Wow 50%. That's more than I would have thought. The Internet is definitively going https.

I am glad I made the switch last year, it's not only safer for the members of my forum, but it has also improved the speed of my site, thanks to the use of http/2.

90% of page loads not sites. A lot of those are probably a handful of big sites.

>>90% of page loads not sites. A lot of those are probably a handful of big sites.

i agree with graeme_p i wonder how many of those page loads are facebook alone.

it has also improved the speed of my site, thanks to the use of http/2

Too bad many (most?) shard hosting servers don't support HTTP/2. This may end up a long process in itself.

About 36% of the top million sites employ HTTPS [httparchive.org ].

Not sure how representative that Telemetry data is, considering it's an opt-in feature in Firefox.

It seems logical, especially when you see the number of certificates issued, and it'll only continue to increase.
It's a shame, in one respect, that every site is going to end up going https.

It's a shame, in one respect, that every site is going to end up going https.

Why do you feel it's a shame engine?

I think it's a shame too. Regardless of what Google says HTTPS is not appropriate for all sites(unless it's free) because some sites do not pass any personal information or sell anything or accept credit cards etc. Some are just hobby sites and there is nothing to protect with encryption and I suspect many of these will simply go offline instead of pay up another $100 or so(prices change, I just saw that price on a popular hosting service tonight).

Shouldn't google be checking to see which sites do not need it, much like they check to see if sites are up to date on wordpress, and not penalize or shame them for not being HTTPS if they don't need to be? It's not a free service.

I understand their argument of forcing it on all sites, it's the same argument that tells you to let wordpress update your site for you, but it's simply not going to do an ounce of good for many sites so why should they pay cash for it or be shamed out of rankings? The crowd that simply says you need to do it without being able to answer why on those types of sites sites is a bit aggresive about it too.... again, it's not free or even cheap compared to the registration cost.

You can get SSL certificate for free, and most of CMS or Web host now propose a button to press just to switch to SSL. The arrival of Let's Encrypt , which is free and which can be queried automatically greatly helped.

Also, beside sensitive information that a site can collect or not, there is still the risk of a "man in the middle" attack, when an intermediate server, router, or what ever else is compromised, and can inject malicious code into your page during its transmission between your server and the client device. SSL prevents this (if I don't make mistakes).

The content of a website can be sensitive too, even if it's just information. It all travels over the wire in plain-text. What's sensitive to some may not be sensitive to others, so it's impossible for Google (or anyone else) to tell. It's best to encrypt everything. And $100 is a ripoff obviously.

The kind of certificate that hobby/personal/information sites can use is easily under $5US a year. If you don't collect PII or require accounts and passwords there's no reason to spend more in case a host doesn't offer the free LetsEncrypt/CP certificates. Cost is not an excuse.

What does bother me is centralised control. Someone why can get to all certificate authorities (the US gov, maybe?) could force a site off the web.

As I just said in another thread, the problem with SSL is that it ties encryption to identity. SSH does just encryption so its free and easy to implement.