Secure speed tests

TL;DR

Almost all speed tests enforce a secure connection. Most speed tests use TLS 1.3. It is striking that Google Fiber does not use a secure connection.

 

Contents

  1. Introduction
  2. Method of measurement
  3. Speed tests to test
  4. The measurements
  5. Conclusions
 

Introduction

Secure speed tests are speed tests that use encryption for data transport. The recommended encryption standards for websites are TLS versions 1.2 and 1.3.

The URL of a secure speed test starts with https://.

Note that most browsers inform you when a website is not secure.

 

Method of measurement

For this test, we first check whether the speed test enforces the use of a security protocol. We then look at the Security tab of the Google Chrome developer tools to see which security protocol is being used.

The test is invoked after loading the homepage and accepting cookies.
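
The two checks described above can also be scripted. The following is an added example, not part of the original measurement: it uses Python's standard library, its function names are illustrative, and it reports only the protocol version and cipher suite, not the key-exchange group that Chrome shows.

```python
# Added example: helper names are illustrative and do not come from the page.
import http.client
import socket
import ssl
import sys
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def redirects_to_https(status, location):
    """True if a plain-HTTP response sends the client to an absolute https:// URL."""
    return (status in REDIRECTS and bool(location)
            and urlsplit(location.strip()).scheme == "https")

def classify(status, location, tls_version):
    """Map one host's observations onto the three outcomes used in the list."""
    if tls_version is None:
        return "HTTPS is not enforced. This page is not secure"
    if redirects_to_https(status, location):
        return "HTTPS is enforced"
    return "HTTPS is not enforced when the URL starts with http://"

def probe_http(host, timeout=5.0):
    """Request http://host/ without following redirects; errors propagate."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def probe_tls(host, timeout=5.0):
    """Return (protocol, cipher) of a certificate-verified handshake, else (None, None)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except (OSError, ssl.SSLError):
        return None, None

def check(host):
    version, cipher = probe_tls(host)
    return classify(*probe_http(host), version), version, cipher

if __name__ == "__main__":
    for name in sys.argv[1:]:  # host names are passed on the command line
        print(name, *check(name), sep="\t")
```

Chrome can also end up on HTTPS through an HSTS entry or a script-driven redirect, which this HTTP-level check does not see, so a browser observation and the script can disagree.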

 

Speed tests to test

Because this is a relatively simple test, the unique speed tests as collected at ZOMDir will be tested.

 

The measurements

  1. Astound speedtest: HTTPS is not enforced. This page is not secure
  2. Bandwidth Place: HTTPS is enforced. The protocols used are: TLS v1.3, X25519, AES_128_GCM
  3. Bredbandskollen: HTTPS is enforced. The protocols used are: TLS v1.3, X25519, AES_128_GCM
  4. Broadband Speed Checker: HTTPS is enforced. The protocols used are: QUIC, X25519, AES_128_GCM
  5. Cloudflare: HTTPS is enforced. The protocols used are: TLS v1.3, X25519, AES_128_GCM
  6. Comparitech: HTTPS is enforced. The protocols used are: TLS v1.3, P-256, AES_128_GCM
  7. DSLReports: HTTPS is not enforced when the URL starts with http://. The protocols used are: TLS v1.2, ECDHE_RSA with P-256, AES_256_GCM
  8. Fast: HTTPS is enforced. The protocols used are: TLS v1.2, ECDHE_RSA with P-256, AES_256_GCM
  9. Fireprobe: HTTPS is enforced. The protocols used are: TLS v1.3, X25519, AES_256_GCM
  10. Google Fiber: HTTPS is not enforced. This page is not secure
  11. Internet Speed at a Glance: HTTPS is enforced. The protocols used are: TLS v1.3, X25519, AES_128_GCM
  12. LibreSpeed: HTTPS is enforced. The protocols used are: TLS v1.3, X25519, AES_128_GCM
  13. M-Lab: HTTPS is enforced. The protocols used are: TLS v1.3, X25519, AES_128_GCM
  14. Meter.net: HTTPS is enforced. The protocols used are: TLS v1.3, X25519, AES_128_GCM
  15. N Perf: HTTPS is enforced. The protocols used are: TLS v1.3, X25519, AES_256_GCM
  16. Ookla Speedtest: HTTPS is enforced. The protocols used are: TLS v1.3, X25519, AES_128_GCM
  17. Open Speed Test: HTTPS is enforced. The protocols used are: TLS v1.3, X25519, AES_256_GCM
  18. SamKnows: HTTPS is not enforced when the URL starts with http://. The protocols used are: TLS v1.2, ECDHE_RSA with P-256, AES_128_GCM
  19. SpeedCheck: HTTPS is enforced. The protocols used are: TLS v1.2, ECDHE_RSA with P-256, AES_256_GCM
  20. SpeedOf.me: HTTPS is enforced. The protocols used are: TLS v1.2, ECDHE_RSA with P-256, AES_128_GCM
  21. SpeedOf.me API Sample Page: HTTPS is enforced. The protocols used are: TLS v1.2, ECDHE_RSA with P-256, AES_128_GCM
  22. SpeedSmart: HTTPS is enforced. The protocols used are: TLS v1.3, X25519, AES_128_GCM
  23. Speedtest4.PHP: HTTPS is not enforced when the URL starts with http://. The protocols used are: TLS v1.3, X25519, AES_256_GCM
  24. TestMy.net: HTTPS is enforced. The protocols used are: QUIC, X25519, AES_128_GCM
  25. Toast: HTTPS is enforced. The protocols used are: TLS v1.3, X25519, AES_128_GCM
  26. Which Broadband Speed Test: HTTPS is enforced. The protocols used are: TLS v1.3, X25519, AES_256_GCM
  27. Xfinity xFi Speed Test: HTTPS is enforced. The protocols used are: TLS v1.3, X25519, AES_256_GCM

Some examples

Here are some screenshots of Google Chrome's developer tools:

[Screenshot: the "not secure" indication in the Google Chrome address bar. Caption: Google Fiber is not secure]

[Screenshot: the security results for fast.com in Google Chrome's developer tools. Caption: Fast uses TLS v1.2]

[Screenshot: the security results for speedtest.net in Google Chrome's developer tools. Caption: Speedtest.net uses TLS v1.3]

[Screenshot: the security results for testmy.net in Google Chrome's developer tools. Caption: TestMy.net uses QUIC]

 

Conclusions

There are 2 speed tests that are not secure. It is notable that the Google Fiber speed test does not support a security protocol such as TLS, especially since Google treats the use of HTTPS as a ranking signal.

There are 3 speed tests that do not enforce the use of HTTPS when the URL starts with http://.

There are 2 speed tests that are using QUIC. Security is an intrinsic part of the QUIC protocol. This is because the transport security used in QUIC is TLS 1.3.

There are 6 speed tests that are using TLS v1.2.

There are 17 speed tests that are using TLS v1.3.

Most speed tests enforce the use of HTTPS and use a common standard (QUIC, TLS v1.2 and TLS v1.3). DSLReports, SamKnows and Speedtest4.PHP do not enforce the use of HTTPS when the URL starts with http://.

Astound and Google Fiber don't support HTTPS at all.