When taken together with its predecessor, Secure Sockets Layer (SSL), the history of TLS goes back to the early days of the commercial internet, in 1994. That’s when Netscape, one of the original browser companies, developed the transit encryption protocol SSL. That protocol was eventually supplanted by the TLS standard developed in 1999 by the Internet Engineering Task Force, a standards body responsible for the protocols that make the internet possible. Although initially deployed mostly to protect passwords or sensitive financial or consumer data such as credit card details, in the twenty years since its inception we have seen transit encryption—and especially HTTPS—grow into perhaps the most important and broadly used technique for protecting the privacy of internet communications.
That shift began slowly in the mid-2000s as some online services, most notably Gmail, allowed savvy users to turn on HTTPS to protect their entire session rather than just when they were logging in. However, after years of pressure from privacy advocates and growing cybersecurity threats—especially from China—Google would turn HTTPS on by default for all of Gmail in 2010. Following Gmail’s lead, a variety of other Google services—and other email and search providers—began slowly testing and adopting deployment of SSL, whether as an option or by default.
That trickle turned into a flood, however, when documents leaked by NSA contractor Edward Snowden in 2013 revealed the extent to which the NSA had been intercepting the traffic of major internet companies, including tapping their private links between data centers. This prompted companies, concerned both about their security and their reputation with international customers, to begin widely deploying transit encryption across their services and between their data centers. This encryption explosion accelerated in 2014 when Cloudflare, a company that offers content distribution and cyberattack mitigation services to a broad swath of the web, turned on HTTPS for all the sites it served, and in 2016 when WordPress—using the newly launched “Let’s Encrypt” certificate authority aiming to make TLS deployment much cheaper and easier—did the same for all of the blogs it hosts.
Now that almost all major online service providers are offering HTTPS by default, the focus is moving to other online sectors, with specific campaigns and tools pushing online news sites and adult entertainment sites to improve their security. In the meantime, the push to encrypt the Web hit a major tipping point by the end of 2016, when for the first time over half of all Web traffic was protected by HTTPS—up from just 13% in 2014.