Security Experts:

Google Tracks Use of HTTPS on Top 100 Websites

Google announced on Tuesday that its transparency report now includes a section dedicated to monitoring the use of HTTPS on the world’s top 100 websites.

Data protection and privacy have become increasingly important, and many organizations have started moving their websites and services to HTTPS. However, the migration process can prove challenging for large services.

Google has been working on implementing HTTPS by default across its services, but the search giant says it still has a long way to go until all its products are protected. In the meantime, the company launched a new transparency report that tracks the progress of encryption efforts for both its own products and the world’s most visited websites.

Google will be tracking the state of HTTPS on the world’s top 100 third-party websites, which, based on data from Alexa and Google, are believed to account for roughly a quarter of all global website traffic.

The list of websites that already run a modern TLS configuration (i.e. offer TLS v1.2 with a cipher suite that uses an AEAD mode of operation) and have HTTPS by default includes,,,,,,,,,,,,, and

Google’s new tracking service shows that websites such as Amazon work on HTTPS and have a modern TLS configuration, but default HTTPS has yet to be implemented. There is also a long list of popular websites that still don’t work on HTTPS or don’t have a modern TLS configuration, including sites owned by Alibaba, Amazon, Apple, Baidu, Microsoft, eBay, and many news companies.

Google says it’s prepared to work with all these top websites to help them move to HTTPS by the end of 2016.

“Implementing encryption is not easy work. But, as more people spend more of their time on the web, it’s an increasingly essential element of online security. We hope this report will provide a snapshot of our own encryption efforts and will encourage everyone to make HTTPS the default on the web, even faster,” Rutledge Chin Feman and Tim Willis, HTTPS Evangelists at Google, wrote in a blog post.

The new service also includes a certificate transparency feature that allows users and admins to check the name of the certificate issuer for a specified website. The search can also be configured to include expired certificates and certificates issued for subdomains.

Related: Google to Remove Symantec Root Certificate From Products

Related: Google Considers Early Rejection of SHA-1 Certificates

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.