Observation: Youtube Is Now HTTPS – But The Streams Are Not

When I watched a video on Youtube today I noticed that the page's URL was https://www.youtube.com…. Interesting, I thought, it's encrypted now! If the streams are encrypted too, that would have interesting implications for video caching and compression servers in some mobile networks as they would no longer be able to compress and scale videos.

So I ran a quick Wireshark trace to see if the streams themselves were encrypted, too. However, they were not. An interesting implication of this is that the user might get the impression that the session is secure. But as the videos are sent in the clear, it's actually not secure at all. From the outside, it is no longer possible to see what the user is searching for, but which videos are streamed are still visible and can be cached or modified or simply blocked.

As the unencrypted URL requests are requested by the Flash player, there's also no warning that there are "secure and non-secure elements on the web page", as browsers often display when web pages start mixing secure and non-secure content.

From this point of view, I am not sure that it is a good idea to use https for Youtube. It simply gives a wrong impression of security to the user…
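The check from the trace described above (is a given flow encrypted or not?) can be made on the first client payload of each TCP flow. The following is an added example, not code from the original post; the payload bytes, addresses and the `example.test` hostname are constructed for illustration.

```python
import re

# Constructed first client-to-server payloads of three TCP flows
# (not taken from a real capture; hostnames are placeholders).
SAMPLE_FLOWS = {
    # TLS record header + start of a ClientHello (body zero-filled)
    ("10.0.0.2", 50001, 443): bytes.fromhex("160301002a0100002603035f") + b"\x00" * 35,
    # Plain HTTP request: method, target and Host are readable on the wire
    ("10.0.0.2", 50002, 80): (b"GET /video/stream?id=constructed123 HTTP/1.1\r\n"
                              b"Host: stream.example.test\r\n"
                              b"User-Agent: constructed\r\n\r\n"),
    # Something that is neither
    ("10.0.0.2", 50003, 80): b"\x00\x01binary",
}

HTTP_REQ = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]\r\n")

def classify(payload):
    """Decide from the first payload whether a flow starts TLS or cleartext HTTP."""
    # TLS record: type 0x16 (handshake), major version 0x03,
    # two length bytes, then handshake type 0x01 (ClientHello).
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return {"kind": "tls"}
    m = HTTP_REQ.match(payload)
    if m:
        host = None
        header_lines = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")[1:]
        for line in header_lines:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"host":
                host = value.strip().decode("latin-1")
        return {"kind": "http", "method": m.group(1).decode(),
                "target": m.group(2).decode("latin-1"), "host": host}
    return {"kind": "unknown"}

def cleartext_requests(flows):
    """Full URLs that anyone on the path can read (and cache, modify or block)."""
    urls = []
    for _key, payload in sorted(flows.items()):
        info = classify(payload)
        if info["kind"] == "http":
            urls.append(f"http://{info['host']}{info['target']}")
    return urls

if __name__ == "__main__":
    for key, payload in sorted(SAMPLE_FLOWS.items()):
        print(key, classify(payload)["kind"])
    print(cleartext_requests(SAMPLE_FLOWS))
```

For the TLS flow only the handshake is classifiable and the request itself stays hidden, while for the cleartext flow the complete URL of the requested stream is recovered.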

One thought on “Observation: Youtube Is Now HTTPS – But The Streams Are Not”

  1. How about the HTML5 player (youtube.com/html5)?
    Also, would be interesting to see whether HTTP streaming (on mobile devices, e.g. iPhone) eases the encrypted distribution of streaming *content*.
