After two years of work, YouTube can finally say that it is encrypting virtually every connection between users’ devices and the server.
Google software engineer
Sean Watson and product manager Jon Levine blogged about it yesterday, declaring that 97% of YouTube’s traffic is now encrypted--that is, accessible with the “https:” prefix that
adds an important layer of security to users.
Still, 97% isn’t 100%. Levine and Watson suggest it won’t get much better than that, real quick, because “some devices
do not fully support modern HTTPS. Over time, to keep YouTube users as safe as possible, we will gradually phase out insecure connections.”
And they add: “In the real
world, we know that any non-secure HTTP traffic could be vulnerable to attackers. All websites and apps should be protected with HTTPS — if you’re a developer that hasn’t yet
migrated, get started today.”
I suppose anything Google and YouTube do on the tech end is a massive undertaking, and a massive achievement. Watson and Levine’s blog
confirms that. It took two years to get this far, given “lots of traffic!” and “lots of devices!” We watch videos “on everything from flip phones to to smart
TVs.”
They continue, “We A/B tested HTTPS on every device to ensure that users would not be negatively impacted. We found that HTTPS improved quality of experience on
most clients: by ensuring content integrity, we virtually eliminated many types of streaming errors.” (A/B testing means YouTube tested two versions of the page to compare performance.)
Tubefilter reports that last spring, Google said 75% of its servers used encrypted
connections, though that figure specifically didn’t include YouTube. Now Google and YouTube will begin to report how much of its traffic is encrypted as it tries for the last three percent.
The Web site Android Headlines explains,: “Whenever an insecure
request is made from any of its clients Google gets an alert and eventually blocks all mixed content… To cut down all the traffic redirects from HTTP to HTTPS, Google is using HTTP Secure
Transport Security (HSTS) on YouTube, which improves both security and latency for end users.”
That would be the ultimate solution, but Levine and Watson point out “some devices do
not fully support modern HTTPS. Over time, to keep YouTube users as safe as possible, we will gradually phase out insecure connections.”
pj@mediapost.com