Google To Enforce HTTPS Connections For 45 TLDs

Google announced that 45 of the top-level domains (TLDs) it recently purchased, including .dev, .app, .eat, and so on, will enforce HTTPS security, guaranteeing that all connections to sites using those TLDs will be over encrypted channels.

What Is HSTS?

HTTP Strict Transport Security (HSTS) is a web security policy that ensures a user will always connect via an encrypted HTTPS channel to a website after the initial connection to that site. If the user then tries to connect to http://gmail.com, for example, the browser will automatically switch to https://gmail.com before sending out the request to Google.

Once the HSTS response header is received by the browser on the first connection, the user can no longer connect to that site using HTTP, which means any downgrade attacks (from HTTPS to HTTP) will also be prevented.

However, because HSTS still normally needs that first connection before it can be enabled in the browser for a given website, a small window of opportunity for an attacker can still exist to launch a man-in-the-middle attack against someone visiting a certain website.

This can be fixed for certain websites, if they are included in the HSTS preload list in the major browsers. Then, the browsers will be able to enforce HTTPS encryption from the very first connection.

HTTPS Enforcement For Entire Domains

Not just domains and subdomains can be included in the HSTS preload lists of a browser, but entire TLDs, too. For instance, if the .com TLD were included in this list, then nobody would be able to connect to any existing .com website unless they were doing it over HTTPS.

Considering many websites still haven’t even adopted HTTPS yet, let alone mandated the use of HTTPS for their visitors, that’s not possible, at least for the time being. However, this can work for new TLDs, such as .dev and .app, and this is what Google is announcing today.
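To make the mechanism described in the two sections above concrete, here is a small model of the decision a browser makes before sending a request: whether an http:// URL is rewritten to https:// because of a previously received Strict-Transport-Security header, or because the host (or its whole TLD) sits on the preload list. This is an added example written for this article, not Google's or any browser's code; the preload list, clock and host names are constructed for the demonstration, and it deliberately ignores port handling and IP-literal rules that a real implementation must cover.

```python
"""Toy model of browser HSTS logic (added example; not Google's or any browser's code).

Shows: the unprotected first visit, the upgrade after an HSTS header arrives,
includeSubDomains, expiry, and a preloaded TLD that needs no first visit.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    expires: float            # absolute time in seconds when the policy lapses
    include_subdomains: bool  # whether the entry also covers child domains


def parse_sts_header(value: str) -> Optional[Tuple[int, bool]]:
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when no usable max-age directive is present (RFC 6797 requires one).
    Unknown directives such as "preload" are ignored, as the RFC prescribes.
    """
    max_age = None
    include_sub = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsPolicy:
    def __init__(self, preload: Dict[str, bool], now: Callable[[], float] = time.time):
        self.now = now
        # Constructed preload list: host or bare TLD -> includeSubDomains flag.
        # Preload entries never expire and cannot be removed by a server header.
        self.preload = {h.lower(): inc for h, inc in preload.items()}
        self.dynamic: Dict[str, HstsEntry] = {}

    def record_response(self, host: str, sts_header: Optional[str]) -> None:
        """Called for an HTTPS response; only HTTPS responses may set HSTS state."""
        if sts_header is None:
            return
        parsed = parse_sts_header(sts_header)
        if parsed is None:
            return
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:
            self.dynamic.pop(host, None)   # max-age=0 tells the browser to forget the host
            return
        self.dynamic[host] = HstsEntry(self.now() + max_age, include_sub)

    def is_known_host(self, host: str) -> bool:
        """Exact match first, then each parent domain (down to the TLD) with includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.preload and (i == 0 or self.preload[candidate]):
                return True
            entry = self.dynamic.get(candidate)
            if entry is None:
                continue
            if entry.expires < self.now():
                del self.dynamic[candidate]  # lapsed policy is dropped
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Return the URL the browser would actually request."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known_host(parts.hostname or ""):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


def demo() -> Dict[str, str]:
    clock = [1_000_000.0]                       # constructed, controllable clock
    policy = HstsPolicy(preload={"dev": True, "app": True}, now=lambda: clock[0])
    out = {}
    # 1. First ever visit to a non-preloaded host: no policy yet, so plain HTTP goes
    #    out; this is the window the article describes.
    out["first_visit"] = policy.rewrite("http://example.com/login")
    # 2. The HTTPS response carries HSTS; from now on HTTP is upgraded locally.
    policy.record_response("example.com", "max-age=31536000; includeSubDomains")
    out["after_header"] = policy.rewrite("http://example.com/login")
    out["subdomain"] = policy.rewrite("http://mail.example.com/")
    # 3. A preloaded TLD is protected from the very first connection.
    out["preloaded_tld"] = policy.rewrite("http://myproject.dev/")
    # 4. Once max-age has passed, the dynamic policy lapses.
    clock[0] += 31_536_001
    out["expired"] = policy.rewrite("http://example.com/login")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:14} {v}")
```

The `preload` dictionary stands in for the browser's built-in list; putting the bare label `dev` in it with `includeSubDomains` set is exactly what makes every `*.dev` name HTTPS-only with no prior visit, which is the property the article attributes to Google's TLDs.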

Google, which has recently purchased 45 TLDs, is now able to enforce HTTPS for those 45 TLDs. As the company has recently become a domain registrar as well, others will soon be able to register domains with one of those secure-by-default Google-owned TLDs.

Google also hopes that all owners of other new TLDs will enable HSTS by default, which would ensure that all new websites using such TLDs will always connect via HTTPS.

6 comments
  • Rookie_MIB
    Well, that's just plain dumb (wanting EVERY website to use HTTPS). While certainly there are websites out there which should require encryption of data, like any site that routinely stores account information of any type*, wanting it for EVERY site is unnecessary.

    My personal website? Not needed. My business website (which exists for basic information only)? Not needed. Why would I want to go through the extra expense to pay for security certificates which I don't need! Yes, I could self-sign, but then almost every browser would throw up flags.

    If the browsers would scale that back and allow for a more relaxed handling of security certs, then I'd consider self-signing and going https. Until then? Nope.
  • derekullo
    https://letsencrypt.org/

    Is quite literally free.

    What are you talking about?
  • Kewlx25
    1373686 said:
    Well, that's just plain dumb (wanting EVERY website to use HTTPS). While certainly there are websites out there which should require encryption of data, like any site that routinely stores account information of any type*, wanting it for EVERY site is unnecessary. My personal website? Not needed. My business website (which exists for basic information only)? Not needed. Why would I want to go through the extra expense to pay for security certificates which I don't need! Yes, I could self-sign, but then almost every browser would throw up flags. If the browsers would scale that back and allow for a more relaxed handling of security certs, then I'd consider self-signing and going https. Until then? Nope.
    The bad guys can leverage the fact that you use HTTP to make browsers use HTTP when it should be using HTTPS. The fact that HTTP exists means downgrade attacks exist. Get rid of HTTP and get rid of downgrade attacks.

    There is no safe way to automatically detect when HTTPS should be used.