According to a monthly survey by security researcher Scott Helme, one-third of the largest global websites do not use https encryption.

In his research for November 2021, researcher Scott Helme focuses on techniques that ensure the security of websites. He used a crawler to examine the 1 million most-visited websites worldwide.

In general, the researcher is satisfied with the average website security. He finds that the essential security measures are applied. Yet, strikingly, only 72 percent of all 1 million websites surveyed apply https encryption. This means that just over a quarter (27 percent) do not use the protocol. There’s great room for improvement.

A more positive development is the increasing replacement of TLS 1.1, an outdated encryption protocol. New figures clearly show that this protocol is disappearing in favour of its successors, TLS 1.2 and TLS 1.3. The latter version is in use by more than a third of the websites surveyed.

Certificates

Furthermore, Let’s Encrypt certificates are being used by a quarter of the websites. Its adoption is increasing. The number of Cloudflare certificates grows as well, accounting for about 12.5 percent of the websites.

The use of EV certificates is falling rapidly. According to Helme, it is clear that these certificates will eventually disappear. Google Chrome and Mozilla Firefox discontinuing EV support is a major reason.

More RSA keys than ECDSA keys

Helme also looked at the use of authentication keys. Authentication keys are used for security when negotiating https connections between servers and clients. To his surprise, the researcher found that websites still use RSA keys for this purpose instead of ECDSA keys. Helme says RSA keys are slower and less secure. This can have a significant impact on the performance of the websites concerned. He expected websites to be aware of this and to opt for ECDSA in line with a focus on performance and security. Many websites seem to be either unaware or of a different opinion.