Google.com was one of the first major online services to adopt HTTPS encryption by default, which it did years ago. The site is now adding the HTTP Strict Transport Security (HSTS) feature, which means users won’t be able to reach the Google.com site unless they do it through the encrypted channel. Google also announced that YouTube.com would also gain HSTS protection.
Normally, people go to a site by typing the domain name into the address bar of their browser. However, they don’t usually include “https://” before writing that domain name, which means the browser will point them to the unencrypted version of the site. Most sites that use HTTPS encryption will automatically redirect you to the encrypted version of the site even if you enter its name without “https://” in front.
The problem is there is still a small window of opportunity for an attacker to take advantage of the redirect. It also allows attackers to strip the SSL protection and downgrade the connection to HTTP.
The HSTS policy can guarantee that a user can only access the website through an encrypted HTTPS channel after a person’s first visit to a site. The visitor’s browser will remember that the site uses HSTS, and it will only allow HTTPS connections for that site until the header expires.
For now, the Google.com HSTS header will have an expiration date of only one day as the company continues to experiment with the change. Every day a visitor will get a new HSTS header that will last another day, and so on. The limited window isn’t ideal because every day there will be a chance for an attacker to downgrade the user’s connection to Google.com from HTTPS to HTTP before the user receives the new header.
Google allows the HSTS headers to expire so soon (for now) because if something goes wrong, its users will be locked out of using Google.com for only a day, rather than a month or more. The company also gave an example of this feature breaking its Santa Tracker just before Christmas last year, although Google was able to fix it by Christmas Eve. Over the next few months, and after much more live testing on Google.com, the company plans to extend the header lifecycle to at least one year.
Google said that it would protect YouTube.com by HSTS as well, which not only increases security, but it also cuts down the latency for its users. The company also added that it would secure YouTube.com over an encrypted HTTPS channel for 97 percent of its users. Google can’t protect the remaining 3 percent of users with modern HTTPS right now, but as they get new devices, it will protect them as well.
