Google has implemented HTTP Strict Transport Security (HSTS) on the google.com domain to prevent users from reaching its site over insecure HTTP.
HSTS allows website operators to ensure their site is only accessible via a browser when using a secure HTTPS connection, helping block SSL-stripping and man-in-the-middle attacks. All major browsers, including Chrome, Safari, Internet Explorer, and Edge now support HSTS.
"HSTS prevents people from accidentally navigating to HTTP URLs by automatically converting insecure HTTP URLs into secure HTTPS URLs. Users might navigate to these HTTP URLs by manually typing a protocol-less or HTTP URL in the address bar, or by following HTTP links from other websites," explained Jay Brown, a senior technical program manager for security at Google.
According to the HSTS preload list used by Chrome, google.com URLs where the company now forces HTTPS include Gmail, Inbox, the Play Store, Hangouts, and Docs among others.
The HSTS rollout should contribute to Google's goal of encrypting everything across its products and services.
Today, about 80 percent of requests to Google's servers use an encrypted connection. While all Gmail traffic has been encrypted since 2014, a growing proportion of traffic to other services including Google Maps, News, Finance, and advertising is encrypted.
Brown notes that rolling out HSTS support is normally a straightforward affair. However, Google had a number of complexities to work through to ensure it didn't disrupt access to its core domain. These issues included mixed content, which HSTS would block, and updating legacy services. During testing Google also "accidentally broke" the Google Santa Tracker before Christmas.
The next phase of Google's HSTS rollout will look to minimize the chance that users make a first request to Google over HTTP. Eventually, any attempt to visit Google using HTTP will be blocked and redirected to HTTPS.
Google said that in the next few months it will raise the HSTS "max-age" value for its domains to at least one year, which means that throughout that period browsers will redirect any HTTP request to HTTPS. For now, however, it has set max-age to one day to avoid any early glitches.
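As an added illustration (example code, not Google's), here is a small Python model of how a browser applies the Strict-Transport-Security header: it parses the directives the article mentions (max-age, plus includeSubDomains and preload), caches the policy for max-age seconds, and shows both the first-request gap the article describes and the difference a one-day versus one-year max-age makes. Host names and header values are constructed for the demonstration.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

ONE_DAY = 86400          # initial max-age the article says Google set
ONE_YEAR = 365 * 86400   # target max-age the article says comes next

@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool

def parse_hsts(header: str) -> HstsPolicy:
    """Parse the directives of a Strict-Transport-Security header value."""
    max_age, subs, preload = None, False, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            subs = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, subs, preload)

class HstsCache:
    """Host -> (policy, expiry); a toy of what a browser keeps in memory."""
    def __init__(self):
        self.entries = {}

    def observe(self, host: str, header: str, now: int) -> None:
        # A browser only honours HSTS on an HTTPS response; assumed here.
        policy = parse_hsts(header)
        self.entries[host.lower()] = (policy, now + policy.max_age)

    def upgrade(self, url: str, now: int) -> str:
        """Rewrite http:// to https:// if an unexpired policy covers the host."""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        labels = (parts.hostname or "").split(".")
        for i in range(len(labels)):  # exact host, then each parent domain
            policy, expiry = self.entries.get(".".join(labels[i:]), (None, 0))
            if policy and expiry > now and (i == 0 or policy.include_subdomains):
                return urlunsplit(("https",) + tuple(parts[1:]))
        return url
```

Before the first HTTPS response is seen the cache is empty, so an http:// navigation is not upgraded; once a policy expires (after one day with the initial setting) the browser is back in that state until it sees the header again, which is why the preload list and a long max-age matter.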