Google adds worldwide HTTPS info to transparency report
Feds want less crypto, Google wants more
Call it another shot in Crypto Wars 2: Google has launched a transparency report specifically to track the progress of the Internet's encryption efforts.
The aim is to support the general push to have encryption available everywhere.
As the Chocolate Factory's security blog post explains, even within the Google universe HTTPS is far short of 100 per cent of traffic.
Excluding YouTube traffic, but with Gmail, Drive, Search and increasingly Blogger and advertising traffic over HTTPS, only 75 per cent of what's served from Google domains is currently encrypted.
Google will be updating that reporting each week, the company says.
The second plank of the strategy is looking at Certificate Transparency: a public search interface letting users check that a certificate is valid and is being used correctly.
While it's a laudable aim, Google's going to have to do more work on this, because the information presented by the Certificate Transparency Log Viewer is far from Joe-Sixpack-friendly – it's what users would see clicking the lock in their browser.
So while it is useful to know that (for example) The Australian Broadcasting Corporation's certificates are current and expire on March 22 of 2016, the report puts it like this:
C=US, O=DigiCert Inc, OU=com.digicert.www, CN=DigiCert SHA2 High Assurance Server CA
A casual "civilian" observer will likely not be able to make head or tail of that line. Knowing that Google's working hard on presenting user security information in a more digestible form in other efforts, The Register expects a bit of UX work to happen in its cert-check Website.
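To show what a more digestible rendering of that issuer line could look like, here is an added example (not from the article, Google, or the log viewer) that splits the quoted distinguished name into labelled fields and copes with backslash-escaped commas inside a value. The label wording in `LABELS` and the function names are this example's own assumptions.

```python
# Added example; LABELS wording and function names are this example's own choices.
LABELS = {
    "C": "Country", "ST": "State or province", "L": "Locality",
    "O": "Organisation", "OU": "Organisational unit", "CN": "Common name",
}


def split_rdns(dn):
    """Split on commas, leaving backslash-escaped commas inside a value."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        step = 2 if dn[i] == "\\" and i + 1 < len(dn) else 1
        if step == 1 and dn[i] == ",":
            parts.append("".join(buf))   # unescaped comma ends this component
            buf = []
        else:
            buf.append(dn[i:i + step])   # escape pairs are kept for unescape()
        i += step
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def unescape(value):
    """Resolve simple escapes such as '\\,'; hex escapes are not handled."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            i += 1                       # skip the backslash, keep next char
        out.append(value[i])
        i += 1
    return "".join(out)


def describe_issuer(dn):
    """Return (label, value) pairs in the order the DN lists them."""
    fields = []
    for rdn in split_rdns(dn):
        key, sep, value = rdn.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"not an attribute=value pair: {rdn!r}")
        key = key.strip().upper()
        fields.append((LABELS.get(key, key), unescape(value.strip())))
    return fields


ISSUER = ("C=US, O=DigiCert Inc, OU=com.digicert.www, "
          "CN=DigiCert SHA2 High Assurance Server CA")  # line quoted in the article

print("\n".join(f"{label}: {value}" for label, value in describe_issuer(ISSUER)))
```

Attribute types missing from `LABELS` are shown under their original short name rather than dropped.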
Here, Google checks the HTTPS status of sites it reckons account for about 25 per cent of traffic on the Internet (including NSFW sites, so for example don't click on the Redtube link at the office).
The page reports on top sites defaulting to HTTPS, sites with HTTPS available but not as the default config, and sites that fail the HTTPS test. The page also lists whether sites are running modern TLS configurations.
The Google blog post also reminds sysadmins that Mountain View is offering advice to help them roll out HTTPS. ®