YouTube embedding via HTTPS...

August 26, 2011 – tagged YouTube, IT Security a joke.

The problem with embedding YouTube videos, e.g. using this code

<iframe width="560" height="345" src="" frameborder="0" allowfullscreen></iframe>

is that when used from within an HTTPS-encrypted website, the browser will usually display a warning that the site contains unencrypted content. Most browsers display that content anyway, as otherwise it would make many HTTPS sites unusable.

However, one of the core ideas of SSL connections is not only that the transmitted data is encrypted, but that it is also signed, i.e. no one can undetectedly change the traffic between server and client. In that sense, displaying data coming 1. unencrypted and 2. from a different server than the original one is one of the worst things a browser can do to weaken the security provided by SSL. In particular, once the user is accustomed to that 'the page contains insecure items' warning, he won't care about it any more when it appears, e.g., during online banking.

To attack those issues, one can select "Use HTTPS" when generating the embed code for a YouTube video, which results in the following code:

<iframe width="560" height="345" src="" frameborder="0" allowfullscreen></iframe>

This is the same code, just that it uses https. However, the SSL certificate used by is only valid for * At least in Chromium, this leads to 1. the warning about insecure content on the page still being displayed, and 2. instead of displaying the video, “Fehler 501 (net::ERR_INSECURE_RESPONSE)” is shown. On the YouTube help page, it says: “It is important to note that while embed components are all supported using HTTPS and do not generate the mixed content error, we do not yet support video streams over HTTPS.”

Well done, Google, this is indeed a great way to make the internet more secure...