HTTPS FAQs

HTTPS at Google

What is encryption?

Encryption is the modern-day method of protecting electronic information, just as safes and combination locks protected information on paper in the past. Encryption is a technological implementation of cryptography: information is converted to an unintelligible form (encoded) such that it can only be translated back into an understandable form (decoded) with a key. For example, in the case of device encryption, the information is unscrambled with a PIN, or by a complex algorithm that a program or device has been given clear instructions to run. Encryption effectively relies on maths to code and decode information.

What is HTTPS?

HTTP (Hypertext Transfer Protocol) is the technical means by which our browsers connect to websites. HTTPS is an encrypted HTTP connection, making it more secure. You can tell if your connection to a website is secure if you see HTTPS rather than HTTP in the URL. Most browsers also have an icon that indicates a secure connection; for example, Chrome displays a green lock.

Why should I use HTTPS?

You should protect your website with HTTPS, even if it doesn’t handle sensitive communications. HTTPS protects the integrity of your website and the privacy and security of your users. Also, powerful new web platform features are restricted to sites offering HTTPS.

What is Google's HTTPS goal?

We believe that strong encryption is fundamental to the safety and security of all web users. We’re therefore working to support encryption in all of our products and services. The HTTPS at Google page shows our real-time progress towards that goal.

Why is encryption important?

Our communications travel across a complex network of networks in order to get from point A to point B. Throughout that journey, they are susceptible to interception by unintended recipients who know how to manipulate the networks. Similarly, we’ve come to rely on portable devices that are more than just phones – they contain our photos, records of communications, emails and private data stored within apps that we stay permanently signed in to for convenience. Loss or theft of a device means that we’re vulnerable to someone gaining access to our most private information, putting us at risk of identity theft, financial fraud and personal harm.

Encryption protects us in these scenarios. Encrypted communications travelling across the web may be intercepted, but their contents will be unintelligible. This is known as 'ciphertext', whereas unencrypted messages travel in 'plaintext'. As for device encryption, without the PIN or code necessary to decrypt an encrypted device, a would-be thief cannot gain access to the contents on a phone and can only wipe a device entirely. Losing data is a pain, but it’s better than losing control over your identity.

What are some examples of encryption types?

Encryption in transit protects the flow of information from the end user to a third-party’s servers. For example, when you are on a shopping site and you enter your credit card credentials, a secure connection protects your information from being intercepted by a third party along the way. Only you and the server that you connect to can decrypt the information.

End-to-end encryption means that only the sender and recipients hold the keys to encrypt and decrypt messages. The service provider that controls the system through which the users communicate has no way of accessing the actual content of messages.

Encryption at rest protects information when it is not in transit. For example, the hard disk in your computer may use encryption at rest to make sure that nobody can access your files if your computer is stolen.

What protocols are included in these charts?

These charts represent requests made over HTTP, HTTP/2, HTTPS, SPDY and QUIC.

What protocols are considered encrypted?

Requests made over HTTPS, SPDY and QUIC are considered encrypted because they incorporate TLS by default. HTTP/2 is also included, since Google does not support unencrypted HTTP/2 connections.

Where can I find data about other protocols?

We currently publish data on TLS usage in Gmail's mail protocols. Other protocols that are not listed above are currently outside the scope of this report.

Why isn't Google Search included in the products graph?

Google Search shares serving infrastructure with several other products at Google. If we separated out Google Search into its own category, we would not have confidence in the accuracy of that data due to this sharing of serving infrastructure.

Do you have accurate data from before December 2013?

Unfortunately not – our data sources prior to December 2013 are not accurate enough to measure HTTPS adoption reliably.

How do you measure HTTPS usage data?

Data is provided by Chrome users who choose to share usage statistics. Country categorisation is based on the IP address associated with a user's browser.

Why are these 10 countries chosen for HTTPS usage statistics?

To compare HTTPS usage around the world, we selected 10 countries with sizable populations of Chrome users from different geographical regions.

 

HTTPS on top sites [archived]

What is meant by 'Site works on HTTPS'?

The site is considered to work on HTTPS if Googlebot successfully reaches https://domain and isn’t redirected through an HTTP location.

What is meant by 'Modern TLS config'?

As of February 2016, we assess that sites are offering modern HTTPS if they offer TLS v1.2 with a cipher suite that uses an AEAD mode of operation:

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
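The following is an added example (not the Transparency Report's own tooling) of how a site operator can check a negotiated connection against the 'Modern TLS config' definition above: TLS 1.2 plus one of the six ECDHE + AEAD suites. It uses only the Python standard library. Python's ssl module reports cipher names in OpenSSL notation, so the block carries an assumed OpenSSL-to-IANA name table that covers only the six suites listed on this page; the `assess` and `probe` function names are mine.

```python
"""Check a negotiated TLS connection against the 'Modern TLS config'
definition used by this report (TLS 1.2 with one of the six ECDHE + AEAD
cipher suites listed above).

Added example, not code from the Transparency Report. Standard library only.
The OpenSSL-to-IANA name table is an assumption covering just these six suites.
"""
import socket
import ssl

# IANA cipher suite names the page lists as qualifying for 'Modern TLS config'.
MODERN_SUITES = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}

# Python's ssl module reports OpenSSL-style names; map the six back to IANA names.
OPENSSL_TO_IANA = {
    "ECDHE-ECDSA-AES128-GCM-SHA256": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305": "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "ECDHE-RSA-CHACHA20-POLY1305": "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}


def assess(version, cipher_name):
    """Return {'modern': bool, 'suite': iana_name, 'reasons': [...]}.

    `version` is the string SSLSocket.version() returns (e.g. 'TLSv1.2');
    `cipher_name` may be in OpenSSL or IANA notation. The reasons are
    derived from the suite name and explain why a connection fails.
    """
    suite = OPENSSL_TO_IANA.get(cipher_name, cipher_name)
    reasons = []
    if version != "TLSv1.2":
        reasons.append(f"negotiated {version}, definition requires TLSv1.2")
    if "_ECDHE_" not in suite:
        reasons.append("no forward secrecy: key exchange is not ECDHE")
    if "_GCM_" not in suite and "CHACHA20_POLY1305" not in suite:
        reasons.append("not an AEAD suite: expected AES-GCM or ChaCha20-Poly1305")
    if not reasons and suite not in MODERN_SUITES:
        reasons.append(f"{suite} is not one of the six listed suites")
    return {"modern": not reasons, "suite": suite, "reasons": reasons}


def probe(host, port=443, timeout=5.0):
    """Perform a real handshake (verified against the system trust store)
    and assess what was negotiated. Network access required."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, _proto, _bits = tls.cipher()
            return assess(tls.version(), name)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        # Offline demonstration on constructed handshake results.
        for ver, name in [("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
                          ("TLSv1.2", "TLS_RSA_WITH_AES_128_GCM_SHA256"),
                          ("TLSv1.1", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA")]:
            print(ver, name, "->", assess(ver, name))
```

Run with a hostname to probe a live server, or without arguments for the offline demonstration. Note that the probe sees only the single version and suite the server negotiated, so a server that answers with TLS 1.3 is reported as not matching this February 2016 definition even though it may still offer TLS 1.2 with a listed suite to older clients.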

What is meant by 'Default HTTPS'?

Default HTTPS means that the site redirects HTTP requests to an HTTPS URL. Note that it is possible for this to be true while at the same time the site rejects HTTPS requests to the domain (e.g. http://domain redirects to https://subdomain.domain, but https://domain refuses the connection).
It's also important to note that even if a site is marked as having Default HTTPS, it does not guarantee that all traffic on every page of that site will be over HTTPS. Chrome advises on the HTTPS state on every page that you visit. If you use another browser, you should ensure that you are familiar with the way that your browser displays different HTTPS states.
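To make the two definitions concrete, here is an added example (not the report's crawler) that classifies a domain as 'Site works on HTTPS' and 'Default HTTPS' by following redirects from https://domain and http://domain respectively, including the edge case described above where http://domain redirects to https://subdomain.domain while https://domain refuses the connection. The crawl is abstracted behind a `fetch(url)` callable so the logic runs offline on constructed response tables; `live_fetch` is my own stdlib probe for real hosts, and all function names and sample domains are assumptions.

```python
"""Classify a domain using the report's two definitions: 'Site works on
HTTPS' and 'Default HTTPS'. Added example, not Google's crawler.
Response tables below are constructed, not real measurements.
"""
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}


class ConnectionRefused(Exception):
    """Raised by a fetch function when the server cannot be reached."""


def _walk(start_url, fetch, max_hops):
    """Follow redirects from start_url. Returns a list of (url, status) hops;
    status is None for a hop whose connection was refused."""
    url, hops = start_url, []
    for _ in range(max_hops):
        try:
            status, location = fetch(url)
        except ConnectionRefused:
            hops.append((url, None))
            break
        hops.append((url, status))
        if status in REDIRECTS and location:
            url = urljoin(url, location)  # Location may be relative
        else:
            break
    return hops


def works_on_https(domain, fetch, max_hops=10):
    """https://domain is reachable and never redirects through an http:// URL."""
    hops = _walk(f"https://{domain}/", fetch, max_hops)
    if any(urlsplit(u).scheme == "http" for u, _ in hops):
        return False
    _, final_status = hops[-1]
    return final_status is not None and 200 <= final_status < 300


def default_https(domain, fetch, max_hops=10):
    """http://domain redirects (possibly via several hops) to an https:// URL."""
    hops = _walk(f"http://{domain}/", fetch, max_hops)
    return any(urlsplit(u).scheme == "https" for u, _ in hops)


def classify(domain, fetch, max_hops=10):
    return {"works_on_https": works_on_https(domain, fetch, max_hops),
            "default_https": default_https(domain, fetch, max_hops)}


def make_fetch(table):
    """Build an offline fetch() from a {url: (status, location)} table;
    URLs missing from the table behave as refused connections."""
    def fetch(url):
        if url not in table:
            raise ConnectionRefused(url)
        return table[url]
    return fetch


def live_fetch(url, timeout=5.0):
    """One request without following redirects. HTTPSConnection verifies the
    certificate by default, so a bad chain counts as refused. Needs network."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    try:
        conn = cls(parts.hostname, parts.port, timeout=timeout)
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    except OSError as exc:  # covers socket errors and ssl.SSLError
        raise ConnectionRefused(url) from exc


# Constructed response tables (assumed domains, not real measurements).
EDGE_CASE = {  # the situation the text warns about
    "http://example.com/": (301, "https://www.example.com/"),
    "https://www.example.com/": (200, None),
    # https://example.com/ is absent, i.e. the connection is refused
}
GOOD_SITE = {
    "http://good.example/": (301, "https://good.example/"),
    "https://good.example/": (200, None),
}
DOWNGRADE = {  # the https entry point bounces the visitor back to plaintext
    "https://down.example/": (302, "http://down.example/"),
    "http://down.example/": (200, None),
}

if __name__ == "__main__":
    for name, table in [("example.com", EDGE_CASE), ("good.example", GOOD_SITE),
                        ("down.example", DOWNGRADE)]:
        print(name, classify(name, make_fetch(table)))
```

`classify("example.com", make_fetch(EDGE_CASE))` yields Default HTTPS true but 'works on HTTPS' false, exactly the combination the text says is possible; substitute `live_fetch` for the constructed fetcher to test a real domain.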

What are your data sources?

We have used a mix of public data (e.g. Alexa Top sites) and Google data. The data was collected over the course of a few months in early 2016 and forms the basis of this list.

Is this list ordered in terms of popularity?

No. The list contains the top 100 non-Google sites, presented in alphabetical order and divided into three categories of HTTPS adoption.

I'm a webmaster; my site is on this list and I need assistance in moving to HTTPS. Is Google offering to help?

We are offering limited support to sites on this list to help them make the move. Please check your security@domain email address for further information or contact us at security@google.com.

 

Certificate Transparency

What is a Certificate Authority?

A Certificate Authority (CA) is an organisation that issues digital certificates to website operators. Operating systems (e.g. Mac OS X and Windows) and web browsers (e.g. Chrome, Firefox or Safari) ship with a pre-loaded set of trusted root authorities. Modern operating systems typically ship with over 200 trusted CAs, some of which are operated by governments. Each CA is trusted equally by web browsers. In addition, many CAs delegate the ability to issue certificates to intermediate Certificate Authorities.

What is a certificate?

When you visit a website over a secure connection (HTTPS), the website provides a digital certificate to your browser. This certificate identifies the hostname of the site and is signed by the Certificate Authority (CA) that has verified the site owner. The proof of identity represented by a Certificate may be trusted by the user as long as the user trusts the Certificate Authority.

Why is certificate transparency important?

The current model requires all users to trust that the hundreds of CA organisations will correctly issue certificates for any given site. However, human error or impersonation can sometimes lead to the misissuance of certificates. Certificate Transparency (CT) changes the issuance process by including a requirement that certificates be written to publicly verifiable, tamper-proof, append-only logs in order to be considered valid by the user's web browser. This requirement that certificates be written to public CT logs means that any interested party can examine all certificates issued by an authority. This in turn increases accountability for organisations, fostering a more reliable system. Eventually, browsers will not be permitted to display the secure connection padlock icon when visiting a site with HTTPS unless the site's certificate has been logged in CT logs.

Note that only the organisation responsible for a given domain can determine which of the certificates issued have been authorised. If a certificate has not been authorised, the domain user should follow up with the CA that issued it to determine appropriate steps to be taken.

What is a Certificate Transparency log?

A Certificate Transparency log is a server that implements RFC 6962, allowing any party to submit certificates that have been issued by a publicly trusted CA. Once a log accepts a certificate, the cryptographic properties of the log guarantee that the entry can never be removed or edited.
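The "cryptographic properties" referred to above are those of the Merkle tree defined in RFC 6962. As an added example (not code from any CT log or from Google), the block below implements the RFC's Merkle Tree Hash and inclusion proof, then shows that an entry which has been edited no longer verifies against the published root. The log entries are constructed byte strings standing in for DER-encoded certificates, and all function names are my own.

```python
"""Merkle Tree Hash and inclusion proofs as specified in RFC 6962, the
structure that lets a CT log prove an entry is present and makes any
edit or removal detectable. Added example, not code from any CT log;
the entries are constructed byte strings standing in for DER certificates.
"""
import hashlib


def _sha256(data):
    return hashlib.sha256(data).digest()


def leaf_hash(entry):
    """RFC 6962 hashes leaves with a 0x00 prefix ..."""
    return _sha256(b"\x00" + entry)


def node_hash(left, right):
    """... and interior nodes with a 0x01 prefix, so a leaf can never be
    passed off as an interior node (second-preimage defence)."""
    return _sha256(b"\x01" + left + right)


def _split(n):
    """Largest power of two strictly less than n (requires n >= 2)."""
    return 1 << ((n - 1).bit_length() - 1)


def tree_hash(entries):
    """MTH(D[n]) from RFC 6962 section 2.1."""
    n = len(entries)
    if n == 0:
        return _sha256(b"")
    if n == 1:
        return leaf_hash(entries[0])
    k = _split(n)
    return node_hash(tree_hash(entries[:k]), tree_hash(entries[k:]))


def inclusion_path(m, entries):
    """PATH(m, D[n]): the sibling hashes needed to recompute the root from
    leaf m, ordered from the leaf upwards."""
    n = len(entries)
    if n == 1:
        return []
    k = _split(n)
    if m < k:
        return inclusion_path(m, entries[:k]) + [tree_hash(entries[k:])]
    return inclusion_path(m - k, entries[k:]) + [tree_hash(entries[:k])]


def root_from_path(m, n, leaf, path):
    """Recompute the root of an n-entry tree from leaf hash `leaf` at index m
    and its audit path, mirroring the recursion in inclusion_path."""
    if n == 1:
        if path:
            raise ValueError("audit path too long")
        return leaf
    if not path:
        raise ValueError("audit path too short")
    k = _split(n)
    if m < k:
        return node_hash(root_from_path(m, k, leaf, path[:-1]), path[-1])
    return node_hash(path[-1], root_from_path(m - k, n - k, leaf, path[:-1]))


def verify_inclusion(entry, m, n, path, expected_root):
    """True only if `entry` sits at index m of the n-entry tree with that root."""
    try:
        return root_from_path(m, n, leaf_hash(entry), path) == expected_root
    except ValueError:
        return False


# Constructed log contents; a real log holds DER certificates or precerts.
CONSTRUCTED_LOG = [b"cert-%d" % i for i in range(7)]

if __name__ == "__main__":
    root = tree_hash(CONSTRUCTED_LOG)
    proof = inclusion_path(3, CONSTRUCTED_LOG)
    print("tree head:", root.hex())
    print("entry 3 included:", verify_inclusion(CONSTRUCTED_LOG[3], 3, 7, proof, root))
    # Swapping the entry changes its leaf hash, so the same proof no longer
    # leads to the published root: the edit is detectable by anyone holding it.
    print("edited entry 3:", verify_inclusion(b"forged", 3, 7, proof, root))
```

Because a log publishes signed tree heads, any later removal or edit of an entry would produce a root that contradicts heads already handed out to clients and monitors, which is what makes the log append-only in practice.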

Where do the certificates shown here come from?

The certificates on the Transparency Report are retrieved from the set of active certificate transparency logs. Many of the certificates in those logs are submitted by CAs during the issuance process. In addition, we add certificates that Google encounters when indexing the web. Site owners can search this site for domain names that they control in order to ensure that there has been no misissuance of certificates referencing their domains.

Why doesn't my certificate appear here?

Certificates appear here when they have been logged in at least one CT log. You can submit your own certificates to a log, but if that doesn’t work, you may need to contact your CA. Technical users can submit certificates to logs themselves, using tools such as the open-source tools provided at https://certificate-transparency.org.

Why do some sites have more than one certificate issuer?

Many large organisations use more than one CA to address a diverse set of needs, which may include contractual obligations, implementation considerations and costs.

Why do some certificates list more than one DNS name?

Many organisations choose to issue a single certificate that is used across multiple sites. For example, large sites frequently use multiple subdomains for their properties (e.g. www.google.com, mail.google.com, accounts.google.com) but use a single certificate that names all of those subdomains.