Kind of makes you wonder why there's not rudimentary encryption included in HTTP, if everyone is going to have to switch to using a CA-signed public/private key certificate.
Keep in mind, you can't issue a CA-signed certificate immediately. There's always going to be lag time between when a website is resolving to a server and when the CA issues a certificate. 1) It takes time for nameserver changes to take effect and 2) it takes time for the CA to process and issue a certificate.
A lot of this could be solved with self-signed certificates. But no... self-signed certificates were vilified several years ago.
If you buy a domain name and hosting right now, this minute, it will still take several minutes for a CA certificate to be issued for the domain name. And for the most part, cPanel's AutoSSL won't issue a certificate until the night following the domain name being set up.
A self-signed certificate can be set up immediately, because it's not signed by any third party. Sure, it risks MITM attacks, but it provides instant encryption.
So why were self-signed certificates vilified so many years ago?
Why not a small browser message: "This site is using a self-signed certificate", "This site is using a CA-signed certificate" or "This site is using an EV certificate" (see pretty green address bar and everything)? This would essentially make non-HTTPS traffic obsolete.
I think HTTP should be removed if it doesn't give any benefits for users any more.
I also want to know what percentage of websites are using HTTP and how many are using HTTPS. Does anyone share this info?
I think that must take a very long time, many years to decades. All the websites in the world cannot upgrade to HTTPS as easily as clapping hands. Once HTTP is useless (no benefit, as @Maxoq mentioned) they will not use it anymore. I definitely agree with his opinion.
The HTTPS Everywhere extension was perhaps created for this reason, at least partially. It forces HTTP websites to use HTTPS, but I find that it breaks sites. I believe in encryption as much as possible, although there seem to be cautions against it probably because it might be more work than what it pays off.
I think we need to use it for certain types of sites, and I don't mean banking sites. That's another security discussion entirely.
Anywhere personal details are entered and personal communications take place would be a good starting point to have the minimum level of encryption. I'm not just worried about the secure connection, I'm also worried about other ways and points at which the data can be compromised.
I don't want to get off topic too much, so to answer: I feel that it's not a matter of whether every website should be HTTPS as much as it is a matter of when that will be the norm.
Website visitors demand secure (HTTPS) connections to the websites they are interacting with. If you move your site completely to HTTPS, then visitors can be sure that any information passed between their web browser and your web server can be neither stolen nor intercepted, because an encrypted connection has been established using the SSL certificate installed on your server.
A standard SSL certificate is issued by a Certificate Authority (CA) upon successful authentication of a domain name. HTTPS is even good for a site's Search Engine Optimization (SEO). Organization Validation (OV) or Extended Validation (EV) SSL certificates are ideal for sites which accept payments or any sensitive information from an online user. An EV SSL certificate is issued by a CA upon successful authentication of the organization, validated through legal documents. In short, an SSL certificate is used to build more trust in your brand. So it is recommended to migrate a site from HTTP to HTTPS.
There's no arguing that HTTP is becoming obsolete, unattractive, and plain unsafe. However, it's still the foundation of data communication on the Web. I think it's much easier to add an SSL Cert to HTTP and make it HTTPS, than revamping the HTTP protocol completely and introducing a single, secure protocol.
HTTPS works perfectly, and today, there's plenty of ways to secure a website in just a matter of minutes.
The issue I have with the current widespread deployment of DV certificates is the fact that it's got to be domain-validated.
If you register a new domain name and set up a new hosting account, how do you know the exact moment when that domain name is resolving to your server, so it can be domain-validated? There is bound to be a period of time during which the domain is resolving to the server, but an automatic validation system has not picked up the domain and issued a certificate.
Then what happens if that validation system is down for any length of time?
What if that CA is hacked or compromised, rendering all certificates from that CA compromised so that they all have to be reissued?
I would really like to see something like DANE take off, whereby you're not tied down to a particular CA or validation system. I don't think DANE would replace all CA-signed certificates. But if you're just wanting basic security/encryption, then a self-signed certificate with a DANE fingerprint would seem to offer that.
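As an added example (not code from this thread or from any DANE implementation), here is what "self-signed with a DANE fingerprint" looks like in practice, together with the issuer-equals-subject check behind the "this site is using a self-signed certificate" message suggested earlier in the thread. It builds the TLSA record (RFC 6698) for a certificate and shows the client-side match. Everything below is an assumption made for illustration: the certificates are constructed DER skeletons with placeholder names, keys and dummy signature bytes, `example.com` is a placeholder host, and the DNSSEC validation that real DANE relies on is not modelled. To feed it a real certificate, convert it with `openssl x509 -in cert.pem -outform DER -out cert.der` and pass the file's bytes.

```python
import hashlib

# --- minimal DER helpers, enough for the outer X.509 structure ---

def tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def read_tlv(buf: bytes, pos: int = 0):
    """Decode the TLV starting at buf[pos]; return (tag, body, end offset)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, hdr = first, 2
    else:
        k = first & 0x7F
        n, hdr = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), 2 + k
    start = pos + hdr
    return tag, buf[start:start + n], start + n

def children(body: bytes):
    """Split a constructed body into (tag, whole TLV) pairs; encoding is kept for hashing."""
    out, pos = [], 0
    while pos < len(body):
        tag, _, end = read_tlv(body, pos)
        out.append((tag, body[pos:end]))
        pos = end
    return out

def tbs_fields(cert_der: bytes):
    """tbsCertificate fields after the optional explicit [0] version."""
    _, cert_body, _ = read_tlv(cert_der)
    _, tbs_body, _ = read_tlv(children(cert_body)[0][1])
    fields = children(tbs_body)
    return fields[1:] if fields[0][0] == 0xA0 else fields

def spki_from_cert(cert_der: bytes) -> bytes:
    # field order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return tbs_fields(cert_der)[5][1]

def is_self_signed(cert_der: bytes) -> bool:
    # Name check only (issuer DN == subject DN); a browser additionally verifies
    # that the signature validates under the certificate's own public key.
    f = tbs_fields(cert_der)
    return f[2][1] == f[4][1]

# --- TLSA record (RFC 6698): usage, selector, matching type, association data ---

def tlsa_rdata(cert_der: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    data = cert_der if selector == 0 else spki_from_cert(cert_der)   # 0 = full cert, 1 = SPKI
    if mtype == 0:
        assoc = data                                   # exact match
    elif mtype == 1:
        assoc = hashlib.sha256(data).digest()
    elif mtype == 2:
        assoc = hashlib.sha512(data).digest()
    else:
        raise ValueError("unknown matching type")
    return f"{usage} {selector} {mtype} {assoc.hex()}"

def zone_line(host: str, cert_der: bytes, port: int = 443) -> str:
    return f"_{port}._tcp.{host}. IN TLSA {tlsa_rdata(cert_der)}"

def matches_tlsa(cert_der: bytes, rdata: str) -> bool:
    """Client side: does the certificate presented in the handshake match the published record?"""
    usage, selector, mtype, _ = rdata.split()
    return tlsa_rdata(cert_der, int(usage), int(selector), int(mtype)) == rdata.lower()

# --- constructed sample certificates (structurally valid skeletons, dummy signatures) ---

def _name(cn: str) -> bytes:
    # Name ::= SEQUENCE OF SET OF { OID 2.5.4.3 (commonName), UTF8String }
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, cn.encode()))))

def make_cert(serial: int, subject: str, issuer: str, pubkey: bytes) -> bytes:
    sig_alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a8648ce3d040302")))          # ecdsa-with-SHA256
    alg_id = tlv(0x30, tlv(0x06, bytes.fromhex("2a8648ce3d0201"))             # id-ecPublicKey
                    + tlv(0x06, bytes.fromhex("2a8648ce3d030107")))           # prime256v1
    spki = tlv(0x30, alg_id + tlv(0x03, b"\x00" + pubkey))
    validity = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"250101000000Z"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes([serial]))
              + sig_alg + _name(issuer) + validity + _name(subject) + spki)
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00" + bytes(64)))           # dummy signature

KEY_A = b"\x04" + bytes(range(64))          # placeholder uncompressed P-256 point
KEY_B = b"\x04" + bytes([0x42]) * 64
SELF_SIGNED = make_cert(1, "example.com", "example.com", KEY_A)
CA_SIGNED = make_cert(2, "example.com", "Example CA", KEY_A)   # same key, later reissued by a CA
OTHER_KEY = make_cert(3, "example.com", "example.com", KEY_B)  # what an impostor would present

if __name__ == "__main__":
    print(zone_line("example.com", SELF_SIGNED))
    print("self-signed:", is_self_signed(SELF_SIGNED), is_self_signed(CA_SIGNED))
    rec = tlsa_rdata(SELF_SIGNED)
    print("matches:", matches_tlsa(SELF_SIGNED, rec), matches_tlsa(CA_SIGNED, rec), matches_tlsa(OTHER_KEY, rec))
```

The record to publish is the common "3 1 1" form: usage 3 (DANE-EE, trust this end-entity certificate regardless of any CA), selector 1 (pin the SubjectPublicKeyInfo, not the whole certificate) and matching type 1 (SHA-256). Pinning the SPKI rather than the full certificate is what makes the site independent of the signer: the same record stays valid if the self-signed certificate is later replaced by a CA-signed one for the same key, while a certificate for a different key fails the match. The trust in this scheme comes from DNSSEC on the TLSA record, which the snippet does not model; without a validated DNS answer the client has nothing to compare against.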
Yes, non-SSL websites will be marked as not secure within some time. It is the best time to go with SSL.
Nowadays SSL is free of cost, e.g. Let's Encrypt and so on. COMODO and others also have cheap plans. So what's wrong with going with it?