Online video viewers now enjoy greater security during their YouTube sessions, in a move that also eliminated many types of errors.
YouTube announced that it now serves 97 percent of its traffic over HTTPS connections. The site has been building to that number over the last two years, YouTube software engineer Sean Watson and product manager Jon Levine announced in a blog post.
“In the real world, we know that any non-secure HTTP traffic could be vulnerable to attackers. All websites and apps should be protected with HTTPS,” the post says.
While YouTube is aiming for 100 percent HTTPS connectivity, it works with some devices that don’t fully support current HTTPS standards. In the interest of user security, YouTube will phase out support for those devices.
Three chief obstacles prevented YouTube from supporting HTTPS sooner. First off, as the leading online video destination YouTube serves a vast amount of traffic. Thanks to widespread hardware acceleration for AES, it was able to encrypt all its videos without adding machines. Second, it needs to support a vast number of devices. YouTube’s engineers performed A/B testing to ensure that HTTPS didn’t lead to poor quality viewing experiences. On the contrary, it found the move nearly eliminated many types of errors. And third, YouTube needs to deal with lots of requests, and was challenged by insecure requests made in secure contexts. These mixed content requests are blocked on the web and on iOS and Android devices.
The post notes that YouTube ads have used HTTPS since 2014, and the site uses HTTP Secure Transport Security (HSTS) to lower the number of HTTP to HTTPS redirects.