Google Announced To Enforce HTTPS Connections For 45 TLDs
Google announced that 45 of the top-level domains (TLDs) it recently purchased, including .dev, .app, .eat, and so on, will enforce HTTPS security, guaranteeing that all connections to sites using those TLDs will be over encrypted channels.
And today we’re proud to announce that we are beginning to use another tool in our toolbox, the HTTPS Strict Transport Security (HSTS) preload list, in a new and more impactful way.
What Is HSTS?
HTTP Strict Transport Security (HSTS) is a web security policy that ensures a user will always connect via an encrypted HTTPS channel to a website after the initial connection to that site. If the user then tries to connect to http://gmail.com, for example, the browser will automatically switch to https://gmail.com before sending out the request to Google.
Once the HSTS response header is received by the browser on the first connection, the user can no longer connect to that site using HTTP, which means any downgrade attacks (from HTTPS to HTTP) will also be prevented.
However, because HSTS still normally needs that first connection before it can be enabled in the browser for a given website, a small window of opportunity for an attacker can still exist to launch a man-in-the-middle attack against someone visiting a certain website.
This can be fixed for certain websites, if they are included in the HSTS preload list in the major browsers. Then, the browsers will be able to enforce HTTPS encryption from the very first connection.
HTTPS Enforcement For Entire Domains
Not just domains and subdomains can be included in the HSTS preload lists of a browser, but entire TLDs, too. For instance, if the .com TLD would be included in this list, then nobody would be able to connect to any existing .com website unless they were doing it over HTTPS.
Considering many websites still haven’t even adopted HTTPS yet, let alone mandated the use of HTTPS for their visitors, that’s not possible, at least for the time being. However, this can work for new TLDs, such as .dev and .app, and this is what Google is announcing today.
Google, which has recently purchased 45 TLDs, is now able to enforce HTTPS for those 45 TLDs. As the company has recently become a domain registrar as well, others will soon be able register domains with one of those secure-by-default Google-owned TLDs.
Google also hopes that all owners of other new TLDs will enable HSTS by default, which would ensure that all new websites using such TLDs will always connect via HTTPS.