Naked Security

We’re now encrypting more than 75% of our connections to Google (says Google)

Besides encryption efforts, Google also tracked heavily trafficked sites that aren't encrypting data: think major news sites and porn.

Google is securing 75% of our non-YouTube internet traffic, it said in its latest Transparency Report.

The data is from a new section of its report, which it put out on Tuesday.

The purpose of the new section is to track the progress of encryption efforts, both at Google and on some of the web’s most trafficked sites.

Hence, Google’s giving us a peek at not only the growth of encrypted web traffic, but also at the laggard sites that aren’t employing it.

That includes some of the web’s most trafficked locations: major news sites, for example, where intruders tinkering with content or spying on us could have major repercussions.

From a statement Google put out at the same time as the report:

Our aim with this project is to hold ourselves accountable and encourage others to encrypt so we can make the web even safer for everyone.

A chart in the new encryption progress part of the report shows that the percentage of requests to Google’s servers that used encrypted connections has gradually climbed over the past two years.

In 2014, only 50% of requests handled by Google were encrypted.

The improved percentage, 75%, excludes YouTube traffic, but it does cover sensitive Google products such as Gmail, Drive, Search and, increasingly, Blogger and advertising traffic over HTTPS.

The growth in encrypted web traffic has unfolded in the wake of Edward Snowden’s leaks, which made it clear how pervasive surveillance is and how vital it is to encrypt communications.

Google’s obviously made progress, but that still leaves 25% of traffic “in the clear,” as cryptographers put it.

That encryption is commonly referred to as HTTPS. When a site’s using it, a browser’s address bar will show a padlock.

Without the S added to “HTTP” and the padlock, traffic is traveling without the encryption standard, Transport Layer Security (TLS). It’s important to note that HTTPS isn’t only about confidentiality – which is how most people think of encryption – but also about authenticity and integrity, which in many cases are even more important.

This means that, without HTTPS, eavesdroppers can not only access the data flowing over the internet, seeing everything we do on a site, but can also intercept it and manipulate it.

When traffic is unencrypted, it opens up our online activities to anyone using the same Wi-Fi at the local coffee shop, who can steal our passwords or banking information. It also enables our online activity to be tracked and sold to advertisers by Internet Service Providers (ISPs).

It allows both governments and cybercriminals to keep an eye on what sites we’re visiting and what we’re reading, as well as to alter what we see and where we go, whether that’s to censor content or to divert our banking transactions to the wrong recipients.

Sites that are dropping the ball on HTTPS

Google is now tracking the HTTPS state of the Top 100 non-Google sites on the internet: a list that, it estimates, accounts for about 25% of all website traffic worldwide.

Research the sites on the list before you click, Google warns: there are major porn sites on there, such as xhamster and youporn.

Electronic Frontier Foundation (EFF) global policy analyst Eva Galperin called out many of the sites, including news and porn sites, and the US National Institutes of Health.

Encryption ain’t easy

Google isn’t throwing stones. Implementing HTTPS is no walk in the park, it acknowledged. That’s something it knows from experience.

The company listed some common obstacles:

  • Older hardware and/or software that doesn’t support modern encryption technologies
  • Governments and organizations that may block or otherwise degrade HTTPS traffic
  • Organizations that may not have the desire or technical resources to implement HTTPS

Google’s put together a resource for webmasters to use as they work through encrypting data in transit.

It also points to industry-wide efforts, like EFF’s Encrypt the Web report, that aim to get more of the web under the protection of encryption.

Google “HTTPS Evangelists” Rutledge Chin Feman and Tim Willis had this to say in the company’s statement:

Implementing encryption is not easy work. But, as more people spend more of their time on the web, it’s an increasingly essential element of online security.

The transparency report now also includes a Certificate Transparency log viewer, designed to let users and site administrators easily check to see who’s issued a site’s certificate.

Those certificates are necessary to prove that a site’s legitimate. Unfortunately, in recent years, the HTTPS certificate system has proved to be vulnerable to compromise and manipulation, Google says.

The viewer should provide an easy way to look up a domain’s certificate to see if it’s expired or mis-issued.


Image of Google courtesy of GongTo / Shutterstock.com

1 Comment

Recently I stayed at two Hilton Hotel properties (Hampton Inn) and one Marriott property (Fairmont) during a trip to North Carolina. Both chains, and all three properties, had web portals secured with HTTPS. I can’t speak to other chains, but I was delighted to see this – especially after reading Paul Ducklin’s article regarding non-secure hotel web portals. My MacBook (OS X 10.11.x) and a Nexus 10 tablet (Android 4.4.3) connected flawlessly. My Samsung Galaxy Note 2, due to the tender ministrations of Samsung and T-Mobile, was still running Android 4.4.2 and would not connect. (It’s now running 4.4.4 via CyanogenMod.)
