Google: Here's why we're putting all our top-level domains on forced HTTPS list

All sites under Google's top-level domains will automatically support HTTP Strict Transport Security.
Written by Liam Tung, Contributing Writer

Google reckons enabling TLD-level HSTS is far more efficient than the current system.


Google is enforcing HTTPS for all sites under its own top-level domains (TLDs), such as .google, .how, and .soy.

Along with being a search and ad firm, Google also operates a TLD registry (Google Registry) and holds 45 of the names that a site can use in place of conventional TLDs such as .org or .com.

Of those 45 TLDs, the ones currently live include .google, .how, and .soy, with .app launching soon. With the exception of .google, Google's domain registrar Google Domains and its partners sell these to anyone wanting to set up a website. Others it has claimed include .ads, .boo, .here, .meme, .ing, .mov, and .rsvp.

As part of its push for wider adoption of HTTPS, Google has now started to enable HTTP Strict Transport Security (HSTS) for a "large number" of its TLDs.

An HSTS policy tells a browser that a host must only ever be reached over HTTPS. Once the browser knows the policy, it rewrites any http:// URL for that host to https:// before sending a request, and it refuses to let the user click through certificate errors for that host. That is why all major browsers go to https://gmail.com even when the user types the http address. HSTS is aimed at SSL-stripping attacks, in which an attacker on the network path downgrades a connection from HTTPS to plain HTTP; it does not address TLS-version fallback attacks such as POODLE, which operate on the encrypted connection itself.

The HSTS preload list is a list of hostnames compiled into the browser itself, so that HTTPS is enforced for those hosts from the very first visit, before the site has had a chance to send an HSTS header. The list is maintained by the Chromium project and is used in Chrome, Firefox, Safari, Internet Explorer, Edge, and Opera.

Ben McIlwain, a software engineer for Google Registry, explains that .google became the first TLD to join the HSTS preload list. Google launched the .google TLD in 2014 and now uses it for its blog The Keyword, Google Registry and Google Design.

The first non-.google TLDs joining it will be .foo and .dev, which Google plans to make available for registration soon.

According to McIlwain, enabling TLD-level HSTS is far more efficient than adding hosts to the preload list one by one, because a new list entry only protects users once the browser release that contains it has reached them.

"The use of TLD-level HSTS allows such namespaces to be secure by default," writes McIlwain.

Registrants still need to obtain a TLS (SSL) certificate and configure it on their web server before the site can serve HTTPS; Let's Encrypt issues such certificates free of charge. But site owners no longer need to add their sites to the HSTS preload list individually, a process that McIlwain says can take months because browsers carrying the updated list have to reach most users.

"Using an already-secured TLD provides immediate protection rather than eventual protection. Adding an entire TLD to the HSTS preload list is also more efficient, as it secures all domains under that TLD without the overhead of having to include all those domains individually."
