A year ago, I published an article: The era of comprehensive HTTPS is coming. So far, what’s new with HTTPS? This article will explore the changes of HTTPS in 2016 and the possible future development.

Introduction to SSL and HTTPS

HTTPS is an encrypted HTTP protocol. The URL starts with https://, which means that this protocol is used. Compared to HTTP, HTTPS has all of the following features:

  • Transfer data encryption: The communication with the website cannot be obtained by the middleman (eg wireless router owner, operator, listener on the line in between).
  • Data Integrity: Guarantee that the transmitted data has not been tampered with.
    Authentication: Guarantees that the data is provided by the website owner and not by a third party.

Since HTTPS needs to complete authentication, if you need to configure HTTPS, you must obtain a certificate issued by a recognized certificate issuer.

2016

Let’s Encrypt, The First Truly Free Certificate Issuer

To deploy HTTPS, you must have an SSL certificate, and the price range of SSL certificates ranges from several hundred or even tens of thousands of yuan per year. The high certificate price has become a major burden to deploy HTTPS. At the end of 2015, Let’s Encrypt officially started the public beta, and can issue certificates with multiple domain names for free. The original price of such certificates was around 100 to 1,000 yuan. Even in the beta phase, over 1 million certificates were issued in just 3 months! Let’s Encrypt’s certificate uses automatic deployment, and the verification and issuance process are automatically realized through API, which greatly shortens the time required to apply for a certificate; at the same time, various service providers have also provided channels to automatically issue Let’s Encrypt certificates. The popularity of HTTPS has indeed been greatly accelerated by the advent of Let’s Encrypt.

HTTP/2, An Upgraded Version of SPDY

In early 2015, HTTP/2 officially became a standard, followed by major browsers and operating systems: Firefox 36, Chrome 41, iOS 9 & macOS 10.11 (Safari 9), Windows 10 (IE 11 & Edge). Then, CDN providers such as Cloudflare, CloudFront, and UPYUN also supported HTTP/2, and HTTP servers Nginx and Apache also supported it. HTTP/2 appeared to replace HTTP 1.1 and SPDY. HTTP/2 mainly supports multiplexing. The practice of merging CSS and JS files and preparing multiple domain names for many images is unnecessary after using HTTPS/2. Compared with HTTP 1.1, which requires a separate connection for each data, all data of a website in HTTPS/2 requires only one connection.

HTTP 1.1 vs. HTTP/2
HTTP 1.1 vs. HTTP/2

Since browsers limit the number of connections, in HTTP 1.1, only a few files can be downloaded at a time. Multiplexing allows these files to be transferred together, greatly reducing load times.

HTTP 1.1 Transport Timeline
HTTP 1.1 Transport Timeline

HTTP/2 Multiplexing Timeline
HTTP/2 Multiplexing Timeline

However, these browsers only implement HTTP/2 for HTTPS sites. So I thought of improving the loading speed of the website, and I had to use HTTPS. Therefore, the emergence of HTTP/2 also promoted the development of HTTPS.

2017

Google Chrome Zooms in, Showing the Difference Between Websites with and without HTTPS:

Now, Chrome has started showing the word “secure” for websites that use HTTPS (the EV certificate shows the company name in this place):

Chrome shows secure for HTTPS sites
Chrome shows secure for HTTPS sites

In a future version, for websites without HTTPS, it will eventually be displayed like this (for all HTTP websites, the process of displaying different versions in the future is: gray exclamation mark, red alert exclamation mark, red alert exclamation mark + “insecure word” ; those with credit cards or passwords will be displayed first. The picture below is the final third stage):

Chrome shows insecure for HTTP sites
Chrome shows insecure for HTTP sites

You can also adjust this to “Always mark HTTP pages as non-secure” in the Chrome settings page. I recommend this setting for everyone, because HTTP is really insecure! Believe no company wants to let users see their website marked as “unsafe”? Browser advancement plays a vital role.

Update 1

In the latest Chrome 58 version, the following information has been displayed at the non-HTTPS password input (here is the website login window of weibo.com):

Chrome extra warning for HTTP sites
Chrome extra warning for HTTP sites

It has been tested to show this information even if the form is submitted to an HTTPS page as long as the host is HTTP.

Apple Mandates the Use of HTTPS Encryption (ATS)

Apple started implementing ATS in late 2015, however developers still have the option to turn off the feature. After some time in 2017 or later (the specific deadline Apple has not yet clearly given, but it is certain that the review of not opening ATS will gradually become stricter, and more reasons will be required), all newly submitted APPs must enable ATS , which means that the newly submitted APP must all use HTTPS content. This has prompted many domestic manufacturers to do HTTPS support.

cPanel Web Hosting Automatically Get Free SSL Certificate Method

The recommended web hosting provider on this site TlOxygen now supports applying for a free SSL certificate. The whole process is simple and will automatically renew! Implementation method: automatically install the acme.sh software for the virtual host, and then automatically execute the installation process. In addition, the virtual host of TlOxygen supports SSH access, so you can also use acme.sh or any other tool to operate it yourself.