Google to enforce HTTPS on TLDs it controls [source: helpnetsecurity]
by CIRT Team
In its sustained quest to bring encryption to all existing Web sites, Google has announced that it will start enforcing HTTPS for the 45 Top-Level Domains it operates.
How will it do that?
You may or may not know that, since 2015, Google has been offering domain name registration services, and it operates domains such as .google, .how, and .dev (among others).
And now, Google will start adding them to the HTTP Strict Transport Security (HSTS) preload list.
“The HSTS preload list is built in to all major browsers (Chrome, Firefox, Safari, Internet Explorer/Edge, and Opera). It consists of a list of hostnames for which browsers automatically enforce HTTPS-secured connections,” Ben McIlwain, a software engineer for Google Registry, explained.
“For example, gmail.com is on the list, which means that the aforementioned browsers will never make insecure connections to Gmail; if the user types http://gmail.com, the browser first changes it to https://gmail.com before sending the request. This provides greater security because the browser never loads an http-to-https redirect page, which could be intercepted.”
By adding those TLDs to the list, Google protects visitors to sites parked on them against protocol downgrade and cookie hijacking attacks, and minimizes the possibility of man-in-the-middle attacks.
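The preload lookup described in the quote, extended to TLD-level entries, as an added example (not code from Google or from any browser). The `PRELOAD` table is a constructed sample using names the article mentions, the `include_subdomains` flag values and the function names are assumptions, and the port handling follows RFC 6797 section 8.3.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample, not the real preload list: hostname -> include_subdomains.
# Names are taken from the article; the flag values are assumptions.
PRELOAD = {
    "gmail.com": True,
    "google": True,
    "how": True,
    "dev": True,
}


def is_preloaded(host, preload=PRELOAD):
    """True if host itself, or a parent entry covering subdomains, is listed."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        # i == 0 is an exact match; a parent only counts if it covers subdomains.
        if candidate in preload and (i == 0 or preload[candidate]):
            return True
    return False


def upgrade(url, preload=PRELOAD):
    """Rewrite http:// to https:// locally, before any request is sent."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return url
    if not is_preloaded(parts.hostname, preload):
        return url
    # RFC 6797 8.3: explicit port 80 becomes 443 (the https default, so it is
    # omitted here); any other explicit port is preserved.
    netloc = parts.hostname
    if parts.port not in (None, 80):
        netloc = f"{netloc}:{parts.port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    for u in ("http://gmail.com", "http://shop.example.dev/cart?id=1",
              "http://example.dev:8080/", "http://example.com/"):
        print(u, "->", upgrade(u))
```

A single TLD entry covers every hostname beneath it because matching is done on whole DNS labels from the right, so `devtools.example.com` is not affected by the `dev` entry.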