YouTube is the second most popular website around the world, and it’s also a big part of Google, too. Google is taking their user’s security so seriously, that earlier this year Google launched a new section of their Transparency report that highlighted the use of HTTPS encryption. The report showed how much traffic is encrypted for Google products across the web which includes Google Search, Advertising, Google Drive, Finance, Gmail, Maps, and News. Earlier YouTube and Calender weren’t part of the report and Google added both to its report today, claiming that traffic for both the products is currently more than 90% encrypted via HTTPS. Currently, 97% of all the traffic to YouTube is secured via HTTPS connection and 93% of traffic to Google Calendar.
Securing all the connections over YouTube wasn’t the easy for Google too, as millions of users use YouTube daily. Due to lots of traffic, the variety of devices and a large number of requests it wasn’t an easy task for Google. But due to its CDN and hardware acceleration for AES, Google was able to encrypt all the connections virtually without needing to add any physical machines. YouTube is accessible via almost every device from flip phones to latest smart TVs. The team stated that “We A/B tested HTTPS on every device to ensure that users would not be negatively impacted. We found that HTTPS improved the quality of experience for most clients: by ensuring content integrity, we virtually eliminated many types of streaming errors.”
Whenever an insecure request is made from any of its clients Google gets an alert and eventually blocks all mixed content using Content Security Policy on the web, App Transport Security on iOS, and using CleartextTraffic on Android. To cut down all the traffic redirects from HTTP to HTTPS, Google is using HTTP Secure Transport Security (HSTS) on YouTube, which improves both security and latency for end users. The HSTS lifetime is one year, and Google will preload this soon in web browsers. The team also clarified a common question in a blog post writing, “why isn’t YouTube have 100% secure connection? Because some devices do not fully support modern HTTPS. Over time, to keep YouTube users as safe as possible, we will gradually phase out insecure connections.”