Google Reports Web Traffic Encryption Progress

Print Version
Share to a friend

Google this week launched a section of its transparency report to track the progress of efforts to encrypt

the Web, by both the company and third-party sites estimated to account for about 25 percent of Web



The report will be updated weekly with information about progress the company has made toward

implementing HTTPS by default across its services.


Gmail, Drive and Search have long been secured with HTTPS, and traffic from products such as ads and

Blogger were added over the past year, Google said. It plans to bring other products under HTTPS

protection over time.


Implementing HTTPS can be difficult.


“There are a lot of details that you have to get right — the right version of TLS certificates, HFS with

Mozilla,” said Peter Eckersley, technology projects director at the Electronic Frontier Foundation.


“We’re trying to change the situation,” he told TechNewsWorld.


Obstacles to implementing HTTPS include older hardware and software, which don’t support modern

encryption technologies; governments and organizations that may block or degrade HTTPS traffic; and

some organizations’ unwillingness or lack of resources to implement HTTPS, Google said.


The Encryption State of Play


As of January, just over 75 percent of requests to Google’s servers used encrypted connections, excluding

YouTube traffic, Google’s statistics show.


Maps was the most encrypted Google product, with 83 percent of Maps traffic being encrypted.

Advertising came next with 75 percent, and News and Finance tied at 59 percent.


Among the top 10 countries with encrypted traffic, Mexico led with 86 percent, Brazil was second with

84 percent, and the United States was ninth with 72 percent of request encrypted.


Mobile traffic accounted for 95.5 percent of unencrypted traffic to Google’s servers.


Dangers Inherent in Mobility


Mobile devices account for one-third of all Web pages served worldwide, according to Statista.


Most of the unencrypted traffic originates from devices that may no longer be updated and may never

support encryption, Google said.


“Only 10 percent of Android phones are encrypted, because Google does not control this,” said David

Jevans, VP of mobile security at Proofpoint. “It’s controlled by the handset maker [and] cannot be fixed

because the phone carriers won’t take on the burden of validating new Android releases on old phones.”


Google is forcing handset manufacturers to turn on encryption by default in the next version of Android,

known as “Marshmallow,” he told TechNewsWorld.


Possible Solutions to the Mobile Problem


Mobile device insecurity “is a transient condition [because] the replacement cycle for mobile devices Is

24 to 36 months,” pointed out Frank Dickson, a research director at Frost & Sullivan. “The issue gets

solved simply with the passage of time.”


Google is responsible for this problem because “they obviously control the Android platform,” he told



“For the really long tail of websites, we need them to ignore the Android 2 series and Windows XP user

bases because there’s this important security feature inside TLS called SNI that they don’t support,” the

EFF’s Eckersley said, referring to the Éclair, Froyo and Gingerbread releases of Android.


SNI makes virtual hosting easier on HTTPS because it adds to the Transport Layer Security handshake

the domain name of the host the requester wants to connect to, he said.


There are workarounds. The EFF’s Let’s Encrypt certificate authority “gives people up to 100 domain

names in one certificate, but not everyone wants to do that because it slows things down,” Eckersley



Making a Virtue Out of Necessity


“Google’s revenues depend on commerce being transacted on the Internet,” Dickson asserted. The

company’s revenues will suffer if the Internet is viewed as unsafe for commerce.


Encryption efforts now better protect people against bulk dragnet surveillance and against hackers on

their WiFi connections, “but that’s still only maybe 40 percent of traffic,” Eckersley noted.


“We’ve made progress with the big sites — Google, Facebook, Wikipedia,” he said, “but there still are

millions more that need to be protected.”