The Journey to Universal HTTPS

Recently I was reading the book “The Box: How the Shipping Container Made the World Smaller and the World Economy Bigger”.  I was struck by how many pieces and components had to fit together to achieve this big change, and wanted to reflect on a similar change in the security space – the nearly universal adoption of HTTPS for the web.

HTTPS has been around since 1994.  When it first came out we were mired in the crypto-wars in the US, and deploying encrypted protocols was still very tricky.   In the early days you really had to jump through hoops – manually adding modules to your web server (they had to be gotten separately in the Unix world), and some even bigger hoops around getting a certificate which was usually expensive.

HTTPS was confusing and hard to turn on, and at the time performance was somewhat/ hugely problematic.

In 2007 when I was working at PayPal, after some articles about phishing, downgrade attacks on users, etc. we made the decision to move the whole website to HTTPS for all pages – not just the logged-in ones.  This put us fairly on the cutting edge for the time – many large companies including banks had websites that were mostly HTTP, even the login screen – which submitted to an HTTPS endpoint.

For sites trying to convert universally to HTTPS, there were a few major obstacles:

1. There were lots of performance concerns about putting all content behind HTTPS – many believed the costs of HTTPS couldn’t be justified for “public” content.
2. Purchasing enough certificates/licenses for all of your webservers/domains was still a pretty costly endeavor.
3. The conventional wisdom among the SEO crowd was that HTTPS hurt your Google page-rank.

At PayPal we also wanted more of the web to move to HTTPS, and luckily were able to work in concert with Google and several other folks on these topics to address many of people’s general concerns.

1. Adam Langley put out a post – https://www.imperialviolet.org/2010/06/25/overclocking-ssl.html – explaining why SSL/TLS was no longer a major performance issue for most use cases.
2. Matt Cutts, Google Page-Rank guru released some statements/ guidance that HTTPS and the slight negative performance impact would not negatively affect page-rank.
1. Google later took an even stronger position – HTTPS would positively impact page-rank. 
3. Let’s Encrypt was started in 2012 with the explicit goal of making it trivially easy to set up, use, and also renew certificates for HTTPS.  There were free certificate authorities, but none before included the ease of use and implementation guts.

From where we are today – maybe all of this looks inevitable – but it has taken a lot of years of concerted work by many parties aligning incentives and making HTTPS-by-default easy – to get where we are today.