my site all at once or bit by bit?”

“Will I see a drop in search?”

“What do I do with robots.txt?”

Improving internal support for HTTPS

FAQs:

• https://goo.gl/yGn4N4
• https://goo.gl/d4YPsq

Improving internal support for HTTPS

https://developers.google.com/web/fundamentals/security/encrypt-in-transit/enable-https

Improving internal support for HTTPS

​

We successfully completed our move of CNET.com to HTTPS last month. Since then, there has been no change in our Google rankings or Google organic search traffic.

• John Sherwood, Vice President of Engineering & Technology at CNET

Web platform and browser tools

Chrome DevTools Security Panel

https://developers.google.com/web/tools/chrome-devtools/security

The very near future

​

Coming in Chrome 56 (Jan 2017)

For HTTP pages with passwords or credit card fields

Try it out in Chrome Canary today

1. Download Canary from https://www.google.com/chrome/browser/canary.html
2. Flip #mark-non-secure-as in chrome://flags

It’s not all bad

Chrome 55 (currently in beta)

https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html

Conclusion

• HTTPS usage is increasing, slowly but steadily.

​

• We need your help to keep moving forward!

​

• Chrome is easing users into the idea that insecure HTTP is bad.

Thank you!

Emily Stark

@estark37