Google Reports Web Traffic Encryption Progress
Mar 18, 2016 10:29 AM PT
Google this week launched a section of its transparency report to track the progress of efforts to encrypt the Web, by both the company and third-party sites estimated to account for about 25 percent of Web traffic.
The report will be updated weekly with information about progress the company has made toward implementing HTTPS by default across its services.
Gmail, Drive and Search have long been secured with HTTPS, and traffic from products such as ads and Blogger were added over the past year, Google said. It plans to bring other products under HTTPS protection over time.
Implementing HTTPS can be difficult.
"There are a lot of details that you have to get right -- the right version of TLS certificates, HFS with Mozilla," said Peter Eckersley, technology projects director at the Electronic Frontier Foundation.
"We're trying to change the situation," he told TechNewsWorld.
Obstacles to implementing HTTPS include older hardware and software, which don't support modern encryption technologies; governments and organizations that may block or degrade HTTPS traffic; and some organizations' unwillingness or lack of resources to implement HTTPS, Google said.
The Encryption State of Play
As of January, just over 75 percent of requests to Google's servers used encrypted connections, excluding YouTube traffic, Google's statistics show.
Maps was the most encrypted Google product, with 83 percent of Maps traffic being encrypted. Advertising came next with 75 percent, and News and Finance tied at 59 percent.
Among the top 10 countries with encrypted traffic, Mexico led with 86 percent, Brazil was second with 84 percent, and the United States was ninth with 72 percent of request encrypted.
Mobile traffic accounted for 95.5 percent of unencrypted traffic to Google's servers.
Dangers Inherent in Mobility
Mobile devices account for one-third of all Web pages served worldwide, according to Statista.
Most of the unencrypted traffic originates from devices that may no longer be updated and may never support encryption, Google said.
"Only 10 percent of Android phones are encrypted, because Google does not control this," said David Jevans, VP of mobile security at Proofpoint. "It's controlled by the handset maker [and] cannot be fixed because the phone carriers won't take on the burden of validating new Android releases on old phones."
Google is forcing handset manufacturers to turn on encryption by default in the next version of Android, known as "Marshmallow," he told TechNewsWorld.
Possible Solutions to the Mobile Problem
Mobile device insecurity "is a transient condition [because] the replacement cycle for mobile devices Is 24 to 36 months," pointed out Frank Dickson, a research director at Frost & Sullivan. "The issue gets solved simply with the passage of time."
Google is responsible for this problem because "they obviously control the Android platform," he told TechNewsWorld.
"For the really long tail of websites, we need them to ignore the Android 2 series and Windows XP user bases because there's this important security feature inside TLS called SNI that they don't support," the EFF's Eckersley said, referring to the Éclair, Froyo and Gingerbread releases of Android.
SNI makes virtual hosting easier on HTTPS because it adds to the Transport Layer Security handshake the domain name of the host the requester wants to connect to, he said.
There are workarounds. The EFF's Let's Encrypt certificate authority "gives people up to 100 domain names in one certificate, but not everyone wants to do that because it slows things down," Eckersley noted.
Making a Virtue Out of Necessity
"Google's revenues depend on commerce being transacted on the Internet," Dickson asserted. The company's revenues will suffer if the Internet is viewed as unsafe for commerce.
Encryption efforts now better protect people against bulk dragnet surveillance and against hackers on their WiFi connections, "but that's still only maybe 40 percent of traffic," Eckersley noted.
"We've made progress with the big sites -- Google, Facebook, Wikipedia," he said, "but there still are millions more that need to be protected."