.app domains come pre-submitted to the HSTS Preload list
Last year we wrote about Google adding 45 TLDs to the HSTS preload list, a move that effectively made them HTTPS-only. At the time only a handful of the TLDs were active and the move was almost entirely made with an eye towards the future. Well, that future is now: Google is launching the .app TLD, which will be 100% encrypted.
From now through May 7, you can register .app domains via Google’s Early Access Program.
For those who need a bit of background, a TLD is a top-level domain: it's what comes immediately after the domain name in a URL. Some common ones are:
“Prior to 2014, there were approximately 280 Top Level Domains delegated globally, with roughly 248 of them being country code top level domains, such as .co.uk, and 20 generic Top Level Domains, including .com, .net and .org,” said The SSL Store EVP of Strategic Partnerships, Michael Ward, who has considerable experience in the domain name and domain registry industry – most recently working to launch the .eco TLD. “There are now several hundred top level domains available including .app that launched this week.”
So, what makes the .app TLD so unique?
Aside from being well-positioned as an obvious choice for app developers, .app is also one of the 45 TLDs Google added to the HSTS Preload list last year, meaning that it will be HTTPS-only. Again, you may want some background. HSTS, or HTTP Strict Transport Security, is a mechanism that ensures a web browser only makes secure HTTPS connections. This is important because it eliminates a couple of attack vectors that could allow someone to strip the encryption from a connection or hijack a session.
HSTS is delivered in an HTTP response header, though, which means that there's still a tiny window where a user is vulnerable on the very first connection with a site, before the browser has received the header. The HSTS Preload list solves this: it is a running list of websites with HSTS headers that comes pre-downloaded on popular browsers and forces a secure connection the very first time. We recommend it to all of our customers.
With .app, Google has saved site owners a step and just gone ahead and added them to the preload list at the TLD level.
But, be warned, this is a double-edged sword. You are now obligated to use HTTPS with .app domains—they literally will not work without an SSL certificate. You will instead receive a browser error and your site will be inaccessible. And just one more time, so we’re clear: .app’s inclusion on the HSTS preload list doesn’t mean you won’t still need an SSL certificate. In fact, forced HSTS means now you need an SSL certificate more than ever.
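The first-connection gap and the TLD-level preload entry described above can be seen in a small model of the browser's decision; this is an added example, not code from Google or from any browser. The names `PRELOADED`, `noteHeader`, `hstsApplies` and `effectiveUrl` are hypothetical, and the list entries and host names are constructed.

```javascript
// Constructed stand-in for the browser's built-in preload list (not real list data).
const PRELOADED = new Map([
  ["app", { includeSubDomains: true }],                // whole TLD, as with .app
  ["preloaded.example", { includeSubDomains: false }], // constructed single-host entry
]);
// Dynamic HSTS state learned from Strict-Transport-Security response headers.
const learned = new Map(); // host -> { expires, includeSubDomains }

// Record a header for `host`. Browsers ignore HSTS headers that arrive over
// plain HTTP, which is why the first visit to a non-preloaded site is exposed.
function noteHeader(host, value, overHttps, now = Date.now()) {
  if (!overHttps) return false;
  const directives = value.split(";").map((d) => d.trim().toLowerCase());
  const maxAge = directives.map((d) => /^max-age="?(\d+)"?$/.exec(d)).find(Boolean);
  if (!maxAge) return false; // max-age is mandatory
  const seconds = Number(maxAge[1]);
  if (seconds === 0) return learned.delete(host.toLowerCase()) || true; // max-age=0 clears
  learned.set(host.toLowerCase(), {
    expires: now + seconds * 1000,
    includeSubDomains: directives.includes("includesubdomains"),
  });
  return true;
}

// Walk from the full host name up to the TLD; a parent entry only counts
// when it covers subdomains. Returns "preload", "header" or null.
function hstsApplies(host, now = Date.now()) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    const name = labels.slice(i).join(".");
    const pre = PRELOADED.get(name);
    if (pre && (i === 0 || pre.includeSubDomains)) return "preload";
    const dyn = learned.get(name);
    if (dyn && dyn.expires > now && (i === 0 || dyn.includeSubDomains)) return "header";
  }
  return null;
}

// The URL the browser actually requests once HSTS state is applied.
function effectiveUrl(url, now = Date.now()) {
  const u = new URL(url);
  if (u.protocol === "http:" && hstsApplies(u.hostname, now)) u.protocol = "https:";
  return u.href;
}

console.log(effectiveUrl("http://myproject.app/login")); // upgraded by the TLD entry
console.log(effectiveUrl("http://shop.example/"));       // unchanged on a first visit
```

Because the `app` entry covers subdomains, every host under it is upgraded before any header has been seen, while `shop.example` stays on HTTP until a header arrives over HTTPS.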
Why did Google add the entire .app TLD to the HSTS list?
As we have covered countless times on this site, Google – and the rest of the browser community – is pushing for a completely encrypted internet. In fact, starting in July with the release of Chrome 68, Google will mark any website still being served over HTTP as “not secure.”
So, it makes sense that Google would want any TLDs under its control to be HTTPS-only. And don’t look for this trend to stop with Google.
“Although Google is taking the lead with enforcing HTTPS with their top level domains including .app, I would not be surprised if this becomes the norm with future extensions delegated during the next ICANN round of new top level domains,” said Ward.
That’s great news for the internet—a phrase you don’t get to say all that often.
More info is on the get.app website.