Long way to go before the web is HTTPS protected

A number of popular websites do not offer HTTPS by default, according to Google testing, despite the growing move to serve web content safely via Secure Sockets Layer/Transport Layer Security (SSL/TLS).

In the latest addition to its transparency report - which aims to give users an idea of the level of government requests for their data - Google said only one-fifth of the top 100 sites it tracks tick all boxes when it comes to serving up traffic via HTTPS.

Sites that fully work on HTTPS and offer the security by default include Netflix, Facebook, Reddit, Paypal, Twitter and Wordpress, Google said.

Most popular sites, however, do not serve content via HTTPS by default - and in some cases not at all - or do not utilise a modern TLS version 1.2 configuration that uses a block cipher suite with authenticated encryption.

These include Alibaba.com, AmazonAWS.com, Apple.com, BBC, CNET, Microsoft and Ebay websites, to name a few.

The top 100 sites listed by Google account for around 25 percent of the world's total web traffic.

Google traffic itself isn't fully HTTPS yet, with 75 percent of requests to Google's servers currently using encrypted connections, up from just over 50 percent two years ago.

The relatively low amount of HTTPS support is despite revelations by former US NSA contractor Edward Snowden about mass government surveillance of web users' browsing habits, and high-profile encryption support campaigns such as the Electronic Frontier Foundation's HTTPS Everywhere. 

HTTPS evangelists Rutledge Chin Feman and Tim Willis at Google noted there were several obstacles for site operators wanting to implement SSL/TLS.

These include old hardware, governments and other organisations that block or degrade HTTPS traffic, and lack of initiative or technical resources to secure sites.

Google said it was working with operators of sites that don't yet serve HTTPS protected content to help them move to the secured protocol by the end of the year.

Moving the web to HTTPS comes with architectural issues that could cause breakage.

Sir Tim Berners-Lee, whose seminal work on the hypertext transport protocol laid the foundation to the world wide web, pointed out in February that the use of the HTTPS URL "is arguably a greater threat to the integrity for the web than anything else in its history", as it breaks past HTTP plain text links.

Berners-Lee suggested the HTTP protocol should be upgraded to use TLS, without a different HTTPS URL, to avoid breaking existing web links.