News

    David Goldstein - Google Adds HSTS To Its TLDs For A More Secure Internet

    28.11.2017

    Google has upped security for top-level domains, implementing HTTP Strict Transport Security, or HSTS. HSTS prevents people from accidentally navigating to HTTP URLs by automatically converting insecure HTTP URLs into secure HTTPS URLs. In other words, it means an increase in security.

    The planning of the implementation of HSTS has taken time, and even saw Google accidentally breaking their Santa Tracker just before Christmas 2015. Fortunately they fixed it before Santa and his reindeer made their trip!

    Websites that only use HTTP are considered insecure. Google has been encouraging enhanced security for websites, and in 2014 announced they would be adjusting their search engine algorithms so websites using HTTPS would rank higher. The introduction of HSTS is a jump up in security and Google’s use will only encourage others to implement it.

    Initially HSTS was turned on only for google.com and then later gmail.com. It meant that web browsers with the preload list built in, which is all the major web browsers, would never make an insecure connection to those websites.

    Domain name registrants in the TLDs in the HSTS preload list receive guaranteed protection for themselves and their users simply by choosing a secure TLD for their website and configuring an SSL certificate, without having to add individual domains or subdomains to the list. Additionally, Google explains it typically takes months between adding a domain name to the list and browser upgrades reaching a majority of users. But using an already-secured TLD provides immediate protection rather than eventual protection. Adding an entire TLD to the HSTS preload list is also more efficient, as it secures all domains under that TLD without the overhead of having to include all those domains individually.
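
    As an added illustration (not code from Google or from any browser), the sketch below shows why a TLD-level preload entry covers every domain registered under it: the lookup walks from the full hostname up to the TLD. The list contents and the function names `findPreloadEntry` and `upgradeIfPreloaded` are assumptions made for this example.

```javascript
// Constructed, simplified preload list for illustration only. Real browsers
// ship a much larger compiled list; the flags below are assumed values.
const PRELOAD = new Map([
  ["google.com", { includeSubdomains: true }],
  ["gmail.com", { includeSubdomains: true }],
  ["dev", { includeSubdomains: true }], // TLD-level entry
  ["foo", { includeSubdomains: true }], // TLD-level entry
  ["exact.example", { includeSubdomains: false }], // hypothetical host-only entry
]);

// Lowercase the host and drop a trailing root dot so "Shop.Dev." matches "dev".
function normalizeHost(host) {
  return host.toLowerCase().replace(/\.$/, "");
}

// Return the matching list entry name, or null if the host is not covered.
// Matching is label by label, so "mydev" never matches the "dev" entry.
function findPreloadEntry(host) {
  const labels = normalizeHost(host).split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    const entry = PRELOAD.get(candidate);
    // i === 0 is an exact match; parent entries apply only with includeSubdomains.
    if (entry && (i === 0 || entry.includeSubdomains)) return candidate;
  }
  return null;
}

// Rewrite an http:// URL to https:// before any request is made when the
// host is covered by the list. A non-default port is kept as written.
function upgradeIfPreloaded(rawUrl) {
  const url = new URL(rawUrl);
  if (url.protocol !== "http:") return url.href;
  if (findPreloadEntry(url.hostname) === null) return url.href;
  url.protocol = "https:";
  return url.href;
}

console.log(upgradeIfPreloaded("http://shop.dev/cart?x=1"));
console.log(upgradeIfPreloaded("http://example.com/"));
```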

    To encourage use of HSTS, Google has started adding some of its own TLDs to the preload list, making all domain names registered in those TLDs more secure by default. While not available for public registration yet, Google intends to make some of these secure TLDs available for registration soon. Google has been delegated 45 TLDs including .google, .how, and .soy, and to start, Google commenced rolling out HSTS for its .foo and .dev TLDs.