Google to enforce HTTPS on TLDs it controls
In its sustained quest to bring encryption to all existing Web sites, Google has announced that it will start enforcing HTTPS for the 45 Top-Level Domains it operates.
How will it do that?
You may or may not know that, since 2015, Google has been offering domain name registration services, and it operates domains such as .google, .how, and .dev (among others).
And now, Google will start adding them to the HTTPS Strict Transport Security (HSTS) preload list.
“The HSTS preload list is built in to all major browsers (Chrome, Firefox, Safari, Internet Explorer/Edge, and Opera). It consists of a list of hostnames for which browsers automatically enforce HTTPS-secured connections,” Ben McIlwain, a software engineer for Google Registry, explained.
“For example, gmail.com is on the list, which means that the aforementioned browsers will never make insecure connections to Gmail; if the user types http://gmail.com, the browser first changes it to https://gmail.com before sending the request. This provides greater security because the browser never loads an http-to-https redirect page, which could be intercepted.”
By adding those TDLs to the list, Google protects visitors of sites parked on them against protocol downgrade and cookie hijacking attacks, and minimizes the possibility of Man in the Middle attacks.
What does this mean for site administrators?
The HSTS preload list can contain individual domains, subdomains and TLDs, but adding these TDLs to them means that any domain name ending in one of these TLDs will automatically gain HTTPS protection.
Naturally, site owners will have to get and configure an SSL certificate for their Web site if they want it to work, but with Let’s Encrypt, a certificate authority initiative backed by Google, the process should be painless and SSL certificates can be had for free.
“Since it typically takes months between adding a domain name to the list and browser upgrades reaching a majority of users, using an already-secured TLD provides immediate protection rather than eventual protection,” McIlwain added.
“We hope to make some of these secure TLDs available for registration soon, and would like to see TLD-wide HSTS become the security standard for new TLDs.”