03.11.2017

Safety first: Google protects top-level domains with HSTS

Google continues to push for more security on the Internet, relying on HSTS.


When visiting Google.com, browsers now automatically access the HTTPS version, thanks to HSTS (HTTP Strict Transport Security). In the Chromium blog, the search engine giant has now announced plans to equip a larger number of its own top-level domains with the HSTS protection mechanism. After .GOOGLE, .DEV and .FOO are next in line. However, HSTS is not an exclusive privilege for Google domains: external domains can also be added to the browsers' preload list free of charge.

Google's commitment to higher security on the Web

In 2010, Google's security offensive kicked off by switching Google Mail to HTTPS by default. In 2014, further emphasis was placed on SSL encryption: web pages with a correctly integrated SSL certificate were rewarded with an advantage in the search ranking. Two years later, Google started supporting the Let's Encrypt initiative, which provides free SSL certificates. Since January 2017, version 56 of Google's Chrome browser has issued a warning when users are prompted for passwords or credit card information on HTTP pages. In the future, starting with Chrome version 62, Google plans to warn of any unencrypted page as soon as any kind of data is requested from the user, even outside incognito mode. Google's commitment has already made an impact: in 2016, "HTTPS" reached second place among all technical ranking factors, making it more important than factors such as page load time or the heading tags (H1 and H2). This was the result of an evaluation by Searchmetrics. In addition, more than 50% of web traffic is already encrypted, and the trend is still growing.

How HSTS works

The HSTS preload list is built into all common browsers. To use HSTS, the server must deliver a corresponding HSTS header (Strict-Transport-Security). When the website is subsequently requested, the browser consults the preload list and checks it for the typed domain. If there is a matching entry, the browser automatically accesses the SSL-encrypted variant through port 443 without first sending an HTTP request. A redirect from HTTP to HTTPS is therefore no longer needed.

The advantages of SSL and HSTS

SSL encryption not only makes a corporate website more secure, it also fundamentally strengthens customers' trust in the page they are looking for. Because the data transmitted by the customer are encrypted, the visible indicators of SSL encryption are regarded as a seal of quality. This positive perception of SSL encryption in turn has a positive effect on the average session length: the bounce rate drops, SEO visibility increases and the page ranks better in search results. A clear win-win situation. An entry in the HSTS preload list comes with one benefit in particular: as there is no need for a redirect from HTTP to HTTPS, the web traffic is protected from a man-in-the-middle attack during the redirect. Such redirects can be manipulated by tools such as sslstrip, which prevent the transfer to the HTTPS version.
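To make the mechanism described in "How HSTS works" and the redirect argument above concrete, here is an added example (not code from the original article or from Google) that models the two HSTS sources a browser consults: the preload list shipped with the browser and policies learned from the Strict-Transport-Security header. It parses the header, checks a policy against the preload submission requirements, and decides whether a typed http:// URL is upgraded to https:// before any request leaves the browser. The hostnames, the preload list contents and the minimum max-age constant are constructed assumptions for this illustration.

```python
"""Toy model of HSTS as a browser applies it (added example, not the article's code)."""
from dataclasses import dataclass
from typing import Optional

# Assumption: the minimum max-age the preload submission form demands.
# hstspreload.org currently requires one year (31536000 s); adjust if it changes.
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts_header(value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value (RFC 6797 syntax).

    Returns None for a malformed header or one without max-age; a browser
    ignores such a header, so no policy is learned from it.
    """
    max_age = None
    include_subdomains = False
    preload = False
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        arg = arg.strip().strip('"')
        if name in seen:                     # RFC 6797: no directive may repeat
            return None
        seen.add(name)
        if name == "max-age":
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored, as the RFC requires
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def preload_eligible(policy: Optional[HstsPolicy]) -> list:
    """Return the unmet preload requirements; an empty list means eligible."""
    if policy is None:
        return ["no valid Strict-Transport-Security header"]
    problems = []
    if policy.max_age < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {policy.max_age} below {PRELOAD_MIN_MAX_AGE}")
    if not policy.include_subdomains:
        problems.append("includeSubDomains missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems


def _covered(host: str, table_host: str, include_subdomains: bool) -> bool:
    return host == table_host or (include_subdomains and host.endswith("." + table_host))


def _upgrade(rest: str) -> str:
    """http://authority/path -> https://authority/path, dropping an explicit :80."""
    authority, sep, path = rest.partition("/")
    if authority.endswith(":80"):
        authority = authority[:-3]
    return "https://" + authority + sep + path


class HstsBrowser:
    """Minimal browser model: a built-in preload list plus policies learned from headers."""

    def __init__(self, preload_list: dict):
        self.preloaded = dict(preload_list)   # host -> includeSubDomains flag
        self.learned = {}                     # host -> (policy, expiry timestamp)

    def observe_header(self, host: str, header_value: str, now: int) -> None:
        policy = parse_hsts_header(header_value)
        if policy is None:
            return
        if policy.max_age == 0:               # max-age=0 removes a learned policy
            self.learned.pop(host, None)
            return
        self.learned[host] = (policy, now + policy.max_age)

    def navigate(self, url: str, now: int) -> str:
        """Return the URL the browser actually fetches for a typed URL."""
        scheme, _, rest = url.partition("://")
        if scheme != "http":
            return url
        host = rest.split("/", 1)[0].split(":", 1)[0].lower()
        if any(_covered(host, h, subs) for h, subs in self.preloaded.items()):
            return _upgrade(rest)             # preloaded: no HTTP request ever sent
        for table_host, (policy, expiry) in self.learned.items():
            if expiry > now and _covered(host, table_host, policy.include_subdomains):
                return _upgrade(rest)
        return url   # first visit, nothing known: the plain HTTP request goes out


if __name__ == "__main__":
    browser = HstsBrowser({"example.test": True})   # constructed preload list
    print(browser.navigate("http://www.example.test/login", now=0))
    print(preload_eligible(parse_hsts_header("max-age=300")))
```

The last `return url` is the moment the article's sslstrip remark refers to: a domain that is neither preloaded nor previously visited still sends its first request over plain HTTP, and only a preload entry closes that window for first-time visitors.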

Conclusion:

An entry in the HSTS preload list is definitely recommended. You do not have to be in possession of a Google TLD: externally hosted domains can also be entered in the preload list free of charge. The only downside: it may take several months from the entry in the preload list until it ships in a browser update.

