With security breaches to the left and right of us, we need our internet connections to be nailed down. To make that happen, we're increasingly using Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates on all our websites. One company that figured out this was a smart move long ago was Google.
For example, Google recently started marking all websites that don't use HTTPS, SSL/TLS security over a web link, as unsafe. More recently still, Google started forcing visitors to the main Google search site to use an HTTPS connection. In addition, over the last two years, Google has steadily rolled out HTTPS to 97 percent of YouTube's traffic.
This wasn't easy. With a run-of-the-mill website all you must deal with is text and images. With YouTube you've got monstrous amounts of video data streaming to thousands of different kinds of devices.
As two Google engineers explained, what took them so long to secure almost all YouTube traffic were the following challenges:
- "Lots of traffic! Our CDN [Content Delivery Network], the Google Global Cache, serves a massive amount of video, and migrating it all to HTTPS is no small feat. Luckily, hardware acceleration for AES [Advanced Encryption Standard] is widespread, so we were able to encrypt virtually all video serving without adding machines. (Yes, HTTPS is fast now.)
- "Lots of devices! You watch YouTube videos on everything from flip phones to smart TVs. We A/B tested HTTPS on every device to ensure that users would not be negatively impacted. We found that HTTPS improved quality of experience on most clients: by ensuring content integrity, we virtually eliminated many types of streaming errors.
- "Lots of requests! Mixed content -- any insecure request made in a secure context -- poses a challenge for any large website or app. We get an alert when an insecure request is made from any of our clients and will block all mixed content using Content Security Policy on the web, App Transport Security on iOS, and usesCleartextTraffic on Android. Ads on YouTube have used HTTPS since 2014."
So, why isn't Google at 100 percent? Well, it's like this: some devices still don't fully support modern HTTPS. Google's patience is beginning to run thin. "Over time, to keep YouTube users as safe as possible, we will gradually phase out insecure connections."
To help this happen, Google is also implementing HTTP Strict Transport Security -- HSTS for short -- on YouTube. HSTS prevents people from accidentally navigating to unsafe HTTP URLs by automatically converting insecure HTTP URLs into secure HTTPS URLs. This protects you whether you type, copy and paste, or just follow an HTTP link to your video.
That's the good news. The bad news is that since it's so easy now to get a low-level SSL certificate, malware sites are now harnessing SSL to disguise their activities.
Sigh! This is why we can't have nice things.
Still, HTTPS offers far more protection than a site without it. And, since few people bother to check video security, Google adding HTTPS to almost all YouTube connections is still a major step forward in practical internet security.