We Encrypted the Web: Year in Review 2021
In 2010, the EFF has launched its campaign to encrypt the whole web– that is, move all websites from the unsecured HTTP protocol to the more secure HTTPS protocol. More than 10 years later, 2021 has brought us even closer to that goal. With various the measure sources Reporting over 90% of encrypted web traffic, 2021 saw major browsers deploy key features to prioritize HTTPS. Thanks to Rags and that of the EFF Certbot, HTTPS deployment has become ubiquitous on the web.
HTTPS by default in all browsers
For more than 10 years, EFF’s HTTPS Everywhere browser extension has provided a much-needed service for users – encrypting their browser’s communications with websites and ensuring they have HTTPS protection where possible. Since we started offering HTTPS Everywhere, the battle for encrypt the web has taken giant leaps: what was once a difficult technical argument is now a consumer standard offered on most web pages. Today, HTTPS is really pretty much everywhere, thanks to the work of organizations like Let’s Encrypt. We’re proud of EFF’s own Certbot tool, which is Let’s Encrypt’s software add-on that helps web administrators automate HTTPS for free.
The goal of HTTPS Everywhere has always been to become redundant. This would mean that we would have achieved our larger goal: a world where HTTPS is so widely available and accessible that users no longer need an additional browser extension to get it. Now that world is closer than ever, with mainstream browsers offering native support for an HTTPS-only mode.
In 2020, Firefox announced a “HTTPS only” mode feature that all users can enable, signaling that the adoption of HTTPS was high enough to implement such a feature. 2021 was the year the other major browsers followed suit, starting with Chrome. introduce a default HTTPS value for browsing when a user types the name of a URL without specifying unsecured HTTP or secure HTTPS. Then in June, Microsoft’s Edge announced an “automatic HTTPS feature” that users can join. Later in July, Chrome announced their “HTTPS-first mode”, which attempts to automatically upgrade all pages to HTTPS or display a warning if HTTPS is not available. Considering Chrome’s dominance in the browser market, this was a huge leap forward in web security. Safari 15 too implemented an HTTPS-first mode in its browsers. However, it does not block unsecured requests like in Firefox, Chrome, and Edge.
With these features deployed, HTTPS is really everywhere, fulfilling the long-standing goal of encrypting the web.
SSL / TLS Libraries Receive Critical Update
SSL / TLS libraries are widely used in the day-to-day critical components of our security infrastructure, such as transporting web traffic. These tools are mostly built in the C programming language. However, C has a long history of memory security vulnerabilities. Thus, the Internet Security Research Group has led the development to build an alternative to certain libraries like OpenSSL in Rust language. Rust is a modern, memory-safe programming language, and Rust’s built-in TLS library has been named “Rustls”. Rustls has also been integrated for support for popular network command line utilities such as Curl. With Rustls, important tools that use TLS can gain memory security and make networks ever more secure and less vulnerable.
Make Certbot more accessible
Since 2015, the EFF Certbot The tool has helped millions of web servers deploy HTTPS by making the certificate process free and easy. This year, we’ve significantly updated the user experience of Cerbot’s command line output for clarity. We have also translation of parts of the website into Farsi in response to user requests, and now we have the Instruction generator available in this language. We hope to add more languages in the future and make the deployment of TLS on websites even more accessible around the world.
On the horizon
Even though we are seeing positive movement from major browsers, the above default HTTPS wins at the end of insecurity FTP support and even Chrome adopting a Root store program– we also observe the potential dangers to these gains. Encrypting the Internet is to perpetuate victories and fight for tighter controls on all devices and major services.
HTTPS is ubiquitous on the web in 2021, and this victory is the result of more than a decade of work by EFF, our partners and supporters who have believed in the dream of encrypting the web every step of the way.
Thank you for your support in the fight for a safer and more secure Internet.
This article is part of our Year in Review series. Read more articles on the fight for digital rights in 2021.