HTTPS Everywhere: How to Navigate the New Best Practices for Internet Encryption
April 14, 2021
5 min read
HTTPS Everywhere refers to the standard procedure of using SSL/TLS certificates to encrypt and protect digital data. Previously, you’d only use certificates on selected pages, but now it’s best practice to ensure that absolutely *everything* is encrypted and protected by HTTPS. The result? The number of certificates has exploded and continues to rise sharply.
Trust is the foundation of the entire Internet economy. In line with increasing digitalization, data security has become an increasingly business-critical issue.
To gain and exhibit trust online, you need end-to-end protection of all the pages that users visit. SSL/TLS certificates are a key element since they encrypt all of the data sent between the browser and server.
Browsers are also placing increasingly greater emphasis on the proper encryption of websites. Result: The introduction of HTTPS Everywhere has led to explosive growth in certificate numbers.
This growth has major negative implications: Many organizations struggle to get and maintain an overview of their certificates. Even so, most companies have no actual overview.
Read on and see what HTTPS Everywhere means, why it’s important, and how you can maintain an overview and avoid critical downtime and discontinuation of services.
What is HTTPS Everywhere?
In short, HTTPS Everywhere is a best practice security measure: HTTPS Everywhere ensures that the entire online user experience is secured against threats.
The term refers to the use of HTTPS, which is a secure web protocol enabled by SSL/TLS certificates. HTTPS encrypts the information shared between the website and the user (including cookies).
HTTPS Everywhere refers to the fact that it is now standard procedure to use SSL/TLS certificates to encrypt and protect digital data: Previously, organizations would only add certificates to select pages. Fast forward to 2021, where everything must be encrypted and protected by HTTPS.
The result? The number of certificates that organizations handle has exploded and continues to rise sharply: From 2019 to 2020 alone, the average increase was a whopping 43%.
Numbers from Let’s Encrypt (who issues free SSL/TLS certificates without security validation) show a large increase in the development of how many pages are encrypted online:
The latest industry reports from Netcraft highlight this development: From January 2020 to December 2020, the number of valid certificates increased from 78 million to over 89 million.
HTTPS: Standard browser practice
Restrictive use of SSL/TLS certificates will not only disappoint user expectations in terms of perceived (and actual!) security – it also fails to live up to the expectations from browsers and OS platforms.
The escalation of HTTPS is firmly encouraged by Internet browsers, which reward sites that use HTTPS while actively penalizing HTTP sites.
Chrome was the first major browser to take a stance actively. Since 2014, Chrome has recommended that every website, regardless of industry or company, be protected by SSL/TLS certificates – including websites that do not process any sensitive information.
Since then, others have followed suit, and today, HTTPS is standard practice on both Mozilla Firefox and Apple’s Safari.
In other words, HTTPS is not just about consumer confidence. SSL is included as a factor in the ranking algorithms and has a tangible impact on your SEO ranking.
Browsers have also continuously adapted their design to support their mission – including displaying a padlock (secure site) and a warning triangle (unsafe site).
Keep track of all your certificates
The sheer number of certificates is one thing; however, organizations struggling to keep up is something else entirely:
With their initial overview rapidly challenged by the explosive growth in certificates, more and more organizations struggle to keep track of their active SSL/TLS certificates.
Just a few years ago, many organizations had two or three active certificates. Fast forward to today, and most orgs have ten times as many.
To make matters worse, most organizations have far more active SSL/TLS certificates than assumed – and often from multiple certificate providers.
This means that it can be both time-consuming and difficult to establish an overview of all the certificates you have. In fact, as many as 3 out of 4 IT security professionals admit that their organizations lack a full overview of their certificates.
And that should be the cause of major concern: If you don’t have an overview of your SSL/TLS certificates, you basically don’t have control over your business-critical websites.
Anyone who assumes responsibility for an organization’s digital security needs to know:
- how many certificates the organization has (and how many it is included in)
- where these certificates are used (domains and subdomains)
- what their purpose is
- who issued them
- when they expire
Given the sheer number of certificates, dates, subdomains, issuers, and more, it makes sense to collect everything in one place.
That is why we developed our newest solution, SSL360™. By bringing every domain and certificate related to any given organization together in one dashboard, SSL360™ helps companies get a full overview of their certificates.
SSL360™ finds and tracks all your public SSL/TLS certificates regardless of which CA (Certificate Authority) issued them. DigiCert, Let’s Encrypt, ZeroSSL – everything is brought together here. SSL360™ also alerts you about expiring or rogue certificates. It tracks down certificates that you’re not in control of and lets you simplify your workflow and renew any certificate directly in the dashboard.