• by P.J. Bednarski , Staff Writer @pjbtweet, August 2, 2016

After two years of work, YouTube can finally say that it is encrypting virtually every connection between users’ devices and the server.

Google software engineer Sean Watson and product manager Jon Levine blogged about it yesterday, declaring that 97% of YouTube’s traffic is now encrypted--that is, accessible with the “https:” prefix that adds an important layer of security to users.

Still, 97% isn’t 100%. Levine and Watson suggest it won’t get much better than that, real quick, because “some devices do not fully support modern HTTPS. Over time, to keep YouTube users as safe as possible, we will gradually phase out insecure connections.”

And they add: “In the real world, we know that any non-secure HTTP traffic could be vulnerable to attackers. All websites and apps should be protected with HTTPS — if you’re a developer that hasn’t yet migrated, get started today.”

I suppose anything Google and YouTube do on the tech end is a massive undertaking, and a massive achievement.  Watson and Levine’s blog confirms that. It took two years to get this far, given “lots of traffic!” and “lots of devices!” We watch videos “on everything from flip phones to to smart TVs.”

They continue, “We A/B tested HTTPS on every device to ensure that users would not be negatively impacted. We found that HTTPS improved quality of experience on most clients: by ensuring content integrity, we virtually eliminated many types of streaming errors.” (A/B testing means YouTube tested two versions of the page to compare performance.)

Tubefilter reports that last spring, Google said 75% of its servers used encrypted connections, though that figure specifically didn’t include YouTube. Now Google and YouTube will begin to report how much of its traffic is encrypted as it tries for the last three percent.

The Web site Android Headlines explains,: “Whenever an insecure request is made from any of its clients Google gets an alert and eventually blocks all mixed content… To cut down all the traffic redirects from HTTP to HTTPS, Google is using HTTP Secure Transport Security (HSTS) on YouTube, which improves both security and latency for end users.”

That would be the ultimate solution, but Levine and Watson point out “some devices do not fully support modern HTTPS. Over time, to keep YouTube users as safe as possible, we will gradually phase out insecure connections.”

pj@mediapost.com