Google Says 97% Of Connections To YouTube Are Now Encrypted

Google said Monday that HTTPS now accounts for 97% of all connections to YouTube. In a blog post, the video portal made the announcement, also underscoring the challenges it faced making the site more secure. TechCrunch reports:Given its massive scale, YouTube obviously presents some extra challenges for Google. But the company argues that its Global Cache content delivery network is able to handle encrypted connections relatively easily, in large parts because hardware acceleration for AES, the algorithm at the core of the HTTPS protocol, is now ubiquitous. Google also argues that using HTTPS connections has improved the user experience on YouTube. "You watch YouTube videos on everything from flip phones to smart TVs," the team writes today. "We A/B tested HTTPS on every device to ensure that users would not be negatively impacted. We found that HTTPS improved quality of experience on most clients: by ensuring content integrity, we virtually eliminated many types of streaming errors."

How is it not 100%?

[The-Ixian]

I thought that all Google properties redirected to HTTPS now....

Re:How is it not 100%?

[TFlan91]

The summary links to a summary of the original post.

In the original post:

> 97% for YouTube is pretty good, but why isn't YouTube at 100%? In short, some devices do not fully support modern HTTPS. Over time, to keep YouTube users
> as safe as possible, we will gradually phase out insecure connections.

I suspect TV's are a big perpetrator

Re:How is it not 100%?

Next thing they (browser makers, app makers, etc.) need to do is use certificate pinning so these stupid man in the middle attacks (often done at companies without the knowledge of their employees so that companies can scoop up everything everyone is doing on the internet and resulting in things like employees credit card numbers and government ID numbers being in semi secure corporate databases) can be prevented. Well, prevented is a strong word - but at least the app / browser would say that the certificate is wrong and stop the transaction. Some apps are moving to certificate pinning; we need more of them to do this.

Re:How is it not 100%?

So is this good news or bad news? It is not clear from the damn summary who am I supposed to be outraged about: microsoft, apple, google, emacs, etc. We are all here to let the accusations fly!

Re:How is it not 100%?

[aaarrrgggh]

Honest question... what does a responsible employer do for enforcing acceptable use policies, and ensuring they do not create "hostile workplace" issues with employees looking at porn... or whatever? What does the responsible employer do to ensure people aren't running rogue Team Viewer sessions for remove access?

For me, I just kind of ignore the threat vectors and issues... but that is just sticking my head in the sand.

Re:How is it not 100%?

[swillden]

what does a responsible employer do for enforcing acceptable use policies, and ensuring they do not create "hostile workplace" issues with employees looking at porn... or whatever?

Address these issues with people, not with technology. Make sure everyone understands what the requirements are, and make sure everyone understands there's an open door for reporting issues that will have zero negative consequences for the reporter. And then institute a careful process for reviewing and investigating complaints... and hammer proven offenders.

Yeah, it's a lot harder and a lot more work than just monitoring network connections, but it also addresses a lot more issues. Frankly, you need good people management policies and processes in place whether you're monitoring network connections or not... and if you have them, you don't need to monitor network connections.

Re:How is it not 100%?

Address these issues with people, not with technology.

Problem with that is that it requires people, many or most of whom are managers, to get off their fat spongy asses and actually do their jobs. And that's not really fair, is it? Especially when they've been getting away with not doing them for so long.

Re:How is it not 100%?

[MooseTick]

"employees credit card numbers and government ID numbers being in semi secure corporate databases"

Most man-in-the-middle coming from corporate america is to see where you are going, not storing POST data. And if they are, they could tell you they are doing it and if you have a problem with that, use web sites that require govt IDs and credit cards at home. I can't think of a time I had to use my SSN (which was never intended to be a secret) or credit card # for work via the Internet. And realistically, if they get hacked then you wouldn't be liable anyway. Have you ever heard of someone being a victim of identity theft and being compelled to pay for what the thieves took? I've had my Debit card # stolen 3 different times. Every time I told the bank I didn't make those charges, they had me sign something to that effect, and I was credited for those charges within a few days. No biggie.

Re:How is it not 100%?

[swillden]

Most man-in-the-middle coming from corporate america is to see where you are going, not storing POST data.

MITM isn't necessary to see where you're going. SSL doesn't obscure the IP you're connecting to, nor the domain name your DNS client looked up to get that IP address.

Irrelevant

[johannesg]

The biggest spy of them all is running the backend...

Re:Irrelevant

Verisign?

Re:Irrelevant

[swillden]

The biggest spy of them all is running the backend...

Even if we grant your premise about Google (which I don't, but am not interested in arguing it), that doesn't make it irrelevant, not at all. We generally think of encryption as a tool to ensure that no one can read data, but in this case it's more important that it prevents anyone from manipulating the data. Data sent to you unencrypted (and unauthenticated) can be modified by any party sitting between you and the server, which means that anyone sitting on that path can inject malware to exploit vulnerabilities in your local system.

