Google to Enforce HSTS on TLDs it Operates

Author: Michael Mimoso
minute read

Google, through Google Domains, operates many TLDs, and this week said it would begin enforcing HSTS on those TLDs. HSTS forces secure client connections over HTTPS.

Google said this week it would enforce HSTS on 45 Top Level Domains it operates.

HSTS, or HTTP Strict Transport Security, forces HTTPS on client connections to webservers and is a key part of the strategy to encrypt the web.

Google is the registry for many new TLDs and said that it will start rolling out HSTS on more of them starting with .foo and .dev.

“The use of TLD-level HSTS allows such namespaces to be secure by default,” Google’s Ben McIlwain wrote on the Google Security Blog. Registrants receive guaranteed protection for themselves and their users simply by choosing a secure TLD for their website and configuring an SSL certificate, without having to add individual domains or subdomains to the HSTS preload list.”

Google already acts as a registry under Google Domains for many TLDs, including .google, .eat, .how, .meme, .soy and others.

HSTS is a fundamental security mechanism for communication that not only enforces HTTPS on all connections even if a user types in the HTTP address, but it also prevents cookie hijacking and downgrade attacks.

Attacks such as Logjam and Poodle enable advanced attackers to downgrade SSL connections to weaker states that are within reach of resourced adversaries. Logjam, for example, could downgrade connections to where they were using export-grade security such as 512 bits rather than 2048-bit encryption or better. Logjam put significant percentages of VPN and SSH servers at risk. An attacker could exploit this situation to read supposedly secure traffic on that connection.

Poodle is an older attack targeting SSLv3 implementations that allowed attackers to recover plaintext communication on the network. It was developed by researchers at Google and took advantage of a situation where when secure connections fail that servers would fall back to older protocols such as SSLv3. Attackers could leverage Poodle to trigger such a failure and then force a connection over SSLv3, which is simpler to attack.

In August 2016, Google added HSTS to the google.com domain, keeping visitors to the domain safe even if they were following HTTP links. The introduction of HSTS last year improved the security of traffic not only to the Google search engine, but also to other Google services that use the Google.com domain such as Google Alerts, Analytics and Maps.

Suggested articles

Cybersecurity for your growing business
Cybersecurity for your growing business

Topics

Show all

Authors

Threatpost

InfoSec Insider

Infosec Insider Post

Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Content

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.