Bulletproof TLS Newsletter #23
2016: The year HTTPS became dominant
4 January 2017
Author: Hanno Böck

This issue was distributed to 32,915 email subscribers.

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space.

In this issue:

  1. A look back on 2016: The year HTTPS became dominant
  2. Short news

2016: The year HTTPS became dominant

We’re looking back at an eventful year in the TLS space. The most notable development in 2016 was that the web finally began adopting HTTPS as its default.

Countless web sites and organizations have switched their default to the secure transport protocol in the past year: Wordpress.org, The Guardian, Wired, SourceForge, Blogspot and many more. According to Mozilla’s telemetry data, TLS-encrypted traffic surpassed 50 percent in October. There’s still a huge chunk of the web that is not encrypted, and it’ll probably take many more years before plain HTTP can be disabled.

We’ve also seen some notable new attacks: SLOTH, Sweet32 and DROWN reminded us that old, insecure algorithms still pose a threat. The nonce reuse attack showed how fatal implementation flaws can be. And the rediscovered HEIST/TIME attack highlights the still unsolved problem of combining encryption with compression.

Certificate authorities continue to be a concern when it comes to the security of TLS; the case of WoSign and StartCom is a reminder of that. However, thanks to Certificate Transparency - which will be required for all new certificates starting October 2017 - misuse of certificates is now far easier to detect.

We already have a very good idea of what the dominant topic in 2017 will be: TLS 1.3 is around the corner and will provide both better security and better performance for encrypted connections.

Short news