Slashdot Mirror


Google Says 97% Of Connections To YouTube Are Now Encrypted (techcrunch.com)

Google said Monday that HTTPS now accounts for 97% of all connections to YouTube. In a blog post, the video portal made the announcement, also underscoring the challenges it faced making the site more secure. TechCrunch reports: Given its massive scale, YouTube obviously presents some extra challenges for Google. But the company argues that its Global Cache content delivery network is able to handle encrypted connections relatively easily, in large parts because hardware acceleration for AES, the algorithm at the core of the HTTPS protocol, is now ubiquitous. Google also argues that using HTTPS connections has improved the user experience on YouTube. "You watch YouTube videos on everything from flip phones to smart TVs," the team writes today. "We A/B tested HTTPS on every device to ensure that users would not be negatively impacted. We found that HTTPS improved quality of experience on most clients: by ensuring content integrity, we virtually eliminated many types of streaming errors."

31 of 46 comments

  1. How is it not 100%? by The-Ixian · · Score: 1

    I thought that all Google properties redirected to HTTPS now....

    --
    My eyes reflect the stars and a smile lights up my face.
    1. Re:How is it not 100%? by TFlan91 · · Score: 3, Informative

      The summary links to a summary of the original post.

      In the original post:

      > 97% for YouTube is pretty good, but why isn't YouTube at 100%? In short, some devices do not fully support modern HTTPS. Over time, to keep YouTube users
      > as safe as possible, we will gradually phase out insecure connections.

      I suspect TVs are a big perpetrator

    2. Re:How is it not 100%? by Anonymous Coward · · Score: 1

      Next thing they (browser makers, app makers, etc.) need to do is use certificate pinning so these stupid man in the middle attacks (often done at companies without the knowledge of their employees so that companies can scoop up everything everyone is doing on the internet and resulting in things like employees credit card numbers and government ID numbers being in semi secure corporate databases) can be prevented. Well, prevented is a strong word - but at least the app / browser would say that the certificate is wrong and stop the transaction. Some apps are moving to certificate pinning; we need more of them to do this.

    3. Re:How is it not 100%? by swillden · · Score: 3, Insightful

      > what does a responsible employer do for enforcing acceptable use policies, and ensuring they do not create "hostile workplace" issues with employees looking at porn... or whatever?

      Address these issues with people, not with technology. Make sure everyone understands what the requirements are, and make sure everyone understands there's an open door for reporting issues that will have zero negative consequences for the reporter. And then institute a careful process for reviewing and investigating complaints... and hammer proven offenders.

      Yeah, it's a lot harder and a lot more work than just monitoring network connections, but it also addresses a lot more issues. Frankly, you need good people management policies and processes in place whether you're monitoring network connections or not... and if you have them, you don't need to monitor network connections.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    4. Re:How is it not 100%? by MooseTick · · Score: 1

      "employees credit card numbers and government ID numbers being in semi secure corporate databases"

      Most man-in-the-middle coming from corporate america is to see where you are going, not storing POST data. And if they are, they could tell you they are doing it and if you have a problem with that, use web sites that require govt IDs and credit cards at home. I can't think of a time I had to use my SSN (which was never intended to be a secret) or credit card # for work via the Internet. And realistically, if they get hacked then you wouldn't be liable anyway. Have you ever heard of someone being a victim of identity theft and being compelled to pay for what the thieves took? I've had my Debit card # stolen 3 different times. Every time I told the bank I didn't make those charges, they had me sign something to that effect, and I was credited for those charges within a few days. No biggie.

    5. Re:How is it not 100%? by swillden · · Score: 1

      > Most man-in-the-middle coming from corporate america is to see where you are going, not storing POST data.

      MITM isn't necessary to see where you're going. SSL doesn't obscure the IP you're connecting to, nor the domain name your DNS client looked up to get that IP address.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  2. Irrelevant by johannesg · · Score: 2

    The biggest spy of them all is running the backend...

    1. Re:Irrelevant by Anonymous Coward · · Score: 2, Funny

      Verisign?

    2. Re:Irrelevant by swillden · · Score: 2

      > The biggest spy of them all is running the backend...

      Even if we grant your premise about Google (which I don't, but am not interested in arguing it), that doesn't make it irrelevant, not at all. We generally think of encryption as a tool to ensure that no one can read data, but in this case it's more important that it prevents anyone from manipulating the data. Data sent to you unencrypted (and unauthenticated) can be modified by any party sitting between you and the server, which means that anyone sitting on that path can inject malware to exploit vulnerabilities in your local system.

      TLS encrypts all of the streams, yes, but for most web traffic it's actually far more important that it MACs the streams. And of course that it authenticates the server before doing the key exchange which enables the MACing and verification.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
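The point in the comment above, that the MAC matters more than the encryption, shown as an added example that is not part of the original thread. The SHA-256 counter-mode keystream is a toy stand-in chosen for brevity and the record contents are constructed; real TLS builds its records differently.

```python
import hashlib, hmac, os

def keystream(key, nonce, n):
    # Toy stream cipher (SHA-256 in counter mode), for illustration only.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def seal(enc_key, mac_key, nonce, plaintext):
    """Encrypt, then MAC the nonce and ciphertext."""
    ct = xor(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct, tag

def open_encrypted_only(enc_key, nonce, ct):
    """Receiver that decrypts but checks nothing."""
    return xor(ct, keystream(enc_key, nonce, len(ct)))

def open_authenticated(enc_key, mac_key, nonce, ct, tag):
    """Receiver that verifies the MAC before using any byte."""
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("MAC mismatch: record was modified in transit")
    return open_encrypted_only(enc_key, nonce, ct)

def modify_in_transit(ct, offset, known, wanted):
    """What a box on the path can do with no key: XOR in a difference."""
    delta = xor(known, wanted)
    end = offset + len(delta)
    return ct[:offset] + xor(ct[offset:end], delta) + ct[end:]

def demo():
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(12)
    record = b"chunk=0007;next=/seg/0008.ts"   # constructed sample record
    ct, tag = seal(enc_key, mac_key, nonce, record)
    bad = modify_in_transit(ct, record.index(b"0008"), b"0008", b"9999")
    silently_accepted = open_encrypted_only(enc_key, nonce, bad)
    try:
        open_authenticated(enc_key, mac_key, nonce, bad, tag)
        rejected = False
    except ValueError:
        rejected = True
    intact = open_authenticated(enc_key, mac_key, nonce, ct, tag)
    return silently_accepted, rejected, intact

if __name__ == "__main__":
    print(demo())
```

The encrypt-only receiver returns the altered record without any error, while the MAC-checking receiver rejects it and still accepts the untouched one.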
    3. Re:Irrelevant by johannesg · · Score: 1

      Indeed, it would be a tragedy if your funny cat movies were altered in some way.

    4. Re:Irrelevant by swillden · · Score: 1

      > Indeed, it would be a tragedy if your funny cat movies were altered in some way.

      It would be a tragedy if your funny cat movies were used to steal all of your data and add your computer to a botnet.

      You should try reading posts before replying to them. Especially when they're short.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  3. ...except for the biggest one. by fishscene · · Score: 1

    "we virtually eliminated many types of streaming errors." - except, you know, the issue of the video stopping playback in the middle of watching because it won't buffer the remaining video. It's the *only* issue of playback I've had for years. Recently, youtube started blaming connection problems, but everyone knows that isn't the issue at all. Anyone else experience errors being fixed? Because I've only had 1 and it isn't fixed.

    1. Re: ...except for the biggest one. by corychristison · · Score: 1

      Can't say I've ever really experienced that problem.

      If you have a slow connection, or poor wireless connection I could see it dropping out. But even then Youtube will switch to lower resolution streams if it notices a poor/slow connection. Perhaps this switch is where your problem is occurring?

    2. Re: ...except for the biggest one. by Anonymous Coward · · Score: 1

      Actually, I've been experiencing the same bug. It started when they added the auto quality setting. To work around it I have to manually set which quality I want on every video. I can pick any quality and YouTube won't get stuck buffering, but if I leave it on Auto I have a 50/50 chance that the video just stops at some point.
      It doesn't happen on mobile, go figure.
      I have tried Firefox and Chrome and had this happen.

    3. Re:...except for the biggest one. by lgw · · Score: 2

      I had 2 kinds of problem now. The first is what you mention - some videos just won't play past a certain point, regardless of quality settings. When I can stream other videos just fine in HD, but this particular one won't play even at 240p, it's your CDN Google, it's not my connection.

      The other I'm getting more and more frequently is the "static screen", where my client can't even start playing the video. Mostly on IE, but also on FF and Pale Moon (old FF, really), and on machines with Flash and without. I was hoping that was a Flash vs no Flash problem that would sort itself out, but no. Refreshing the tab sometimes helps, but it really seems like a client-side issue. OK Google, it's starting to be obvious that you want non-Chrome browsers to have occasional playback issues.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    4. Re:...except for the biggest one. by swb · · Score: 2

      I've run into this with old, very low-view count videos, including the only one I've ever uploaded to YouTube.

      My assumption was always some kind of cache miss thing, as even Google wouldn't possibly cache a video from 2007 with 12 views close enough for seamless streaming.

    5. Re:...except for the biggest one. by lgw · · Score: 1

      > When I can stream other videos just fine in HD, but this particular one won't play even at 240p, it's your CDN Google, it's not my connection.

      > (Or it's your ISP, if Hulu or someone else paid them to throttle youtube traffic)

      Yeah, no.

      > That said, Google changed their streaming protocol years ago instead of using HTTP ranges they used some other thing and that other thing would regularly time out and refuse to reconnect if you left the video paused.

      That's just normal YouTube: leave it paused too long, and you'll need to refresh and watch a new commercial, and sometimes lose your place.

      This is "won't play beyond the first 90 seconds (or so) of video no matter what you do". Note that CDNs often cache the first minute-ish of videos at the outer layer, so that they can start playing instantly while they connect to layers further back to get the rest of the video ready to play.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    6. Re:...except for the biggest one. by Stinky+Cheese+Man · · Score: 1

      > the "static screen", where my client can't even start playing the video...

      That happens all the time on one of my computers with FF. Double-clicking the || (pause) button usually fixes it for me. YMMV.

    7. Re:...except for the biggest one. by AmiMoJo · · Score: 2

      The static screen is often because YouTube failed to play an ad, due to your ad-blocker. Just hit refresh and it will play most of the time.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    8. Re:...except for the biggest one. by lgw · · Score: 1

      That ... actually makes a lot of sense, thanks.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    9. Re: ...except for the biggest one. by Ash-Fox · · Score: 1

      I only heard this complaint from people that use adblockers, every one that tried YouTube after disabling it told me it worked fine now.

      --
      Change is certain; progress is not obligatory.
  4. HTTPS? by fustakrakich · · Score: 1

    Is that supposed to mean something?

    Cookies have been re-branded as "Certificates"... or secure cookies

    --
    “He’s not deformed, he’s just drunk!”
  5. Re:Finally! by uCallHimDrJ0NES · · Score: 1

    Am I the only one that thinks this is gibberish?

    My typewriter monkey wrote it. I don't know what it means.

    --
    Cloudiot: A person who does not see offsite storage as a way to lose control over access to his or her own data.
  6. Re:Cat Videos by fph+il+quozientatore · · Score: 1

    Oh, honey, you think the NSA can't access it just because it's HTTPS?

    --
    My first program:

    Hell Segmentation fault

  7. Not mine by JoeWalsh · · Score: 1

    I'm blocking all HTTPS traffic. I don't trust it. What are they trying to hide?

    1. Re:Not mine by JustAnotherOldGuy · · Score: 1

      Let me be the first to say, "WHOOOOOOOOOSH!!"

      --
      Just cruising through this digital world at 33 1/3 rpm...
    2. Re:Not mine by NotInHere · · Score: 1

      Yeah they only started to dislike the encryption plans when the companies made it so that even they themselves can't access the communication contents.

  8. Re:Finally! by JustAnotherOldGuy · · Score: 1

    It's word salad with some punctuation.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  9. Re: So no more caching without MITM by Anonymous Coward · · Score: 1

    This whole thing is just PR for the business reason to stream ads without interference. Caching, efficient delivery - they don't care about it. People could flip out their ads for someone else's. Something that keeps google up at night. So everyone drinks down the cool aid of 'security'.

    Even slashdot...

  10. 5 eyes still get 100% :) by AHuxley · · Score: 1

    That end user encryption has to stop at some point for the ads to work. The 5 nations security services, their staff and their other contractors will be waiting for all the decrypted data in real time.
    PRISM (surveillance program) https://en.wikipedia.org/wiki/...

    --
    Domestic spying is now "Benign Information Gathering"
  11. Use youtube-dl for reliability, no ads by KWTm · · Score: 1

    Sometimes I will get various errors. If/when I do, I just use youtube-dl to download the video. (I wonder why my hyperlink doesn't show up in the preceding sentence? Anyway, see "https://rg3.github.io/youtube-dl/" for more info.)

    Advantages:
    - no ads!
    - Allows me to play the video with (S)Mplayer, so I can increase the playback speed by 10% (30% in the case of instructional videos that should have been replaced by a text article in the first place) or 100% if I'm just fast-forwarding looking for an interesting part.
    - Allows me to keep the video, so next time I don't have to stream it again
    - waits till I start the video when I want, as opposed to multiple videos starting simultaneously when I open new tabs for each video in which I am interested. Also does not autostart the next video (which, to be sure, can be turned off on the web page itself, too).

    Disadvantages:
    - it's a command-line interface
    - I got around this by writing a script to grab the URL from the clipboard, so now I just Right-Click on the YouTube link in Firefox, Copy Link Location, and then run my script in bash (a two-key process with UpArrow-Enter).
    - you have to wait for it to finish downloading, so by definition this is not streaming. Generally not a problem for me: I wrote a script to queue the youtube-dl downloads, so that before one video is done downloading, I can stick other videos in the queue. Generally I might stick a dozen or so videos in the queue, and when the first one is done downloading, I start watching while the rest are downloading.

    --
    404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
    [GPG key in journal]