At the close of 2013, we made a wish for the upcoming year: With revelations of the NSA's unlawful and unjust data interception programs snooping on much of the critical infrastructure of the Internet still fresh in our minds, one of our big holiday wishes was for 2014 to be the year of web encryption. And as a part of this effort we built the Encrypt the Web Report: a way to keep track of how well web companies and services are doing to encrypt their traffic.
As we look at the year behind us, we're happy to report that although there is still much work to be done, there has been a major boost to TLS adoption Internet-wide. In addition to wide adoption, the implementations have gotten better—with more sites adopting HTTP Strict Transport Security (HSTS), Perfect Forward Secrecy (PFS), and stronger cipher suites. Good thing, too. As it turns out, 2014 was also a year of major vulnerabilities found in existing web encryption technologies.
To kick off the year, Yahoo announced in January that it had made HTTPS the default when accessing Yahoo Mail. Later in the year it made further strides by encrypting the links between its mail servers, and providing encryption in many of its other web properties. In June, the Reset the Net campaign organized by a broad coalition of participants including EFF urged site owners to add HTTPS, HSTS and PFS to their sites.
Heeding the call, Automattic announced that it would be serving pages only over HTTPS for all wordpress.com subdomains by the end of the year, and Tumblr let us know it would be making encryption the default for its 189 million blogs in the same timeline. Early on in the year, Google started preferring secure over unencrypted sites, as they explained on their blog in August. In September, CloudFlare introduced Universal SSL, an offering that provides HTTPS connections for free to every site that uses CloudFlare. And just last month, EFF, along with four other partners, announced Let's Encrypt, a new Certificate Authority that allows operators to encrypt their sites for free, in an automated and open fashion.
In addition to HTTPS becoming more widespread, the encryption has gotten better. The SSL Server Test provides a detailed diagnostic that millions have used to assess and improve their own TLS deployments. More sysadmins are aware of PFS and HSTS, and have been kept working late applying fixes on the seemingly unending array of vulnerabilities discovered in implementations, Heartbleed and POODLE being only the most high-profile cases, with smaller ones affecting Apple SSL and GnuTLS. And finally, Mozilla and Google have announced plans to sunset support in their browsers for certificates signed with the antiquated SHA-1 hash function, the security guarantees of which are quickly eroding.
We expect and hope to see a further progression in the breadth and scope of TLS deployments in the year to come.
This article is part of our Year In Review series; read other articles about the fight for digital rights in 2014. Like what you're reading? EFF is a member-supported nonprofit, powered by donations from individuals around the world. Join us today and defend free speech, privacy, and innovation.