Google recently announced HTTPS Strict-Transport Security (HSTS) preload list as a measure to improve web browser security.
With this, Google plans to enforce HTTPS for all sites lying within its own TLDs (top-level domains) like .google, .soy and .how.
Google has always tried to ensure security of the web. It is not the first time that it has introduced a measure to secure sites. Earlier in 2010, it announced HTTPS as default for Gmail and then again, in 2014, made HTTPS a standard to boost a website’s rank in Google search and to encourage HTTPS usage. Recently in 2016, it also become the gold sponsor for Let’s Encrypt SSL certificates.
Now, as the wider next step to boost HTTPS adoption, Google has switched to HTTPS strict transport security for many of its TLDs.
Per the HSTS policy, browsers will automatically use HTTPS encrypted connection to sites that support HTTPS. This means, even if the user hits http://gmail.com on the address bar, the browser will switch to HTTPS.
This policy will protect sites from attacks like POODLE that weaken and aim to strip out encryption.
The HSTS list will support all major browsers (Chrome, Internet Explorer, Safari, and Opera). It will include a list of hostnames for which the selected browsers will automatically enforce encrypted HTTPS connection.
The preload list can contain individual, sub-domains and even TLDs that are added through the HSTS website. Google currently operates 45 TLDs.
The provision to add TLDs as a whole under the HSTS list will ensure that all domains under them are secured by default. So, the registrants simply need to choose a secure TLD for their website and configure an SSL certificate. They do not need to worry about adding individual domains or sub-domains to the preload list of HSTS.
Google plans to make these secure TLDs available for registration soon.