Google Launches .app Top-Level Domain with HSTS as a Default
.app TLD is launched, and hackers won’t like it
For a long time, we have been covering Google’s crusade against HTTP. Now Google has taken another step toward the goal it has been aspiring to: HTTPS Everywhere. Google has just launched .app, its newest TLD from Google Registry. This TLD has been designed specifically for apps and app developers. .app comes with a distinct advantage, and that advantage is HTTPS by default, enforced through HSTS.
We’ll get to HSTS in a minute but before that, let’s shed some light on top-level domains (TLDs). If you have a good idea about them, you can skip this part.
So, what is a top-level domain?
Think of any URL. Let’s say you thought of www.yourdomainname.com. See the .com at the end? That’s what is called a top-level domain (TLD). In other words, a TLD is the rightmost label of a domain name, the part that follows the domain name itself (“yourdomainname” in this case).
Here are the top five most widely used top-level domains according to W3Techs:
- .com (46.4%)
- .org (5.1%)
- .ru (4.7%)
- .net (4.0%)
- .de (3.6%)
.app is one of the newest additions to around 1540 such TLDs.
You can’t have a .app site without HTTPS
Yes, you read that right. That’s because Google has added .app to the HSTS preload list at the TLD level, which means every site using the .app TLD must be loaded over HTTPS only. HSTS (HTTP Strict Transport Security) normally takes effect only after a browser has seen a site’s Strict-Transport-Security header once; the preload list, which ships built into the browser, tells it to connect over HTTPS from the very first request, with no plaintext visit at all. If you want to know about HSTS in depth, here’s an excellent resource for you.
Perks of HSTS Preload
The HSTS preload list is a list of sites that browsers ship with and will only ever contact over HTTPS. Because the browser attempts only HTTPS connections, even on the very first visit, an attacker on the network never sees a plaintext request to tamper with, so there is no chance for a protocol downgrade (SSL stripping) or cookie hijacking.
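To make the two points above concrete (TLD-level preloading and first-visit HTTPS enforcement), here is a small added model of how a browser consults its preload list, plus a check of the header requirements a site must meet before it can be submitted to hstspreload.org. This is example code written for this post, not Google’s or any browser’s implementation, and the PRELOAD table is a constructed subset; it goes slightly beyond the text by also validating a Strict-Transport-Security header.

```python
"""Model of browser HSTS preload behaviour (added example, not browser code)."""
from urllib.parse import urlsplit

# Constructed subset of the preload list: entry -> includes subdomains?
# ".app" is preloaded at the TLD level, so every name under it is covered.
# The other two entries are assumptions added for contrast.
PRELOAD = {
    "app": True,
    "google.com": True,
    "example.net": False,
}


def is_preloaded(host: str) -> bool:
    """True if host, or an ancestor entry that includes subdomains, is preloaded."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PRELOAD:
            # An exact match always counts; an ancestor only if it covers subdomains.
            return i == 0 or PRELOAD[candidate]
    return False


def upgrade_url(url: str) -> str:
    """Rewrite http:// to https:// before any request when the host is preloaded."""
    parts = urlsplit(url)
    if parts.scheme == "http" and is_preloaded(parts.hostname or ""):
        return "https://" + url[len("http://"):]
    return url


def preload_eligible(sts_header: str) -> bool:
    """Check a Strict-Transport-Security header against hstspreload.org rules:
    max-age of at least one year, includeSubDomains, and the preload directive."""
    directives = {}
    for part in sts_header.split(";"):
        name, _, value = part.strip().partition("=")
        directives[name.lower()] = value.strip().strip('"')
    try:
        max_age = int(directives.get("max-age", "-1"))
    except ValueError:
        return False
    return (max_age >= 31536000
            and "includesubdomains" in directives
            and "preload" in directives)
```

Note that `is_preloaded` is why a brand-new .app site has no plaintext window to protect: the TLD entry matches any depth of subdomain before a single byte is sent.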
You’ll still need an SSL certificate
A common misconception about HSTS is that HTTPS will somehow be established without doing anything, as if by magic. Well, let us demystify it for you: “HSTS doesn’t work without an SSL certificate.” You’ll need to install an SSL cert on your .app site; otherwise, your site won’t load at all, because the browser will not fall back to plain HTTP. Period.