Google’s push to make the web more secure by flagging sites using insecure HTTP connections appears to be working. The company announced today that 64 percent of Chrome traffic on Android is now protected, up 42 percent from a year ago. In addition, over 75 percent of Chrome traffic on both ChromeOS and Mac is now protected, up from 60 percent on Mac and 67 percent on ChromeOS a year ago. Windows traffic is up to 66 percent from 51 percent.
Google also notes that 71 of the top 100 websites now use HTTPS by default, up from 37 percent a year ago.
In the U.S., HTTPS usage in Chrome is up from 59 percent to 73 percent.
(Note: a better, more interactive version of this chart is available within Google’s Transparency report, here.)
Combined, these metrics paint a picture of fairly rapid progress in the switchover to HTTPS. This is something that Google has been heavily pushing by flagging and pressuring sites that hadn’t yet adopted HTTPS.
As you may recall, Google announced just over a year ago it would begin flagging all websites using insecure HTTP connections to transmit private information like passwords or credit information as “not secure” in the Chrome browser. It later expanded those protections to include when users entered any type of data on an HTTP page, including in Chrome’s Incognito mode.
“HTTPS is easier and cheaper than ever before, and it enables both the best performance the web offers and powerful new features that are too sensitive for HTTP,” wrote Emily Schechter, of Chrome’s Security Team, at the time of the announcement.
Google says that HTTPS adoption is increasing around the world, too, including most recently on large Japanese sites like Rakuten, Cookpad, Ameblo, and Yahoo Japan. This shift has contributed to HTTPS in Japan surging from 31 percent to 55 percent over the last year, as measured on Chrome on Windows.
Other countries have seen bigger boosts as well, like Brazil’s climb from 50 percent to 55 percent.
Of course, Google isn’t the only company to credit with the shift away from HTTP. It’s been a combined effort from several major technologies, including Apple and Facebook. For example, Apple last year said it would require app developers to force HTTPS connections for iOS apps and Facebook’s Instant Articles are served over HTTPS. (Facebook had also made HTTPS the default for all users back in 2013.)
Google also noted today it’s pushing for HTTPS adoption through other means, too, including its recently announced managed SSL for Google App Engine, for example. It also started
securing entire top-level Google domains like .foo and .dev by default with HSTS (HTTPS Strict Transport Security.)