Google yesterday posted an entry on its YouTube Engineering and Developers Blog, detailing the increased encryption achieved by the company for its video streaming site. Over the past few months, Google has slowly bolstered the encryption for YouTube, and now 97 percent of the service's traffic is encrypted using HTTPS.
The encryption-enforcing protocol provides "critical security and data integrity" for any website that uses it, and all of its visitors. YouTube said that three reasons it took the company so long to reach this high level of encryption was because of the heavy traffic the site receives daily, the breadth of devices that HTTPS needs to work on due to YouTube's ubiquity, and "mixed content" that leads to lots of potentially non-secure requests.
We're also proud to be using HTTP Secure Transport Security (HSTS) on youtube.com to cut down on HTTP to HTTPS redirects. This improves both security and latency for end users. Our HSTS lifetime is one year, and we hope to preload this soon in web browsers.
In the real world, we know that any non-secure HTTP traffic could be vulnerable to attackers. All websites and apps should be protected with HTTPS.
YouTube also pointed out that its website isn't at a full 100 percent encryption rate yet because "some devices do not fully support modern HTTPS." It's doing its best to support the widest number of smartphones, tablets, and browsers with the new security protocol, but admitted that down the line, to ensure the safety of all its users, it plans to "gradually phase out insecure connections."