March 16, 2016 11:10am
In the wake of the San Bernardino terror attack in the U.S. and the FBI’s continued attempts to compel Apple to add an encryption backdoor to the smartphones it makes, Google has added a new section to its transparency report that outlines how close the company is to encrypting all inbound traffic to its websites and services.
Across all of the company’s products (minus YouTube), approximately 77 percent of incoming traffic was secured using either TLS or SSL during the month of February. TLS and SSL are security protocols that help establish an encrypted connection between a browser or app and a web server. Since 2013, the amount of encrypted traffic has steadily increased. Almost three years ago, little more than half of the server requests Google handled — 54 percent, to be exact — were secured with TLS or SSL.
Canada, however, is behind the curve.
According to Google, only 64 percent of the traffic requests it handled in Canada were encrypted as of February 2016. Out of the top 10 countries by percent of traffic that Google receives, the Great White North had the lowest percentage of encrypted traffic. Leading the pack was Mexico, where about 84 percent of the connections between in-country Google users and the company were encrypted.
The company says a variety of factors influence what percentage of Internet traffic is encrypted in a given country, including the types of devices in use in that country and the availability of software that supports modern security standards like TLS.
One major issue is the distribution (or lack thereof) of modern security software to mobile devices. “The vast majority of unencrypted end user traffic originating from a set of surveyed Google services comes from mobile devices,” says Google. “Unfortunately, these devices may no longer be updated and may never support encryption.”
According to the report, some 95.5 percent of the unencrypted traffic that hits Google’s servers originates from mobile devices. Google doesn’t say it in so many words, but it’s clear the company and its hardware and carrier partners have work to do when it comes to getting Android security updates to users. To its credit, we’ve seen Google rework how it handles mobile security updates after the Stagefright bug gained notoriety this past summer.
When asked to comment on the report, a Google spokesperson said, “encryption is fundamental to online security, and yet many sites — including some from Google — are still not yet served over HTTPS. And, yes, that includes several sites here in Canada. In the interest of making the web safer for everyone, we’re launching this report to inform users about the safety of various popular sites on the web and to encourage site owners to run modern HTTPS by default to maximize safety for their site visitors.”
They added, “the report shows Gmail and Drive are at 100 percent HTTPS. We plan on adding other products to the report in future iterations. Our goal is to serve all of our products over HTTPS. We’re making steady progress towards that goal, but we aren’t there yet.”
If you have a moment, make sure to check out the report’s “HTTPS on Top Sites” section. You may be surprised which popular sites don’t use encryption at all.