TLS encrypts all of the streams, yes, but for most web traffic it's actually far more important that it MACs the streams. And of course that it authenticates the server before doing the key exchange which enables the MACing and verification.

Re:Irrelevant

[johannesg]

Indeed, it would be a tragedy if your funny cat movies were altered in some way.

Re:Irrelevant

[swillden]

Indeed, it would be a tragedy if your funny cat movies were altered in some way.

It would be a tragedy if your funny cat movies were used to steal all of your data and add your computer to a botnet.

You should try reading posts before replying to them. Especially when they're short.

...except for the biggest one.

[fishscene]

"we virtually eliminated many types of streaming errors." - except, you know, the issue of the video stopping playback in the middle of watching because it won't buffer the remaining video. It's the *only* issue of playback I've had for years. Recently, youtube started blaming connection problems, but everyone knows that isn't the issue at all. Anyone else experience errors being fixed? Because I've only had 1 and it isn't fixed.

Re: ...except for the biggest one.

[corychristison]

Can't say I've ever really experienced that problem.

If you have a slow connection, or poor wireless connection I could see it dropping out. But even then Youtube will switch to lower resolution streams if it notices a poor/slow connection. Perhaps this switch is where your problem is occuring?

Re: ...except for the biggest one.

Actually, I've been experiencing the same bug. It started when they added the auto quality setting. To work around it I have to manually set which quality I want on every video. I can pick any quality and YouTube won't get stuck buffering, but if I leave it on Auto I have a 50/50 chance that the video just stops at some point.
It doesn't happen on mobile, go figure.
I have tried Firefox and Chrome and had this happen.

Re:...except for the biggest one.

[lgw]

I had 2 kinds of problem now. The forst is what you mention - some videos just won't play past a certain point, regardless of quality settings. When I can stream other videos just fine in HD, but this particular one won't play even at 240p, it's your CDN Google, it's not my connection.

The other I'm getting more and more frequently is the "static screen", where my client can't even start playing the video. Mostly on IE, but also on FF and Pale Moon (old FF, really), and on machines with Flash and without. I was hoping that was a Flash vs no Flash problem that would sort itself out, but no. Refreshing the tab sometimes helps, but it really seems like a client-side issue. OK Google, it's starting to be obvious that you want non-Chrome browsers to have occasional playback issues.

Re:...except for the biggest one.

[swb]

I've run into this with old, very low-view count videos, including the only one I've ever uploaded to YouTube.

My assumption was always some kind of cache miss thing, as even Google wouldn't possibly cache a video from 2007 with 12 views close enough for seamless streaming.

Re:...except for the biggest one.

(Or it's your ISP, if Hulu or someone else paid them to throttle youtube traffic)

That said, Google changed their streaming protocol years ago instead of using HTTP ranges they used some other thing and that other thing would regularly time out and refuse to reconnect if you left the video paused.

Re:...except for the biggest one.

[lgw]

When I can stream other videos just fine in HD, but this particular one won't play even at 240p, it's your CDN Google, it's not my connection.

(Or it's your ISP, if Hulu or someone else paid them to throttle youtube traffic)

Yeah, no.

hat said, Google changed their streaming protocol years ago instead of using HTTP ranges they used some other thing and that other thing would regularly time out and refuse to reconnect if you left the video paused.

That's just normal YouTube: leave it paused too long, and you'll need to refresh and watch a new commercial, and sometimes lose your place.

This is "won't play beyond the first 90 seconds (or so) of video no matter what you do". Note that CDNs often cache the first minute-ish of videos at the outer layer, so that they can start playing instantly while they connect to layers further back to get the rest of the video ready to play.

Re:...except for the biggest one.

[Stinky+Cheese+Man]

the "static screen", where my client can't even start playing the video...

That happens all the time on one of my computers with FF. Double-clicking the || (pause) button usually fixes it for me. YMMV.

Re:...except for the biggest one.

[AmiMoJo]

The static screen is often because YouTube failed to play an ad, due you your ad-blocker. Just hit refresh and it will play most of the time.

Re:...except for the biggest one.

[lgw]

That ... actually makes a lot of sense, thanks.

Re: ...except for the biggest one.

[Ash-Fox]

I only heard this complaint from people that use adblockers, every one that tried YouTube after disabling it told me it worked fine now.

Re:...except for the biggest one.

Seems to me they aren't being direct in the types of problems they are addressing. I could be wrong, but I think those are:

1) Injection of ads by third parties when watching YouTube videos
2) Throttling of bandwidth by ISPs when watching YouTube videos

By encapsulating the connection in https, that should(?) help address these problems. Problems for users and problems for Google's own app/ad experience.

Re:Finally!

Am I the only one that thinks this is gibberish?

97%

Isn't it a bit strange that it's exactly 97%?

Cat Videos

This is a great step forward for privacy. The NSA does not need to know what cat videos I'm watching.

Re:Cat Videos

[fph+il+quozientatore]

Oh, honey, you think the NSA can't access it just because it's HTTPS?

HTTPS?

[fustakrakich]

Is that supposed to mean something?

