Google is updating its status on its encryption efforts, reporting that 77% of traffic to its servers uses encrypted connections -- up from slightly more than half two years ago. But despite these efforts, Google acknowledges improvement is still needed across its breadth of products and services.
"Google has been working hard toward our objective of achieving 100% encryption across our products and services," Google noted in its March 15 transparency report posted to its site. Users who see "https" or a padlock used on any website address, versus "http," will know the website is encrypted.
The Internet behemoth’s Gmail is 100% encrypted, a move it began in 2014.
As Google works on its other products and services to support HTTPS encryption, it has had varied results due to technical barriers in supporting encryption that range from older hardware and software that does not support modern encryption technology to some countries and organizations blocking or degrading HTTPS traffic.
Advertising traffic on Google is 77% encrypted, maps are at 83%, Google News 60%, and Google Finance is 58%, according to its transparency report. Google plans to add information about YouTube’s encryption status to its products chart by the end of the year. It notes that it is not included in its overall encryption traffic figures.
Although Google has not achieved 100% encryption on all of its products, security firms applaud the company’s efforts.
"Google's efforts to improve encryption is a positive step in the right direction. Keeping the ever-increasing online communications concealed from cyber-criminals is an essential step it advancing the safety of consumers and businesses alike," Kurt Baumgartner, principal security researcher at Kaspersky Lab, told InformationWeek in an interview.
Meanwhile, Google is using a carrot-and-stick approach to nudge other websites to use encryption. In 2014, Google changed its ranking system that gave preference to websites that use HTTPS encryption, pushing them higher up on the Google search results page. For websites that rely on traffic to help boost their revenues, a high position on a Google search page is critically important.
Learn to integrate the cloud into legacy systems and new initiatives. Attend the Cloud Connect Track at Interop Las Vegas, May 2-6. Register now!
This Google incentive was put into place after it came to light that the National Security Agency was harvesting personal data transmitted over the Internet without users' knowledge via vulnerabilities in unencrypted websites, an Associated Press report notes.
Google also has its list of the top 100 non-Google sites on the Internet and the state of their usage of HTTPS. The company estimates that these 100 websites account for 25% of all worldwide Web traffic, and says that it is working to aid these sites' move to HTTPS by the end of this year.
The list has three categories that a website can fall into, including: The site works on HTTPS, Modern TLS Configuration, and Default HTTPS. Some of the sites that cover all three include Facebook.com, Instagram.com, Linkedin.com, Netflix.com, PayPal.com, Twitter.com, and Yahoo.com.
Amazon.com only works on HTTPS and modern TLS configuration, while Microsoft’s Bing.com search engine and Apple.com only work on HTTPS. Surprisingly, eBay.com offers none of the three.
"Many companies in the IT space, especially those that deal with personal information, have been working hard to ensure that their communications are secured appropriately, especially if the communications contain any type of sensitive information. HTTPS is the most common for Web traffic. The level of achievement varies from company to company," Anthony Merry, director of product management for data protection at Sophos, said in an interview with InformationWeek.
He noted that compliance regarding encryption plays a role in companies adhering to its use. That can serve as a stick, more so than website rankings. For example, Merry pointed out, "banks and websites that accept credit card payments need to keep Web traffic protected, because you don't want the bad guys stealing your credit card details."
[Editor's note: This article has been updated to add Anthony Merry's interview comments.]