Google’s next step in making HTTPS the default on the web uses its stash of top level domains (TLDs) like .google, .app, and .dev.
Google is tying the HTTPS Strict Transport Security (HSTS) web security policy to its TLDs in a move that enables additional security for all domains under its TLDs.
HSTS can counter SSL-stripping attacks, which remove encryption from a secured HTTPS connection. It also ensures that web browsers automatically default to the HTTPS version of a site, even when a user types in the HTTP address.
HSTS is enabled by a “preload list” of hostnames integrated with a browser so that it knows which sites to enforce HTTPS connections. A common HSTS preload list is used in Chrome, Firefox, Safari, Internet Explorer, Edge, and Opera.
During ICANN’s gTLD sell-off in 2012 that opened up new TLDs beyond .com, .org and .net, Google acquired the rights to 45 new TLDs, including .google, and a handful of others that site owners could take in new directions like .eat, .soy, .dad, .app, .ads, .mov, .fly, .esq, and .zip. Google’s .google sites include main blog, The Keyword.
The company enabled HSTS on .google domains in 2015 and now plans to make it’s other TLDs HSTS by default, which it reckons will accelerate the adoption of HSTS. The aim is to make HTTPS a selling point for the TLDs that Google’s registrar, Google Registry, operates. Google is starting it's broader HSTS program with its .foo and .dev TLDs. Neither are active presently, but Google expects they will be soon.
It appears that Google is trying to influence the market through security rather than necessarily profiting by offering more secure TLDs.
Google Registry’s Ben Ben McIlwain says the company “would like to see TLD-wide HSTS become the security standard for new TLDs”, arguing the strategy uses existing tools in a more "impactful way".
This helps Google’s broader goal of increasing the adoption of HTTPS, which includes tweaking its search algorithm to favor sites that have enabled HTTPS, and supporting Let’s Encrypt, a certificate authority that provides free SSL certificates. Google has also been fighting conventional certificate authorities, such as Symantec, that it’s caught issuing dubious certificates.
Assuming website owners see the benefit of HSTS, Google’s HSTS-enabled TLDs will be more appealing. Sites that want to be included on the preload list will find it easier to register a TLD Google has already included on the list.
“Since it typically takes months between adding a domain name to the list and browser upgrades reaching a majority of users, using an already-secured TLD provides immediate protection rather than eventual protection. Adding an entire TLD to the HSTS preload list is also more efficient, as it secures all domains under that TLD without the overhead of having to include all those domains individually,” explained McIlwain.