With a market share of 72.5%, Google Chrome is the most used browser in the entire world. Mozilla Firefox follows closely with almost 16.3%. Both browsers currently show non-encrypted websites with an encircled “I” in the address bar. Clicking on this symbol brings up the message: “This connection is not secure.”
Starting in January 2017, however, the Google Chrome browser in Version 56 will, for the first time, warn users at the moment they try to visit a website without an SSL-certificate. Soon, Google Chrome users will also be warned in other places about non-encrypted websites. It is not yet clear exactly how that is supposed to work.
Figure 1: Browser market share worldwide as of Nov. 2016.
How SSL works
If a user attempts to access an SSL-encrypted website, the website’s server first responds with a certificate. This certificate is issued by a Certification Authority (CA). Well-known CAs are, for example, Symantec, Thawte, or GlobalSign. The user can verify the identity of the server and the validity of the encryption with this certificate.
The website is actually encrypted with the help of the Public Key Infrastructure: through the PKI, data is coded upon sending and de-coded upon receipt. If the data is attacked as it is being transferred from the server to the receiver, it will be useless thanks to its encryption.
Figure 2: Graphic display of how SSL works.
A green lock to the left of the URL then shows the user that the site has an SSL certificate and that the data that is being transferred by this site is encrypted and thereby protected from access or manipulation by third parties.
That a website is encrypted with a protocol is shown not only by the padlock, but also by the acronym HTTPS. If there are problems with the website connection or the certificate, this will be shown by a red triangle in the address bar.
Side Note: SSL and TLS
SSL and TLS are two different terms for the same thing. Both designate website encryptions using a hybrid protocol. TLS (Transport Layer Security) is a further development of SSL (Secure Sockets Layer). The term TLS, however, has not become as well established and thus is not as well-known. Because of this fact, many internet providers continue to use the term SSL.
Great Success for the Initiative “HTTPS Everywhere”
Two years after the kick-off of the security initiative “HTTPS Everywhere,” the first successes are becoming visible. In October 2016, it was announced that half of all websites are equipped with SSL encryption. These results come from the telemetric data analyzed by Google and Mozilla Firefox.
- Google’s Transparency Report shows that:
- 49 of the 100 most-visited websites in the world use HTTPS as their standard, including amazon.com, facebook.com and linkedin.com.
- Another 7 website operators also use modern HTTPS, but not yet automatically. This means that the user must enter HTTPS:// in order to access the encrypted site.
- 12 of the top 100 websites are currently working toward complete encryption.
- Apple.com, ebay.com and bing.com currently only protect their log-in sites with an encryption protocol.
- Amazonaws.com uses standard HTTPS but redirects to a landing page.
WordPress, the leading content management system provider in the world with a world-wide market share of 58.8%, is a paragon of consistency: in a recent blog article, founder Matt Mullenweg shared that, starting next year, several changes will be made. According to the article, new features will be introduced that will only be available for websites that support HTTPS. Additionally, any host that does not use standard SSL encryption will no longer be supported or promoted.
Figure 3: Percent of encrypted websites worldwide
Global Players that Are Lagging Behind
News giants cnn.com, forbes.com and dailymail.co.uk offer a negative example: they do not currently use any encryption. The decision not to encrypt their websites is often a deliberate one for news sites, since online profits will sometimes decrease after switching to HTTPS. Ads that are not SSL compliant will automatically be removed from auction by AdSense.
And even those ads that are compatible with the encryption protocol often generate fewer earnings after switching to HTTPS. Ad sales can therefore sink up to 35%. Nevertheless, unsecure connections are a safety risk that cannot be taken with sales activity. But we still have a long way to go before we reach Google Chrome’s self-acclaimed goal of an omnipresent SSL online encryption.
Figure 4: Current notification from Mozilla Firefox and Google Chrome that shows websites are not encrypted
In addition to the giant news sites, mid-market businesses also have a need to improve. Only about 50% of these companies use SSL encryption. They aren’t lagging behind in encryption protocols due to potential sales losses in online marketing, but rather because of a lack of compliancy laws in companies as well as user problems among their employees.
They are aware of the fundamental dangers, however. Approximately three-fourths of the surveyed companies encrypt data in their own storage systems and almost two-thirds use email encryption software. These percentages are thus, to a great extent, not insignificant.
Advantages of SSL Encryption
SSL encryption makes a business website more secure and increases customer trust in the company’s online presence. Other than the customer and the server, no third party can access or manipulate the communication. The encryption symbol is thus a kind of quality seal. Users stay on the site longer and the bounce rate decreases.
This is especially true for e-commerce: the encryption symbol greatly reduces the number of terminated shopping transactions, especially if the seal is integrated on the Homepage. The lower bounce rates support increased search engine visibility and can help generate a better ranking in the SERPs. Google has been including SSL encryption in its ranking factors since 2014. With a market share value of 91.6% among search machines, Google clearly sets the norm.
Figure 5: Search engine market share in Germany.
Websites gain another advantage with increased data quality. If a user changes from an HTTPS site to a non-encrypted site, the referrer is lost. This means that the initial request from the starting URL is erased, and only the visit to the non-encrypted website will be seen as a direct visit by Google Analytics’ web analysis tools.
If, however, a user moves from one encrypted site to another SSL-encrypted site, the referrer remains intact and the data quality increases. It’s clear that using an SSL certificate brings many advantages that cannot be disputed.
Implementing an SSL certificate in 2017 is not just a good idea, it’s an absolute must. In the new year, it will be the standard for Google Chrome, Mozilla Firefox, and WordPress.
Starting in January 2017, Google Chrome will warn before accessing non-encrypted sites and WordPress will no longer support any host not standardly delivering its site in HTTPS. All of these are good reasons to update your website to SSL. Among the strongest pro arguments are: greater user trust in your site, the opportunity to achieve better rankings, and increased data security.