Most Top Websites Still Don’t Use a Basic Security Feature

EVERY TIME YOU PayPal someone, or send a Gmail, or log into Facebook, a layer of encryption protects the information that zips across the Internet. These sites all use HTTPS, an added layer of security to the standard HTTP protocol that facilitates web communication. But as a new Google report shows, an alarmingly small number of the web’s most-trafficked sites use this vital security protocol.

The Google audit shows that 79 of the web’s top 100 non-Google sites don’t deploy HTTPS by default, while 67 of those use either outdated encryption technology or offer none at all. The worst offenders include big names, like the New York Times and IMDB. (For what it’s worth, WIRED doesn’t currently offer HTTPS either. But we’re working on it.) That’s a big number, especially considering that these 100 sites combined comprise about 25 percent of all website traffic worldwide. It turns out that we’ve got a very vulnerable web.

“If you’re on HTTP, the entire URL and page content is visible to anyone on the network between you and that site. Every page you went to on that site. Any search terms. What articles you’re reading,” says Tim Willis, HTTPS Evangelist at Google. “If you’re on HTTPS, only the domain of the website is visible and not the page you’re looking at. Anyone on the network can still tell what website you went to, but it’s very difficult to determine what you did on that site.”

“HTTPS is the cornerstone of our online security and privacy, whether we are doing banking or sending family photos,” says Jérôme Segura, a security researcher at Malwarebytes. “Without encryption, our private information can be intercepted, manipulated, and stolen by attackers sitting on the same network.” To read more from BRIAN BARRETT.