This article was published on March 16, 2016

Google admits 25% of its traffic isn’t encrypted


Google admits 25% of its traffic isn’t encrypted

Google’s making big efforts to offer secure products, as well as nudging the companies that use its infrastructure, so that you can use the Web without having to worry.

But it’s revealed that it, and some of the world’s biggest websites, are failing to encrypt.

According to its new Transparency Report that analyzes HTTPS usage, Google itself is only around 75 percent compliant today, demonstrating significant “technical barriers that make it more difficult to support encryption” even for one of the world’s most sophisticated Web companies.

While Gmail, Search and Drive, you’ll be relieved to hear, are delivered entirely over secure HTTPS, the company is still battling to offer full encryption across all of the remaining products it’s tracking.

Google Transparency HTTPS
Credit: https://www.google.com/transparencyreport/https/?hl=en

Ads and maps are two that haven’t yet reached 100 percent. The latter could be bad news for people who assume their location data is encrypted when it’s transmitted over the Web.

The company cites both “technical and political challenges” in its fight to secure the Web, including use of older hardware and software that does not support modern encryption, countries or organizations blocking HTTPS and a lack of technical ability to implement. But by far the largest reason for this problem is the growth in mobile usage.

Google Transparency HTTPS
Credit: Google

But that’s not the scariest part.

Google has also analyzed the top 100 non-Google sites – representing 25 percent of all Web traffic – and found the likes of payments sites like eBay, the BBC, plus more than 60 others leaving users vulnerable by not using HTTPS as standard.

The list of offenders also includes Alibaba, CNN, Craigslist, the New York Times, Yelp and, perhaps less surprisingly, many porn sites, none of which are using the secure protocols that Google says: “makes it difficult for Internet Service Providers, governments and others to watch what you’re doing online.”

As the Security Metrics blog explains:

If you are just browsing the web, looking at cat memes and dreaming about that $200 cable knit sweater, HTTP is fine. However, if you’re logging into your bank or entering credit card information in a payment page, it’s imperative that URL is HTTPS. Otherwise, your sensitive data is at risk.

Google has offered to help make these sites compliant by the end of 2016, as well as offering resources for webmasters and backing campaigns like ‘Encrypt the Web’ from the Electronic Frontiers Foundation.

Securing the web, together [Google via The Register]

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with