Google Forcing HTTPS Connections for 45 TLDs with HSTS


All 45 TLDs that Google owns will automatically support HTTP Strict Transport Security.

Google is continuing its push for universal encryption by requiring secure connections for all 45 Top Level Domains (TLDs) under its control. The TLD is the last part of a domain name (.com, .org, etc.).

To secure all 45 of its TLDs, Google will use HSTS or HTTP Strict Transport Security.

Google has been pushing for universal encryption, or HTTPS Everywhere, since at least 2010, when it moved Gmail to HTTPS. In the last year it has really ramped up the pressure on individual websites to adopt SSL and encrypt their traffic. Starting in 2018, Google will place an indicator that says “Not Secure” in the address bar every time someone visits a site that’s still served over HTTP.

There’s a lot to unravel here, including what the advantages are and why this makes Google a more attractive domain registrar as a result. Let’s start at the top.

What is HTTP Strict Transport Security?

Without getting too technical, HSTS is a mechanism that forces web browsers to only make connections to your site via HTTPS. There’s also something called the HSTS preload list: it ships with the browsers themselves and tells them to enforce HTTPS connections to the listed sites automatically. This adds a layer of security because it prevents downgrade attacks.

Here’s the thing though: when a browser receives a website’s HSTS header – meaning the site owner has enabled HTTP Strict Transport Security – it updates its HSTS list so that a plain HTTP connection is never made to that website again. But on that first encounter, before the browser has received the header, you’re still vulnerable. That’s a tiny window, but a vulnerability nonetheless.

Google has basically solved this problem for all of its TLDs.

What’s the advantage of putting an entire TLD on the HSTS preload list?

The HSTS preload list can contain domains, subdomains and TLDs. Until 2015 nobody had tried to add a TLD; then Google added the eponymous .google. Now it has added its other 44 TLDs. There are myriad advantages to this.

For starters, by placing all of its TLDs on the list, the browser will automatically enforce HTTPS connections to any domain with that TLD—provided the site has installed an SSL certificate. This removes the risk of an attack when a user makes a first-time connection because, by default, the domain is already on the preload list at the TLD level.
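To make the two mechanisms above concrete, here is a small Python model, added to this post and not code from the article or from any browser vendor: a browser that learns HSTS from the Strict-Transport-Security header on an earlier HTTPS response (the max-age and includeSubDomains directives are the real ones from RFC 6797), plus a static preload list that can hold a whole TLD. The preload entries, hostnames and responses are constructed for the demonstration; the real preload list is maintained in Chromium and submissions go through hstspreload.org.

```python
"""Toy model of browser HSTS handling: dynamic policies learned from the
Strict-Transport-Security header, plus a static preload list whose entries
may be single hosts, subdomain trees, or entire TLDs (constructed example)."""
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed, simplified preload list. The TLD entry mirrors the shape of a
# TLD-level preload (".google" covers every name under it); the host entry
# is a made-up example and not a real preload submission.
PRELOAD = {
    "google": {"include_subdomains": True},        # entire TLD (constructed)
    "example.org": {"include_subdomains": False},  # single host (constructed)
}


@dataclass
class HstsPolicy:
    expires_at: float          # absolute time after which the policy lapses
    include_subdomains: bool   # whether the policy also covers subdomains


def parse_sts_header(value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value (RFC 6797 directives).
    Returns None when the header is unusable (no valid max-age)."""
    max_age = None
    include_sub = False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(val.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None or max_age < 0:
        return None
    return HstsPolicy(expires_at=time.time() + max_age, include_subdomains=include_sub)


class Browser:
    def __init__(self) -> None:
        self.dynamic: Dict[str, HstsPolicy] = {}  # host -> policy learned from headers

    def receive_response(self, host: str, scheme: str, headers: Dict[str, str]) -> None:
        """Record an HSTS policy from a response. RFC 6797 says the header is
        only honoured when it arrives over a secure (HTTPS) connection."""
        if scheme != "https":
            return
        lowered = {k.lower(): v for k, v in headers.items()}
        value = lowered.get("strict-transport-security")
        if value is None:
            return
        policy = parse_sts_header(value)
        if policy is None:
            return
        if policy.expires_at <= time.time():   # max-age=0 tells the browser to forget
            self.dynamic.pop(host.lower(), None)
        else:
            self.dynamic[host.lower()] = policy

    def is_hsts_host(self, host: str) -> bool:
        """Walk from the full hostname up to the TLD, checking the preload list
        and learned policies at each level. A parent entry only applies to the
        child when it carries include_subdomains."""
        labels = host.lower().split(".")
        now = time.time()
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            exact = i == 0
            entry = PRELOAD.get(candidate)
            if entry and (exact or entry["include_subdomains"]):
                return True
            pol = self.dynamic.get(candidate)
            if pol and pol.expires_at > now and (exact or pol.include_subdomains):
                return True
        return False

    def navigate(self, url: str) -> str:
        """Return the URL the browser would actually request: http:// is
        rewritten to https:// whenever the host is covered by HSTS."""
        scheme, _, rest = url.partition("://")
        host = rest.split("/", 1)[0]
        if scheme == "http" and self.is_hsts_host(host):
            return "https://" + rest
        return url


if __name__ == "__main__":
    b = Browser()
    # First-ever visit under a preloaded TLD is upgraded with no prior header.
    print(b.navigate("http://shop.google/"))
    # First-ever visit to an unlisted host stays on HTTP: the window the post describes.
    print(b.navigate("http://www.example.com/"))
    b.receive_response("www.example.com", "https",
                       {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    print(b.navigate("http://www.example.com/login"))
```

The model also shows why the dynamic route is weaker than preloading: a header received over plain HTTP is ignored, and a learned policy lapses once its max-age runs out unless the site keeps sending the header, whereas the preload entry for the TLD applies before the browser has ever talked to the site.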

There’s also the fact that getting on the HSTS preload list can take months. By placing its TLDs on the preload list, Google has given site owners one less thing to worry about. It has also made itself a lot more attractive as a domain registrar. Of course, only three of these TLDs are active – .google, .how and .soy – with a fourth, .app, slated to come online soon.

But this will probably set a trend. With SSL fast becoming a requirement, enhancing your SSL offering (by, for instance, guaranteeing a spot on the HSTS preload list) is more important than ever. Expect to see more domain registrars trying to add entire TLDs to the list.

What we Hashed Out (for Skimmers)

Here’s what we covered in today’s discussion:

  • Google is enforcing secure connections for all 45 TLDs it owns by adding them to the HSTS preload list
  • The HSTS preload list tells browsers to automatically enforce HTTPS connections with the listed sites
  • When a TLD is added to the list, all websites with that TLD automatically make secure connections
Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.