Cookies have been re-branded as "Certificates"... or secure cookies

Re:Finally!

[uCallHimDrJ0NES]

Am I the only one that thinks this is gibberish?

My typewriter monkey wrote it. I don't know what it means.

Ninety-seven percent!

Given its massive scale, YouDrumpf obviously presents some extra challenges for Goodrumpf. But the company argues that its Drumpf Cache content delivery network is able to handle encrypted connections relatively easily, in large parts because hardware acceleration for ADS, the algorithm at the core of the HDTPS protocol, is now ubiquitous. Goodrumpf also argues that using HDTPS connections has improved the user experience on YouDrumpf. "You watch YouDrumpf videos on everything from flip drumpfs to smart TVs," the team writes today. "We D/D tested HDTPS on every drumpf to ensure that users would not be negatively impacted. We found that HDTPS improved quality of drumpf on most clients: by ensuring drumpf integrity, we virtually eliminated many types of drumpfing errors."

Not mine

[JoeWalsh]

I'm blocking all HTTPS traffic. I don't trust it. What are they trying to hide?

Re:Not mine

[110010001000]

They aren't hiding anything. People talk about https and network security, but they don't seem to realize that the endpoints (Google, Apple, Microsoft, etc) are the ones with the unencrypted access to the data. And they will hand it over to whatever agency requests it, or whoever pays enough for it. No one is bothering breaking https connections to get to your data. They just ask the corporations for it.

Re:Not mine

[JustAnotherOldGuy]

Let me be the first to say, "WHOOOOOOOOOSH!!"

Re:Not mine

[NotInHere]

Yeah they only started to dislike the encryption plans when the companies made it so that even they themselves can't access the communication contents.

Re:Finally!

[JustAnotherOldGuy]

It's word salad with some punctuation.

Re:Finally!

[uCallHimDrJ0NES]

It's word salad with some punctuation.

I agree. Any meanings found in those words are the products of the readers's sick, twisted minds. Let's debate the use of apostrophe s at the end of plural nouns now.

So no more caching without MITM

Bad move from google, since it ends in no more youtube caching with a local suid proxy for locations with more users than bandwidth...

Re: So no more caching without MITM

This whole thing is just PR for the business reason to stream ads without interference. Caching, efficient delivery - they don't care about it. People could flip out their ads for someone else's. Something that keeps google up at night. So everyone drinks down the cool aid of 'security'.

Even slashdot...

5 eyes still get 100% :)

[AHuxley]

That end user encryption has to stop at some point for the ads to work. The 5 nations security services, their staff and their other contractors will be waiting for all the decrypted data in real time.
PRISM (surveillance program) https://en.wikipedia.org/wiki/...

OH YOU IGNORANT SPY MOTHER FUCKING CUNTS

Nothing between you and YouTube is private except login. Anything you watch is public, anything you write is public, anything you upload will not be eavesdropped on anybody but the US spy agencies. And Google is a US spy shop. Eric Schmidt = Pentagon. Not a big secret.

All actual traffic is still monitored by timestamp at the least and by browser signature in all but the wisest cases. Total fingerprint of your screen is harvested by YouTube and Google.

So this is a story about some lying fucking bitches pretending their site is secure when it is a spy shop.

And.. to top it off if you are using Windows 10... your keystrokes are logged AND your history is "someplace nice and cozy" on your machine just in case oh I don't know? Maybe somebody else forgot what you surfed?

Just start smashing spies on sight. If a company is so low-down to backstab the public and lie to everyone, just go ahead and fuck their shit up.

Use youtube-dl for reliability, no ads

[KWTm]

Sometimes I will get various errors. If/when I do, I just use youtube-dl to download the video. (I wonder why my hyperlink doesn't show up in the preceding sentence? Anyway, see "https://rg3.github.io/youtube-dl/" for more info.)

Advantages:
- no ads!
- Allows me to play the video with (S)Mplayer, so I can increase the playback speed by 10% (30% in the case of instructional videos that should havve been replaced by a text article in the first place) or 100% if I'm just fast-forwarding looking for an interesting part.
- Allows me to keep the video, so next time I don't have to stream it again
- waits till I start the video when I want, as opposed to multiple videos starting simultaneously when I open new tabs for each video in which I am interested. Also does not autostart the next video (which, to be sure, can be turned off on the web page itself, too).

Disadvantages:
- it's a command-line interface
- I got around this by writing a script to grab the URL from the clipboard, so now I just Right-Click on the YouTube link in Firefox, Copy Link Location, and then run my script in bash (a two-key process with UpArrow-Enter).
- you have to wait for it to finish downloading, so by definition this is not streaming. Generally not a problem for me: I wrote a script to queue the youtube-dl downloads, so that before one video is done downloading, I can stick other videos in the queue. Generally I might stick a dozen or so videos in the queue, and when the first one is done downloading, I start watching while the rest are downloading.

Re:Finally!

Have you considered claiming your inability to communicate clearly as a disability?