How Google’s .App Domain Makes Your Site More Secure

How Google's .App Domain Makes Your Site More Secure

How Google\'s .App Domain Makes Your Site More SecureGoogle this week formally launched the .app domain name, which it says will make for memorable and—more importantly—very secure web addresses.


Google purchased the .app top-level domain in 2013, but didn’t open up .app domain purchases until Tuesday. Since Google purchased the TLD, the company has been working to do more with .app than simply launch a new domain to compete with .com, org, .horse, and the like. To that end, it made all domains registered with .app HTTPS by default and utilized HSTS for best security practices.

You might have heard of HTTPS. It basically means your computer creates a secure and encrypted connection with the site you’re connecting to. But you might not have heard of HSTS, which stands for HTTP strict transport security, and that’s okay. This is the plumbing of the internet, but it has some major consequences for the web.

In most cases, sites have both an HTTP and an HTTPS site, in order to ensure that visitors can always connect. In a downgrade attack, a bad guy can force a victim’s browser to the HTTP version of the site, and potentially get up to all kinds of mischief. HSTS forces the use of HTTPS because the server that holds your website tells browsers that they must use it.

Also, Google has added the entire .app top-level domain to the HSTS preload list, which is incorporated into every single browser. If you’re reading this right now, your phone or computer has a copy of the list embedded in its browser. The preload list tells the browser, regardless of any other information it receives, to start the connection with sites on the list using HTTPS.

“For preloaded sites, even the first connection is HTTPS,” Adrienne Porter Felt, the engineering manager for Google Chrome, said at Google I/O this week. Usually, a browser is told to create an HTTPS connection after it reaches out to the server. Not so for any sites on the preload list, which now include any site with a .app domain name.

“This is the first open TLD on the [preload] list,” said Ben Mcilwain, the tech lead for Google Registry. An open top-level domain is one like .com or .org, which can be utilized by anyone for any purpose. There are other domains on the preload list, like .bank or .insurance, but those domains are restricted, and only issued to banks and insurance companies, as the name implies.

Adding the .app domain to the preload list makes it easier and faster for site managers to extend the benefits of HSTS to visitors. It also helps keep the preload list short, which is important because the entire list is checked every time the browser goes to a website. HSTS preloading, Mcllwain said, will also make sites faster because site managers will no longer have to redirect from an HTTP site to an HTTPS site.

Click here to read full article at

Instant IDE the stand-alone web development tool wordpress plugin
Iconic Domain Has a New Owner
Share with :