Hacker News new | past | comments | ask | show | jobs | submit login

Good news for sure, but note that this isn't a total Internet scan:

> We collect data from the browsers of site visitors to our exclusive on-demand network of analytics and social bookmarking products.

More details about their samples: https://netmarketshare.com/methodology

I would be more inclined to trust sources like https://transparencyreport.google.com/https/overview and Firefox Telemetry which come directly from the browsers. But even these do not count data from mobile apps (most of which have to be encrypted now I think), embedded applications, scripts, and APIs.




It's especially weird that their methodology reports "0% secure" traffic as recently as June 2016.


> from mobile apps (most of which have to be encrypted now I think)

Since the end of 2016 on iOS and since Android v9, apps have to communicate over HTTPS. I guess you can technically visit HTTP sites via a browser, but I'd bet that >90% of the traffic from smartphones is over HTTPS.


> since Android v9, apps have to communicate over HTTPS

That isn't true. It is the default but Android lets you override the defaults and use unencrypted traffic both in WebViews and in networking APIs.


It’s not true in iOS either. It’s possible for an app to whitelist specific domains.


Do iOS or Android have any requirements vis a vis HSTS or HPKP?


banking apps require them anyway (because of pci-dss etc)




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: