A large number of the internet's major websites still don't use encryption, or haven't implemented it correctly, potentially exposing their users to hackers and spies.
Despite a widespread movement toward more encryption on the web, which is commonly referred to as HTTPS and signalled with a green lock pad on your browser's address bar, only 25 of the world's top 100 websites use it by default, according to a new survey published by Google on Tuesday.
The internet giant published data on other websites, as well as its own services, in an effort to encourage—and perhaps even shame—more site owners and webmasters to adopt better practices to protect users privacy and security.
"As more people spend more of their time on the web, [encryption] is an increasingly essential element of online security," Google employees Rutledge Chin Feman and Tim Willis wrote in a blog post.
Among the sites that still don't use any encryption, or don't implement it with all modern protections and by default, there's major news sites, such as those of the BBC, The New York Times, and CNN, as well most major porn websites, or retailers like eBay or Amazon.
While another kind of encryption, that protecting data on people's phones, is on everyone's minds, web encryption is also important for regular people's lives. Without that extra "S," which signals the use of the encryption standard Transport Layer Security (TLS), everything you do on a site isn't fully private or secure, allowing anyone that has access to data flowing through the internet to not just see it, but also intercept and manipulate it.
"This planet is going to need a secure medium of communication, and that's going to have to be a secure version of the web."
Not using an encrypted connection means a hacker using the same Wi-Fi at your favorite coffee shop could steal your passwords or banking information, and that your internet service provider can better track your online activity and sell your private data to advertisers. But it also means that a repressive government can know exactly what articles or sites you're visiting, and could even censor only certain pages within a website. Government spies could also take advantage of the lack of encryption to infect your computer with malware or spyware, or use your connection as part of a cyberattack on somebody else.
"HTTPS provides confidentiality (traffic is unintelligible to those without [encryption] keys) and integrity (traffic is verified when it arrives at its destination as being the same traffic that was sent)," Joseph Hall, the chief technologist with the Center for Democracy and Technology, told Motherboard in an online chat. "Integrity is increasingly the value the entire Crypto War is missing, ensuring that any middleman between the browser and the destination cannot add, subtract, or modify content in transit."
That's why privacy and security advocates have been pushing for the whole internet to be encrypted, and not just login portals or pages containing users' private data.
"This planet is going to need a secure medium of communication, and that's going to have to be a secure version of the web," Peter Eckersley, chief computer scientist at the Electronic Frontier Foundation, told Motherboard.
Google has been one of the big companies and organization pushing for more encryption, but others, such as Apple, Mozilla, and the EFF, has all been part of the movement.
Moving to HTTPS isn't like just flipping a switch
There have been several challenges that have been slowing down a fully encrypted web. First of all, getting a TLS or SSL security certificate for a website was expensive and involved considerable bureaucracy. But that's not the reality anymore, thanks to recent initiatives such as Let's Encrypt, and CloudFlare's Universal SSL, which make it easy and free to implement encryption on websites. Last week, the Let's Encrypt project announced that in just three months since its public launch, it has already provided HTTPS certificates for 2.5 million web domains.
However, for websites with a complex infrastructure, and content served by third-parties, such as ads, moving to HTTPS isn't like just flipping a switch. That's why websites, especially news ones, can only be encrypted if the ads they are serving are also encrypted.
In the past, Google has called for more encryption across the internet (including emails) and recently hinted that it wanted to shame all websites that didn't use it. But even Google itself hasn't achieved the dream of going full HTTPS.
Across Google services, 75 percent of user requests now travel over an encrypted connections, up from 52 percent at the end of 2013, according to the company's own data, published in a new section of its transparency report. But that's excluding YouTube, which obviously represent a huge amount of traffic to Google servers. Google for now isn't releasing statistics on the video site, only saying they're working on it. (A company spokesperson declined to comment.)
It's unclear what this means exactly, but it's possible that some parts of YouTube still aren't fully encrypted, or that Google is still surveying the video site's infrastructure. Google reportedly implemented some HTTPS encryption on YouTube back in 2014, when a researcher revealed that governments using tools from surveillance companies such as FinFisher and Hacking Team were taking advantage of unencrypted YouTube video streams to infect targets with spyware.
One thing is clear, while it may be slow, the movement toward a more encrypted web seems unstoppable.
"In 2016 every website needs to be HTTPS, whether it's a new website coming online, or an old one," Eckersley said.