Google to Enforce HSTS on TLDs it Operates

Google, through Google Domains, operates many TLDs, and this week said it would begin enforcing HSTS on those TLDs. HSTS forces secure client connections over HTTPS.

Google said this week it would enforce HSTS on 45 Top Level Domains it operates.

HSTS, or HTTP Strict Transport Security, forces HTTPS on client connections to webservers and is a key part of the strategy to encrypt the web.

Google is the registry for many new TLDs and said that it will start rolling out HSTS on more of them starting with .foo and .dev.

“The use of TLD-level HSTS allows such namespaces to be secure by default,” Google’s Ben McIlwain wrote on the Google Security Blog. Registrants receive guaranteed protection for themselves and their users simply by choosing a secure TLD for their website and configuring an SSL certificate, without having to add individual domains or subdomains to the HSTS preload list.”

Google already acts as a registry under Google Domains for many TLDs, including .google, .eat, .how, .meme, .soy and others.

HSTS is a fundamental security mechanism for communication that not only enforces HTTPS on all connections even if a user types in the HTTP address, but it also prevents cookie hijacking and downgrade attacks.

Attacks such as Logjam and Poodle enable advanced attackers to downgrade SSL connections to weaker states that are within reach of resourced adversaries. Logjam, for example, could downgrade connections to where they were using export-grade security such as 512 bits rather than 2048-bit encryption or better. Logjam put significant percentages of VPN and SSH servers at risk. An attacker could exploit this situation to read supposedly secure traffic on that connection.

Poodle is an older attack targeting SSLv3 implementations that allowed attackers to recover plaintext communication on the network. It was developed by researchers at Google and took advantage of a situation where when secure connections fail that servers would fall back to older protocols such as SSLv3. Attackers could leverage Poodle to trigger such a failure and then force a connection over SSLv3, which is simpler to attack.

In August 2016, Google added HSTS to the google.com domain, keeping visitors to the domain safe even if they were following HTTP links. The introduction of HSTS last year improved the security of traffic not only to the Google search engine, but also to other Google services that use the Google.com domain such as Google Alerts, Analytics and Maps.

Suggested articles