
Why does YouTube not support http? - ausjke
youtube is https-only these days, for a video site why do we need https? yes login page etc needs to be ssl-protected, but what's the point of free video streaming under https? not to mention you can download those videos easily.
======
seanwilson
The top answer here is good:
http://security.stackexchange.com/questions/258/what-are-the-pros-and-cons-of-site-wide-ssl-https

"Since most of the other answers here deal with the downsides of site-wide SSL
(mainly performance issues - btw these can easily be mitigated by offloading
the SSL termination, either to an SSL proxy box, or an SSL card), I will point
out some issues with having only the login page over SSL, then switching to
non-SSL:

- The rest of the site is not secured (though this is obvious, sometimes the
focus is too much on just the user's password).

- The user's session id must be transmitted in the clear, allowing it to be
intercepted and used, and thus enabling the bad guys to impersonate your
users. (This is mostly what the Firesheep hubbub was about).

- Because of the previous point, your session cookies cannot be marked with
the secure attribute, which means that they can be retrieved in additional
ways.

- I have seen sites with login-only-SSL, and of course neglect to include in
that the Forgot-password page, the Change-password page, and even the
Registration page...

- The switch from SSL to non-SSL is often complicated, can require complex
configuration on your webserver, and in many cases will pop up a scary message
for your users.

- If it's ONLY the login page, and f.e. there is a link to the login page
from your site's home page - what is to guarantee that someone won't
spoof/modify/intercept your homepage, and have it point to a different login
page?

- Then there is the case where the login page itself is not SSL, but only the
SUBMIT is - since that's the only time the password is sent, so that should be
safe, right? But in truth that removes from the user the ability to ensure
ahead of time that the password is being sent to the correct site, until it's
too late. (E.g. Bank of America, and many others)."

I imagine top YouTube contributors would be pretty annoyed if their account
got hijacked.

~~~
ausjke
isn't youtube's content mostly if not all freely accessible already? the
premium portion can be hosted as ssl-only, what about the rest 99% of the
content that is public already, why do we need care about hijacking in this
case?

~~~
seanwilson
For the extra complication of making a mixed HTTP and HTTPS site, what benefit
are you gaining?

~~~
ausjke
nginx and apache can support http/https in parallel fairly easily, not much
extra complication per se. the benefits are listed in a post below.

I was chatting with a youtube engineer last night and she told me that she
does not recall a wide discussion on disabling http fully, I thus submitted a
request in youtube's forum and see how it goes.

~~~
seanwilson
> nginx and apache can support http/https in parallel fairly easily, not much
> extra complication per se. the benefits are listed in a post below.

There are extra complications besides the server setup. For example, it's
harder to avoid mixed content errors on HTTPS pages, you couldn't just use the
"secure" flag on all cookies and you need to be careful not to send passwords
or session data over HTTP. Many sites have login forms on HTTP pages that then
send you over to the HTTPS site for example but this isn't secure.

Not saying it has no benefits, but mixing HTTP and HTTPS does have
complications.

> I was chatting with a youtube engineer last night and she told me that she
> does not recall a wide discussion on disabling http fully, I thus submitted
> a request in youtube's forum and see how it goes.

Great, I'd be interested to know the reason as well.
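
As an added illustration of the complications listed in the comment above (not part of the original thread or any participant's code): a small Python check that flags cookies without the Secure attribute, HTTP subresources on an HTTPS page, and password forms served or submitted over HTTP. The `site.example` and `cdn.example` URLs, cookie values and HTML are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _PageScan(HTMLParser):
    """Collect subresource URLs, form actions, and whether a password field exists."""
    def __init__(self):
        super().__init__()
        self.subresources, self.form_actions, self.has_password = [], [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe", "video", "audio", "source") and a.get("src"):
            self.subresources.append(a["src"])
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower() and a.get("href"):
            self.subresources.append(a["href"])
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True

def audit(page_url, set_cookie_headers, html):
    """Return a list of findings for one response on a mixed HTTP/HTTPS site."""
    findings = []
    page_is_https = urlsplit(page_url).scheme == "https"
    for header in set_cookie_headers:
        name = header.split("=", 1)[0].strip()
        attrs = [p.strip().lower() for p in header.split(";")[1:]]
        if "secure" not in attrs:  # cookie would also be sent on plain-HTTP requests
            findings.append(f"cookie {name} lacks Secure")
    scan = _PageScan()
    scan.feed(html)
    if page_is_https:  # browsers block or warn on http:// subresources here
        for src in scan.subresources:
            if urlsplit(urljoin(page_url, src)).scheme == "http":
                findings.append(f"mixed content: {src}")
    if scan.has_password:
        if not page_is_https:  # the form itself can be rewritten in transit
            findings.append("password form served over HTTP")
        for action in scan.form_actions:
            if urlsplit(urljoin(page_url, action)).scheme == "http":
                findings.append(f"form posts over HTTP: {action}")
    return findings

# Constructed samples (not captured traffic).
HTTP_LOGIN = ("http://site.example/", ["SID=abc123; Path=/; HttpOnly"],
              '<form action="https://site.example/login"><input type="password" name="p"></form>')
HTTPS_PAGE = ("https://site.example/watch", ["SID=abc123; Path=/; Secure; HttpOnly"],
              '<script src="http://cdn.example/player.js"></script><img src="/thumb.png">')
```

The first sample is the "login form on an HTTP page that submits to HTTPS" case: the form action is HTTPS, yet the page is still flagged because the form is delivered unprotected.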

------
detaro
Even if they just sent the video stream itself over HTTP and did everything
else via HTTP, now intermediaries could monitor what you are watching and
block content selectively.

The pages themselves are so interlinked with account info & access ... that
they really shouldn't be loaded without HTTPS. And weird mixes of HTTP and
HTTPS are a pain to make work, because browsers rightfully block mixed-content
and it's way too easy to make security mistakes. Easier to just slap TLS on
everything and be done with it.

Don't forget that loading a single page over HTTP gives a perfect entry-point
for MITM attacks to redirect to e.g. a faked copy of youtube that steals data.

What downside does HTTPS for everything have for you?

~~~
ausjke
I'm not against https at all, but I do think having http-support in parallel is
useful in some cases, and there is no cost to do that (i.e. support both
http/https as google.com does).

the benefit of having http:

1. corporate proxy can filter youtube

2. we can do content-filter for kids browsing

3. better caching support in proxy

4. much less demanding on hardware, ssl is very cpu intensive etc

~~~
staunch
Many people _are_ against HTTP. It's out-dated technology that leaves users
vulnerable.

1. There are more effective methods.

2. There are more effective methods.

3. Not useful for long-tail and no one wants modified videos.

4. The additional overhead is an insignificant cost, even to YouTube.

Your reasons for wanting HTTP are the same reasons YouTube uses HTTPS. They
don't want third-party blocking, tracking, interception, or modification.
YouTube is doing what their _users_ want by protecting them.

In 2016, any company that doesn't use HTTPS everywhere is probably
incompetent.

~~~
ausjke
https is quite computation-intensive and it has its additional cost to
hardware, by offering http in parallel that might mitigate the pressure a bit
when https is unneeded.

when content filtering is mandated (corporate, school, church, etc), they're
going to do it anyway, just need more powerful router/firewall/proxy in the
middle, if http is available it will ease that to a great deal.

for people who need security, just use https by default, for people who prefer
http sometimes, they will have the optional choice, just like what google.com
does now.

~~~
staunch
1. The additional cost is insignificant thanks to increases in CPU
performance. The cost of 60 fps 4K videos is also high, and YouTube does this
as well. You're confused about how good companies view costs and benefits.

2. Content filtering can be done in other ways, more effectively. HTTPS does
not prevent this.

3. Everyone needs security and privacy.

You don't seem interested in learning, so I'm done trying. Keep believing
whatever you want while the entire web moves to HTTPS-only for very obvious
reasons.

------
smt88
As far as HTTPS improves privacy, all sites need it. It's not up to a company
to decide what parts of browsing should or shouldn't be private. There are
families/societies where watching certain YouTube videos could lead to being
jailed or killed. Users shouldn't be bothered by paying attention to the
status bar on every site -- we should just protect them by default.

------
insoluble
In addition to what else has been said so far, some videos are private, and
making those videos interceptable would allow unauthorised access. Moreover,
YouTube is not used only for entertainment. Unlike standard television, where
the content is essentially chosen and pushed to you, YouTube involves pulling
specifically that content on those topics which you want personally. Also
unlike standard television, a greater portion of the content is controversial,
biased, or sensitive. Similar to the idea of plausible deniability, making the
site HTTPS-only allows people not to feel ashamed of viewing with SSL.
Otherwise, we would have the classic problem of those using encryption being
seen as suspicious or shady, which would prevent people from seeking the
information they truly want. In a world where all your thoughts are being
monitored at all times, you have no free thought.

------
ausjke
not to mention video-https is very cpu-intensive, unnecessary in my opinion.

