Google’s campaign to make HTTPS security ubiquitous has been underscored once again by the news that it is to implement HSTS preload on 45 Top-Level Domains (TLDs) it controls as part of its domain registrar business.
There are several strands to this story, beginning with the little-known fact that Google has since 2015 been a registrar for generic Top-Level Domains such as .ads, .here, .meme, .ing, .rsvp, .fly and .app, to name only a few.
The next is HSTS (HTTP Strict Transport Security), first adopted by Chrome 4 in 2009, which is incorporated into all major browsers.
HSTS is a way for a website to insist that browsers connect to it using the encrypted HTTPS protocol, instead of insecure HTTP. A browser attempting to visit http://nakedsecurity.sophos.com, for example, is forwarded to a URL that uses HTTPS and told to add the site to its list of sites that should always be accessed using HTTPS. From then on the browser will always use HTTPS for that site, no matter what.
The user doesn’t have to do anything, regardless of whether they reached the site through a bookmark, a link, or simply by typing HTTP in the address bar.
The only flaw in this scheme is that browsers can still reach an insecure HTTP URL the first time they connect to a site, opening a small window for attackers to carry out man-in-the-middle, cookie hijacking and encryption downgrade attacks such as the well-publicised POODLE SSLv3 attack discovered by Google researchers in 2014.
HSTS preload solves this by pre-loading a list of HSTS domains into the browser itself, closing that window entirely.
Best of all, this preloading can be applied to entire TLDs, not just domains and sub-domains, which means it becomes automatic for everyone registering any domain name ending in that TLD.
As Google states:
Adding an entire TLD to the HSTS preload list is also more efficient, as it secures all domains under that TLD without the overhead of having to include all those domains individually.
Because HSTS preload lists can take months to update in browsers, setting it by TLD has the added advantage of making HSTS instantaneous for new websites registered under those TLDs.
Google extending HSTS preload to 45 TLDs in the coming months is therefore bigger news than it might sound: millions of new sites registered under each TLD will now have HTTPS enforced (and domain owners will have to configure their websites to work over HTTPS or they won't work).
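The behaviour described above, as an added Python example that is not from the article or from any browser's code: a tiny model of a browser's HSTS cache that parses the Strict-Transport-Security header, honours includeSubDomains and expiry, and treats a preloaded TLD as enforced even on the very first visit. The preload set, host names and clock are constructed for illustration, and ports are ignored for simplicity.

```python
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed preload set: a few of the TLDs named in the article, used here
# purely as illustration rather than as a copy of the live preload list.
PRELOADED_TLDS = {"app", "ads", "here", "meme", "ing", "rsvp", "fly"}


class HstsStore:
    """Minimal model of a browser's HSTS state: preloaded TLDs plus a
    per-host cache learned from Strict-Transport-Security headers."""

    def __init__(self, preloaded_tlds, now=time.time):
        self.preloaded_tlds = {t.lower() for t in preloaded_tlds}
        self.dynamic = {}          # host -> (expiry_timestamp, include_subdomains)
        self.now = now             # injectable clock so tests are deterministic

    def record_header(self, host, header):
        """Parse an STS header value; return False if it is invalid (no max-age)."""
        max_age, include_sub = None, False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                max_age = int(value.strip().strip('"'))
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False
        if max_age == 0:                       # max-age=0 means "forget this host"
            self.dynamic.pop(host.lower(), None)
        else:
            self.dynamic[host.lower()] = (self.now() + max_age, include_sub)
        return True

    def is_hsts_host(self, host):
        labels = host.lower().split(".")
        if labels[-1] in self.preloaded_tlds:
            return True                        # whole TLD preloaded: no first-visit window
        for i in range(len(labels)):           # walk host, then each parent domain
            entry = self.dynamic.get(".".join(labels[i:]))
            if entry and entry[0] > self.now() and (i == 0 or entry[1]):
                return True                    # exact match, or parent with includeSubDomains
        return False

    def upgrade(self, url):
        """Rewrite an http:// URL to https:// when HSTS applies to its host."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_hsts_host(parts.hostname):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url
```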
Uptake remains a hurdle: too many sites still don't bother with HTTPS, something Google has tried to counter with recent initiatives such as Chrome marking non-HTTPS sites as "insecure", a sort of large-scale shaming campaign.
Another barrier is cost, which explains why Google has backed the Let’s Encrypt certificate authority which offers free certificates (even if it turned out that phishing sites were also availing themselves of this).
In the end, the biggest ally in making HTTPS universal could simply be the changing expectations of web users who have started to grasp the importance of web security for their own well-being.