Google Forcing HTTPS Connections for 45 TLDs with HSTS
All 45 TLDs that Google owns will automatically support HTTP Strict Transport Security.
Google is continuing its push for universal encryption by requiring secure connections to every domain under all 45 Top Level Domains (TLDs) it controls. The TLD is the final label of a domain name (.com, .org, etc.).
To do that for all 45 of its TLDs, Google is using HSTS, or HTTP Strict Transport Security, and specifically the browser HSTS preload list.
Google has been pushing for universal encryption, or HTTPS Everywhere, since at least 2010 when it moved Gmail to HTTPS. In the last year it has really ramped up the pressure on individual websites to adopt HTTPS. Starting in 2018, Chrome will label every site that is still served over plain HTTP as "Not Secure" in the address bar.
There’s a lot to unravel here, including what the advantages are and why this makes Google a more attractive domain registrar as a result. Let’s start at the top.
What is HTTP Strict Transport Security?
Without getting too technical, HSTS (defined in RFC 6797) is a mechanism by which a site tells browsers to only ever connect to it via HTTPS. The site sends a Strict-Transport-Security response header over HTTPS, and from then on the browser rewrites any http:// request for that host to https:// before it ever leaves the machine. Separately, browsers ship with an HSTS preload list: a hard-coded list of hosts the browser treats as HSTS hosts even if it has never visited them. Both close off downgrade attacks (SSL stripping), where an attacker on the network keeps the victim on plain HTTP.
Here's the thing though: the browser only learns a site's HSTS policy when it receives the header, meaning the site owner has enabled HTTP Strict Transport Security, and it then records the host in its HSTS cache for as long as the header's max-age says (a year or more is typical, renewed on every response). So on that first encounter, before the browser has received the header, a plain HTTP request can still go out and be intercepted. That's a tiny window, but a vulnerability nonetheless, and it reopens if the policy is ever allowed to expire.
Google has basically solved this problem for all of its TLDs
What’s the advantage of putting an entire TLD on the HSTS preload list?
The HSTS preload list can contain domains, subdomains and entire TLDs. Until 2015 nobody had tried to add a TLD; then Google added the eponymous .google. Now it has added its other 44 TLDs. There are myriad advantages to this.
For starters, by placing all of its TLDs on the list, Google makes the browser enforce HTTPS for every domain under those TLDs, whether or not the domain's owner has ever sent an HSTS header. A domain under one of them that has no valid certificate simply won't load; the browser never falls back to plain HTTP. This removes the first-connection window entirely, because the domain is already covered by the preload entry at the TLD level before anyone visits it.
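To make the two mechanisms above concrete (the header-driven HSTS cache with its first-visit gap and expiry, and the preload list with entries for whole TLDs), here is an added example that is not code from the original post, from Google, or from any browser. It is a small Python model of a browser's HSTS decision: it parses the Strict-Transport-Security header into a per-host cache, consults a constructed preload list whose entries may be bare TLDs, and upgrades http:// navigations accordingly. The preload entries, host names, the `Browser` class and the injectable clock are all made up for illustration; ports and IP-literal hosts are deliberately not handled.

```python
"""Toy model of how a browser applies HSTS.

The Strict-Transport-Security response header populates a per-host cache,
and the built-in preload list (which may contain whole TLDs) covers hosts
the browser has never seen.  Constructed example, not browser code.
"""
import re
import time
from dataclasses import dataclass

# Constructed preload list.  Real entries come from hstspreload.org; a bare
# TLD entry such as "google" covers every name ending in ".google".
PRELOAD = {
    "example-preloaded.com": {"include_subdomains": True},
    "google": {"include_subdomains": True},
    "app": {"include_subdomains": True},
}


@dataclass
class HstsEntry:
    expires: float            # absolute time after which the entry is dropped
    include_subdomains: bool


def parse_sts(header):
    """Parse a Strict-Transport-Security header value (RFC 6797 section 6.1).

    Returns (max_age_seconds, include_subdomains), or None when the header
    is malformed (no usable max-age), in which case a browser ignores it.
    """
    max_age = None
    include_subdomains = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


def _labels(host):
    return host.lower().rstrip(".").split(".")


def _suffix_match(host, entry_host, include_subdomains):
    """True if host equals entry_host, or is a subdomain of it and the entry
    carries includeSubDomains (RFC 6797 section 8.2 superdomain matching)."""
    h, e = _labels(host), _labels(entry_host)
    if h == e:
        return True
    return include_subdomains and len(h) > len(e) and h[-len(e):] == e


class Browser:
    def __init__(self, preload=PRELOAD, now=time.time):
        self.preload = preload
        self.now = now          # injectable clock so expiry can be tested
        self.cache = {}         # host -> HstsEntry learned from headers

    def receive_header(self, host, header):
        """Record the policy from a response.  Only call this for responses
        received over HTTPS: RFC 6797 section 8.1 says the header is ignored
        on plain HTTP, otherwise a network attacker could plant a policy."""
        parsed = parse_sts(header)
        if parsed is None:
            return
        max_age, inc = parsed
        if max_age == 0:                       # max-age=0 tells the browser to forget the host
            self.cache.pop(host.lower(), None)
            return
        self.cache[host.lower()] = HstsEntry(self.now() + max_age, inc)

    def is_hsts_host(self, host):
        """Dynamic cache first (dropping expired entries), then the preload list."""
        for known, entry in list(self.cache.items()):
            if entry.expires <= self.now():
                del self.cache[known]          # expiry reopens the first-visit gap
                continue
            if _suffix_match(host, known, entry.include_subdomains):
                return True
        for known, opts in self.preload.items():
            if _suffix_match(host, known, opts["include_subdomains"]):
                return True
        return False

    def navigate(self, url):
        """Return the URL the browser would actually request."""
        m = re.match(r"^(https?)://([^/]+)(.*)$", url)
        if not m:
            return url
        scheme, host, rest = m.groups()
        if scheme == "http" and self.is_hsts_host(host):
            return f"https://{host}{rest}"
        return url


if __name__ == "__main__":
    b = Browser()
    print(b.navigate("http://shop.example.net/"))            # first visit: plain HTTP goes out
    b.receive_header("shop.example.net", "max-age=31536000; includeSubDomains")
    print(b.navigate("http://shop.example.net/"))            # now upgraded
    print(b.navigate("http://anything.registry.google/"))    # TLD preloaded: upgraded on first visit
```

The first `navigate` call is the window the article describes: nothing in the cache or the constructed preload list covers `shop.example.net`, so the plain request is sent. The `.google` case never has that window, because the bare-TLD preload entry matches any host under it before the browser has seen a single response from it.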
There's also the fact that getting an individual domain onto the HSTS preload list can take months: you submit it at hstspreload.org and then wait for a browser release that ships the updated list. By placing its TLDs on the preload list, Google has given site owners one less thing to worry about. It has also made itself a lot more attractive as a domain registrar. Of course, only three of these TLDs are active so far – .google, .how and .soy – with a fourth, .app, slated to come online soon.
But this will probably set a trend. With HTTPS fast becoming a requirement, enhancing your SSL/TLS offering (by, for instance, guaranteeing a spot on the HSTS preload list) is more important than ever. Expect to see more domain registrars trying to add entire TLDs to the list.
What we Hashed Out (for Skimmers)
Here’s what we covered in today’s discussion:
- Google is enforcing secure connections for all 45 TLDs it owns by adding them to the HSTS preload list
- The HSTS preload list tells browsers to automatically enforce HTTPS connections with the listed sites
- When a TLD is added to the list, browsers connect to every website under that TLD over HTTPS only, with no first-visit window