When HTTPS encryption was still new, web developers needed features that let HTTPS and HTTP interoperate, because most sites were still unencrypted. HTTPS architects therefore created mechanisms to upgrade or downgrade browsing sessions between HTTP and HTTPS when needed, so that people were not locked out of certain sites entirely. But as HTTPS has proliferated, it is finally time to bypass or eliminate these intermediate features. Otherwise, pages still served over HTTP, such as those redirect pages, can still be intercepted or manipulated.
So Google has built HTTPS protection directly into the top-level domain itself [the suffix at the end of a URL, such as ".com"]. In 2015, Google added its internal .google top-level domain to the preload list as a pilot. In 2017, the company started using the idea more broadly with its private suffixes ".foo" and ".dev". Then in May 2018, Google opened public ".app" registrations, making the preloaded automatic encryption available to anyone who wanted it. In February of this year, it opened .dev to the public too.
Which means that today, when you use a ".app", ".dev" or ".page" domain, that page and all of its subpages are automatically added to a list that all the mainstream browsers, including Chrome, Safari, Edge, Firefox, and Opera, consult when they set up encrypted web connections. This is the HTTPS Strict Transport Security preload list, or HSTS preload list, and browsers use it to know which sites should only ever be loaded over encrypted HTTPS, rather than falling back to unencrypted HTTP under certain circumstances. In short, it fully automates something that can otherwise be tricky to implement.
"Web security is complex, and not all end users, or even all site creators, understand all the complexities," said Ben Fried, Google's director of information. "What I like about using these new top-level domains in this way is that it significantly reduces the burden on every site creator to look for best practices, because each subdomain of this top-level domain is HTTPS only, and the browser will not even try to access it in any other way."
The turning point came when engineer Ben McIlwain realized that an entire top-level domain could be placed on the preload list. "Internally, it took off from there," says Fried. "We realized that these were two things that had developed independently and that were suddenly more powerful when they were combined."
Lily Hay Newman covers information security, digital privacy and hacking for WIRED.
Site developers who know about the HSTS preload list can add individual URLs to it without using a top-level domain like Google's, but Fried points out that the process is much more time-consuming and requires waiting for browsers to ship updated versions of the preload list. By proactively adding entire top-level domains to the list, browsers automatically recognize every URL created under them as requiring an encrypted connection.
Google says it now has millions of registered sites on its top-level domains, including hundreds of thousands on .app alone.
"The web started out without any default for data transport. It's a deeply rooted legacy that we need to move away from as quickly as possible," says Josh Aas, who heads the non-profit HTTPS certificate authority Let's Encrypt. "Normally, browsers have their initial interaction with a site over plain HTTP to find out whether it wants HTTPS or not. HSTS preloading makes this unsafe interaction unnecessary. It's nice to see Google demonstrating that it's a viable default setting for top-level domains."
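The mechanism the article describes, as an added example that is not code from the article, from Google or from any browser: a small model of a browser's HSTS store. The preload entries are constructed for illustration (the real list is maintained in the Chromium source tree) and mirror the two kinds of entry the article discusses, a whole top-level domain such as "app" or "dev" with subdomains included, and a single site added on its own. The lookup walks from the full hostname up to the bare suffix, `upgrade` rewrites an `http://` URL to `https://` when a matching entry exists, and `learn_from_header` models the slower, non-preloaded path in which a site the browser has already reached over TLS sends a Strict-Transport-Security header.

```python
"""Model of how a browser consults its HSTS store before connecting.

Added example; the preload entries below are constructed and the class
names (HstsStore, HstsEntry) are this example's own, not a browser API.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    include_subdomains: bool
    source: str  # "preload" (static list) or "header" (learned at runtime)


# Constructed sample shaped like Chromium's preload JSON: whole TLDs sit
# beside ordinary registrable domains, each in "force-https" mode.
SAMPLE_PRELOAD = [
    {"name": "app", "mode": "force-https", "include_subdomains": True},
    {"name": "dev", "mode": "force-https", "include_subdomains": True},
    {"name": "example.net", "mode": "force-https", "include_subdomains": False},
]


class HstsStore:
    def __init__(self, preload) -> None:
        self._entries: Dict[str, HstsEntry] = {}
        for e in preload:
            if e.get("mode") == "force-https":
                self._entries[e["name"].lower()] = HstsEntry(e["include_subdomains"], "preload")

    def lookup(self, host: str) -> Optional[str]:
        """Return the entry name that forces HTTPS for host, or None."""
        labels = host.lower().rstrip(".").split(".")
        # Walk from the full host up to the bare suffix. An exact entry always
        # matches; a parent entry matches only if it carries include_subdomains,
        # which is what makes every name under .app or .dev HTTPS-only.
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._entries.get(candidate)
            if entry is None:
                continue
            if i == 0 or entry.include_subdomains:
                return candidate
        return None

    def upgrade(self, url: str) -> str:
        """Rewrite http:// to https:// when the host is covered by an entry."""
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme != "http" or self.lookup(host) is None:
            return url  # no entry: the browser would go out over plain HTTP
        netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

    def learn_from_header(self, host: str, header_value: str, over_tls: bool) -> bool:
        """Record a Strict-Transport-Security header (the non-preloaded path).

        Per RFC 6797 the header only counts when received over TLS, and
        max-age=0 tells the browser to forget the host. Static preload entries
        are never modified by a header.
        """
        if not over_tls:
            return False
        max_age: Optional[int] = None
        include_sub = False
        for directive in header_value.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                m = re.fullmatch(r'"?(\d+)"?', value.strip())
                if m is None:
                    return False  # malformed directive: ignore the whole header
                max_age = int(m.group(1))
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False
        host = host.lower()
        existing = self._entries.get(host)
        if existing is not None and existing.source == "preload":
            return False
        if max_age == 0:
            self._entries.pop(host, None)
        else:
            self._entries[host] = HstsEntry(include_sub, "header")
        return True


if __name__ == "__main__":
    store = HstsStore(SAMPLE_PRELOAD)
    print(store.upgrade("http://photos.example.app/x?y=1"))
    print(store.upgrade("http://example.com/"))
```

The difference the article draws is visible in the two paths: a name under `.app` is upgraded on the very first navigation because the suffix is already in the store, while `example.com` stays on plain HTTP until the browser has completed one HTTPS exchange with it and seen the header.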
As with all of Google's expansions, becoming a top-level domain registry further strengthens Google's deep and influential position on the web, for better or for worse. But when it comes to promoting HSTS preloading, it seems to be pushing in the right direction. Clever suffixes such as .app and .dev do not solve every internet security problem, but they give site developers a simple way to check off one crucial item on the list.
Fried said that if users access Google's top-level domains and enjoy the security benefits without even realizing it, that's the whole idea.