For the first time, Google has added an HTTPS report card to its Transparency Report, tracking its progress as it strives toward its stated goal of 100 percent SSL/TLS encryption of data in transit. It also monitors other popular websites’ efforts toward introducing encryption.
As of Feb. 27, 2016, Google was encrypting 77 percent of its users’ queries, according to the report. Exactly two years prior in 2014, only 54 percent of requests to Google’s servers used encrypted connections — a 23 percentage point difference.
Google intends to update its stats on a weekly basis. “Our aim with this project is to hold ourselves accountable and encourage others to encrypt so we can make the web even safer for everyone,” according to a Google security blog post announcing the addition to the report.
The Transparency Report also broke down HTTPS by Google product. All Google Drive, Search and Gmail requests are already HTTPS-encrypted; after that, the next most common Google products to utilize encryption are Maps (83 percent of queries), Advertising (77 percent), News (60 percent) and Finance (58 percent). “We continue to work through the technical barriers that make it more difficult to support encryption on some of our products,” the report said.
Google ad networks have seen the greatest increase in encryption over the last two-plus years — a likely response to the quickly growing malvertising threat. Only nine percent of Google ad requests were encrypted in January 2014, at which time the Advertisement category ranked dead last among Google products.
The company also determined that the vast majority of its unencrypted end user traffic — 95.5 percent — comes from mobile devices. “Some older devices cannot support modern encryption, standards or protocols… Unfortunately, these devices may no longer be updated and may never support encryption,” said the report.
“I’m encouraged by Google’s leadership on web encryption,” said Corey Nachreiner, CTO at WatchGuard. “While they admit they have further to go, I think having 77 percent of your default traffic using HTTPS is a great start, and their tracking shows clear growth. This transparency also helps us identify legacy interoperability issues that may delay this effort.”
Beyond Google, the report grades the top non-Google websites on the Internet, comprising about 25 percent of total web traffic. According to the list, major businesses whose sites do not work on the HTTPS protocol include CNN, eBay, and Yelp. Companies whose websites fared best — because they provide HTTPS by default — include Facebook, LinkedIn, Netflix, PayPal and Twitter.
“I think most site operators now understand that encryption is becoming the standard rather than an optional extra,” said Danny O’Brien, international director at the Electronic Frontier Foundation (EFF), which has strongly advocated HTTPS. “I think it always helps to make the business case, to be able to pull down some hard data to show those making the business decision. That’s what this Transparency Report is most useful for — showing that everybody else is doing it, and showing how bad it makes any website look to be in the diminishing number that aren’t using HTTPS.”
O’Brien also asserted that the most significant aspect of Google’s HTTPS report card is that it highlighted the “next big step in securing the Net, the ‘dark matter’ of unencrypted content online, email traffic… Google has a great way of seeing the general state of this email ecosystem through Gmail. Now we can track what’s happened so far, and how we’re improving.”