Google launches .app, one of the first TLDs with built-in HTTPS
.app domains come pre-submitted to the HSTS Preload list
Last year we wrote about Google adding 45 TLDs to the HSTS preload list, a move that effectively made them HTTPS-only. At the time only a handful of the TLDs were active and the move was almost entirely made with an eye towards the future. Well, that future is now: Google is launching the .app TLD, which will be 100% encrypted.
From now through May 7, you can register .app domains via Google’s Early Access Program.
For those that need a bit of background, a TLD is a top-level domain: it’s what comes immediately after the domain name in a URL. Some common ones are:
- .com
- .edu
- .net
- .gov
- .org
“Prior to 2014, there were approximately 280 Top Level Domains delegated globally, with roughly 248 of them being country code top level domains, such as .co.uk, and 20 generic Top Level Domains, including .com, .net and .org,” said The SSL Store EVP of Strategic Partnerships, Michael Ward, who has considerable experience in the domain name and domain registry industry – most recently working to launch the .eco TLD. “There are now several hundred top level domains available including .app that launched this week.”
So, what makes the .app TLD so unique?
Aside from being well-positioned as an obvious choice for app developers, .app is also one of the 45 TLDs Google added to the HSTS Preload list last year, meaning that it will be HTTPS only. Again, you may want some background. HSTS or HTTP Strict Transport Security is a mechanism that ensures a web browser only makes secure HTTPS connections. This is important, because it eliminates a couple of attack vectors that could allow someone to strip a connection or hijack a session.
HSTS is done with an HTTP header though, which means that there’s still a tiny window where a user is vulnerable upon the very first connection with a site, before downloading the header. The HSTS Preload list solves this: it is a running list of websites with HSTS headers that comes pre-downloaded on popular browsers and forces a secure connection the very first time. We recommend it to all of our customers.
With .app, Google has saved site owners a step and just gone ahead and added them to the preload list at the TLD level.
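To make the mechanism concrete, here is a toy model of the browser-side decision described above: parsing a `Strict-Transport-Security` header, remembering it for later visits, and consulting a preload table before the very first connection. This is an added example written for this article, not Google’s or any browser’s code. The preload table is a constructed snapshot with two hypothetical entries (the `app` entry with `include_subdomains` set mirrors how a whole TLD can be preloaded); real browsers compile the list in from Chromium’s source rather than from a dictionary.

```python
"""Toy model of how a browser decides whether a host must be reached over HTTPS.

Two sources feed the decision, in the order a browser checks them:
  1. the built-in HSTS preload list (protects even the very first visit), and
  2. policies learned from Strict-Transport-Security headers on earlier visits
     (only protects after the first successful HTTPS response has been seen).
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class HstsPolicy:
    max_age: int              # seconds the policy stays in force; 0 means "forget me"
    include_subdomains: bool  # whether the policy also covers every subdomain
    preload: bool             # site owner's opt-in token for the preload list


def parse_hsts_header(value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value; None if it is unusable.

    Directive names are case-insensitive and separated by ';'. A header
    without a numeric max-age is invalid and must be ignored.
    """
    max_age = None
    include_subdomains = False
    preload = False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


# Constructed preload snapshot: name -> include_subdomains. The "app" entry is
# hypothetical illustration of a TLD-level entry covering every domain under it.
PRELOAD: Dict[str, bool] = {
    "app": True,
    "example.com": False,
}


def _matching_entry(host: str, table: Dict[str, bool]) -> Optional[str]:
    """Return the table entry that applies to host, walking from the full name
    up to the TLD. Parent entries only apply if they set include_subdomains."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in table and (i == 0 or table[candidate]):
            return candidate
    return None


class HstsStore:
    """Preload table plus the dynamic policies a browser learns from headers."""

    def __init__(self, preload: Dict[str, bool] = PRELOAD):
        self.preload = dict(preload)
        self.dynamic: Dict[str, bool] = {}

    def record_header(self, host: str, header_value: str) -> bool:
        """Store the policy from a header received over HTTPS (browsers ignore
        the header on plain HTTP). Returns False if the header was invalid."""
        policy = parse_hsts_header(header_value)
        if policy is None:
            return False
        host = host.lower().rstrip(".")
        if policy.max_age == 0:
            self.dynamic.pop(host, None)   # max-age=0 revokes the policy
        else:
            self.dynamic[host] = policy.include_subdomains
        return True

    def must_use_https(self, host: str) -> Optional[str]:
        """'preload' or 'header' if an HTTP request to host must be upgraded,
        None if the browser would make a plain HTTP request (the unprotected
        first-visit window the article describes)."""
        if _matching_entry(host, self.preload):
            return "preload"
        if _matching_entry(host, self.dynamic):
            return "header"
        return None
```

Under this model any name ending in `.app` is upgraded before the first request is ever sent, whereas a site relying on the header alone is only protected once the browser has seen one HTTPS response from it.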
But, be warned, this is a double-edged sword. You are now obligated to use HTTPS with .app domains—they literally will not work without an SSL certificate. You will instead receive a browser error and your site will be inaccessible. And just one more time, so we’re clear: .app’s inclusion on the HSTS preload list doesn’t mean you won’t still need an SSL certificate. In fact, forced HSTS means now you need an SSL certificate more than ever.
Why did Google add the entire .app TLD to the HSTS list?
As we have covered countless times on this site, Google – and the rest of the browser community – is pushing for a completely encrypted internet. In fact, starting in July with the release of Chrome 68, Google will mark any website still being served over HTTP as “not secure.”
So, it makes sense that Google would want any TLDs under its control to be HTTPS-only. And don’t look for this trend to stop with Google.
“Although Google is taking the lead with enforcing HTTPS with their top level domains including .app, I would not be surprised if this becomes the norm with future extensions delegated during the next ICANN round of new top level domains,” said Ward.
That’s great news for the internet—a phrase you don’t get to say all that often.
More info is on the get.app website.