
What events caused mass migration to HTTPS?

@Shakeerah822

Posted in: #Https #Security

For several years I have seen Google, Facebook, etc. start serving (and even redirecting to) content via HTTPS.

Serving sites that prompt for passwords over insecure HTTP was wrong even in 1999, but it was considered acceptable even in 2010.

But nowadays even public pages (like queries from Bing/Google) are served via HTTPS.

What events caused mass migration to HTTPS? The Wikileaks scandal, US / EU law enforcement, reduced cost of the SSL/TLS handshake along with the generally dropped cost of server time, a growing level of IT culture in management?

Even public efforts like letsencrypt.org/ started not so long ago...

@briantist I also maintain hobby sites and am interested in a cheap/effortless SSL/TLS solution. For a VPS (which starts from $5/month) I recently evaluated Let's Encrypt with certbot (other bots are available) in webroot operation mode. This provides me with a valid SAN certificate for 3 months (and it is in a cron job; renewal is performed a month before the expiration date):

    certbot certonly -n --expand --webroot \
        -w /srv/www/base/ -d example.com \
        -w /srv/www/blog/ -d blog.example.com


5 Comments


@Shanna517

One other thing I didn't see mentioned: on Sep 29, 2014, CloudFlare (a very popular proxying CDN, because most sites of moderate size can effectively use them for free with simple DNS changes) announced the offering of free SSL for all sites they proxy.

Essentially, anyone proxying through them could automatically and immediately hit their site with https:// and it just worked; no changes needed on the backends, nothing to pay for or renew.

For me personally, and for many other people in the same boat, this tipped the scale. My sites are all basically personal/hobby sites that I would have liked to use SSL for, but couldn't justify the cost and maintenance time. Often the cost was more about having to use a more expensive hosting plan (or start paying instead of using free options) as opposed to the cost of the cert itself.


@Sue5673885

There was what came to be called Operation Aurora, which (allegedly) was Chinese crackers breaking into USA computers like Google's.

Google went public with Operation Aurora in 2010. Seems they decided to convert the loss into value by showing efforts of securing their products. So instead of losers they show up as leaders. They needed real efforts otherwise they would have been publicly ridiculed by those who understand.

Google is an internet company, so it was critical for them to reinstill trust in their users about the communication. The plan worked, and other corps needed to follow or face their users migrating to Google.

In 2013, what came to be called the global surveillance disclosures, prominently by Snowden, happened. People lost trust in corps.

This made a lot of people consider going indie and using HTTPS, which then caused the recent migration. He and those he worked with gave explicit calls to use encryption, explaining that surveillance needs to be expensive.

strong encryption * critically high volume of users = expensive surveillance.

It was 2013. That said, more recently Snowden said that this is probably not enough any more and you should spend money on people who work on legally strengthening your rights for you, too, so the tax money goes away from the surveillance industry.

Nevertheless, for the average Joe webmaster the long-standing issue with HTTPS was that getting a certificate cost money. But you need certs for HTTPS. It was solved in late 2015 when the Let's Encrypt beta became available to the general public. It gives you free certs for HTTPS automatically via the ACME protocol. ACME is an Internet draft, which means to people that you can sort-of rely on it.


@Alves908

The answers thus far talk about various pull and push reasons as to why HTTPS is becoming more and more popular.

However, there are 2 major wake-up calls from around 2010 and 2011 that showed how important HTTPS actually is: Firesheep allowing session hijacking, and the Tunisian government intercepting Facebook logins to steal credentials.

Firesheep was a Firefox plugin from October 2010 created by Eric Butler, which allowed anyone with the plugin installed to intercept other requests on public WiFi channels and use the cookies from those requests to impersonate the users making those requests. It was free, easy to use and above all, it didn't need specialist knowledge. You just click a button to harvest cookies, and then another to start a new session using any of the harvested cookies.

Within days, copycats with more flexibility appeared, and within weeks, many major sites started supporting HTTPS. Then a few months later, a second event occurred that sent another ripple of awareness through the Internet.

In December 2010, the Arab Spring started in Tunisia. The Tunisian Government, like many others of the region, tried to suppress the revolt. One of the ways they tried this was by hindering Social Media, including Facebook. During the revolt, it became clear that the Tunisian ISPs, who were largely controlled by the Tunisian government, were secretly injecting password harvesting code into the Facebook login page. Facebook quickly acted against this once they noticed what was happening, switching the entire country to HTTPS and requiring those affected to confirm their identity.

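The cookie exposure that Firesheep relied on can be checked from the defender's side. As an added example (not part of the original answer), this Python code audits a response's Set-Cookie and Strict-Transport-Security headers for cookies a browser would still send over plain HTTP. The function names, issue labels and sample headers are constructed for illustration, and it assumes the response comes from the host named in any Domain attribute.

```python
def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def parse_hsts(header):
    """Return (max_age_seconds, include_subdomains) from Strict-Transport-Security."""
    max_age, include_sub = 0, False
    for directive in (header or "").split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.strip('"').isdigit():
            max_age = int(val.strip('"'))
        elif key.lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def audit_response(set_cookie_headers, hsts_header=None):
    """Map each cookie name to the issues that leave it readable on the wire."""
    max_age, include_sub = parse_hsts(hsts_header)
    report = {}
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        issues = []
        if "secure" not in attrs:
            if max_age == 0:
                # Browser attaches the cookie to any http:// request to the host.
                issues.append("cleartext-exposed")
            elif "domain" in attrs and not include_sub:
                # HSTS covers this host only; subdomains may still use http://.
                issues.append("cleartext-exposed-on-subdomains")
            else:
                issues.append("missing-secure")  # HSTS helps; set the flag anyway
        if "httponly" not in attrs:
            issues.append("missing-httponly")
        report[name] = issues
    return report

# Constructed sample: an HTTPS login response that still leaks its session cookie.
SAMPLE_COOKIES = [
    "session=abc123; Path=/; HttpOnly",
    "prefs=dark; Domain=example.com; Path=/",
    "csrf=xyz; Path=/; Secure; HttpOnly; SameSite=Strict",
]
```

Calling `audit_response(SAMPLE_COOKIES)` with no HSTS header flags `session` as exposed in cleartext even though the login itself was served over HTTPS.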


 

@Smith883

Encrypting transmissions over the internet is more secure against nefarious agents intercepting or scanning this data and inserting themselves in the middle, faking you into thinking they are the real web page. Successful intercepts such as this only encourage more and others to follow.

Now that it is more affordable, and the technology more accessible, it is easier to push for everyone to do more secure things that protect us all. Being more secure reduces costs and expenses of those affected by data breaches.

When the work involved in breaking encryption becomes difficult and expensive, it will keep the level of activity down and restricted only to those willing to invest the time and money involved. Like locks on your house doors, it will keep most people out and free the police up to concentrate on higher level criminal activity.


@Heady270

There are a lot of factors that went into it including:


Browser and server technology for security with virtual hosts. You used to need a dedicated IP address per secure site, but that is not the case anymore using SNI.
Lower cost security certificates. There are even free ones available for some single domain cases. Ten years ago I was looking at 0/year for a wildcard domain, but now I can get a certificate that includes wildcards for several domains for /year.
Overhead of HTTPS dropped significantly. It used to require extra server resources, but now the overhead is negligible. It is even often built into load balancers that can talk HTTP to backend servers.
Ad networks such as AdSense started supporting HTTPS. A few years ago, it was not possible to monetize an HTTPS website with most ad networks.
Google announcing HTTPS as a ranking factor.
Big companies like Facebook and Google that moved to HTTPS for everything normalized the practice.
Browsers are starting to warn about HTTP being insecure.


For big companies like Google that could always afford to move to HTTPS I think there were a couple of things that pushed them to implement it:


Leaking of competitive intelligence data over HTTP. I believe that Google moved to HTTPS in large part because so many ISPs and competitors were looking at what users were searching over HTTP. Keeping search engine queries under wraps was a big motivation for Google.
Rise of malware targeting sites like Google and Facebook. HTTPS makes it harder for malware to intercept browser requests and inject ads or redirect users.


There are also some reasons that you are seeing HTTPS more often in cases where both work:


Google is preferring to index the HTTPS version when the HTTP version also works.
Many folks have the HTTPS Everywhere browser plugin that automatically has them use HTTPS sites when available. That means that those users also create new links to HTTPS sites.
More sites are redirecting to HTTPS because of security and privacy concerns.
