HTTPS at Google
What is encryption?
What is HTTPS?
Why should I use HTTPS?
What is Google's HTTPS goal?
Why is encryption important?
Our communications travel across a complex network of networks in order to get from point A to point B. Throughout that journey, they are susceptible to interception by unintended recipients who know how to manipulate the networks. Similarly, we’ve come to rely on portable devices that are more than just phones – they contain our photos, records of communications, emails and private data stored within apps that we stay permanently signed in to for convenience. Loss or theft of a device means that we’re vulnerable to someone gaining access to our most private information, putting us at risk of identity theft, financial fraud and personal harm.
Encryption protects us in these scenarios. Encrypted communications travelling across the web may be intercepted, but their contents will be unintelligible. This unintelligible form is known as 'ciphertext', whereas unencrypted messages travel in 'plaintext'. As for device encryption, without the PIN or code necessary to decrypt an encrypted device, a would-be thief cannot gain access to the contents of a phone and can only wipe the device entirely. Losing data is a pain, but it’s better than losing control over your identity.
What are some examples of encryption types?
Encryption in transit protects the flow of information from the end user to a third party’s servers. For example, when you are on a shopping site and you enter your credit card credentials, a secure connection protects your information from being intercepted by a third party along the way. Only you and the server that you connect to can decrypt the information.
End-to-end encryption means that only the sender and recipients hold the keys to encrypt and decrypt messages. The service provider that controls the system through which the users communicate has no way of accessing the actual content of messages.
Encryption at rest protects information when it is not in transit. For example, the hard disk in your computer may use encryption at rest to make sure that nobody can access your files if your computer is stolen.
What protocols are included in these charts?
What protocols are considered encrypted?
Where can I find data about other protocols?
Why isn't Google Search included in the products graph?
Do you have accurate data from before December 2013?
How do you measure HTTPS usage data?
Why are these 10 countries chosen for HTTPS usage statistics?
HTTPS on top sites [archived]
What is meant by 'Site works on HTTPS'?
What is meant by 'Modern TLS config'?
As of February 2016, we assess that sites are offering modern HTTPS if they offer TLS v1.2 with a cipher suite that uses an AEAD mode of operation:
What is meant by 'Default HTTPS'?
What are your data sources?
Is this list ordered in terms of popularity?
I'm a webmaster; my site is on this list and I need assistance in moving to HTTPS. Is Google offering to help?
What is a Certificate Authority?
What is a certificate?
Why is certificate transparency important?
The current model requires all users to trust that the hundreds of CA organisations will correctly issue certificates for any given site. However, sometimes there are cases where human error or impersonation can lead to the misissuance of certificates. Certificate Transparency (CT) changes the issuance process by including a requirement that certificates be written to publicly verifiable, tamper-proof, append-only logs in order to be considered valid by the user's web browser. This requirement that certificates be written to public CT logs means that any interested party can examine all certificates issued by an authority. This in turn increases accountability for organisations, fostering a more reliable system. Eventually, browsers will not be permitted to display the secure connection padlock icon when visiting a site with HTTPS unless the site's certificate has been logged in CT logs.
Note that only the organisation responsible for a given domain can determine which of the certificates issued have been authorised. If a certificate has not been authorised, the domain user should follow up with the CA that issued it to determine appropriate steps to be taken.
What is a Certificate Transparency log?
Where do the certificates shown here come from?
Why doesn't my certificate appear here?
Why do some sites have more than one certificate issuer?
Why do some certificates list more than one DNS name?