Google announced that they want the internet more secure and because of that they have added another tool in their toolbox, the HTTPS Strict Transport Security (HSTS) preload list.
The HSTS preload list is built in to all major browsers (Chrome, Firefox, Safari, Internet Explorer/Edge, and Opera). It consists of a list of hostnames for which browsers automatically enforce HTTPS-secured connections.
For example, gmail.com is on the list, which means that the aforementioned browsers will never make insecure connections to Gmail; if the user types http://gmail.com, the browser first changes it to https://gmail.com before sending the request.
This provides greater security because the browser never loads an http-to-https redirect page, which could be intercepted. The HSTS preload list can contain individual domains or subdomains and even top-level domains (TLDs), which are added through the HSTS website. The TLD is the last part of the domain name, e.g., .com, .net, or .org. Google operates 45 TLDs, including .google, .how, and .soy.
In 2015 Google created the first secure TLD when they added .google to the HSTS preload list, and they are now rolling out HSTS for a larger number of our TLDs, starting with .foo and .dev. The use of TLD-level HSTS allows such namespaces to be secure by default. Registrants receive guaranteed protection for themselves and their users simply by choosing a secure TLD for their website and configuring an SSL certificate, without having to add individual domains or subdomains to the HSTS preload list. Moreover, since it typically takes months between adding a domain name to the list and browser upgrades reaching a majority of users, using an already-secured TLD provides immediate protection rather than eventual protection. Adding an entire TLD to the HSTS preload list is also more efficient, as it secures all domains under that TLD without the overhead of having to include all those domains individually. Google hopes to make some of these secure TLDs available for registration soon, and would like to see TLD-wide HSTS become the security standard for new TLDs.
Google has taken many actions to make the use of HTTPS more widespread, both within Google and on the larger Internet.
Google began in 2010 by defaulting to HTTPS for Gmail and starting the transition to encrypted search by default. In 2014, they started encouraging other websites to use HTTPS by giving secure sites a ranking boost in Google Search. In 2016, thhry became a platinum sponsor of Let’s Encrypt, a service that provides simple and free SSL certificates. Earlier this year Google announced that Chrome will start displaying warnings on insecure sites, and thry recently introduced fully managed SSL certificates in App Engine.
One of the most powerful tools in the Web security toolbox is ensuring that connections to websites are encrypted using HTTPS, which prevents Web traffic from being intercepted, altered, or misdirected in transit.