Google rolls out HTTP Strict Transport Security for data encryption across its domain

[rahul1117kumar]

Google is strengthening encryption for data by rolling out the HTTP Strict Transport Security (HSTS) across its domain.

So now on Google , non-secure HTTP URLs will automatically get converted to secure HTTPS URLs. In short, HTTP Strict Transport Security (HSTS) prevents people from accidentally navigating to HTTP URLs. Users might navigate to these HTTP URLs by manually typing a protocol-less or HTTP URL in the address bar, or by following HTTP links from other websites, says Google.

The search giant adds that implementing HSTS is a relatively basic process, but for them it required some extra preparation work that most other domains wouldn’t have needed to do.
For example, we had to address mixed content, bad HREFs, redirects to HTTP, and other issues like updating legacy services which could cause problems for users as they try to access our core domain.

Google will be implementing HSTS and will continue to extend it to more domains and other Google products in the coming months.

Google rolls out HTTP Strict Transport Security (HSTS) for data encryption across its domain

 

[Bapun]

The security of the Web is of the utmost importance to Google. One of the most powerful tools in the Web security toolbox is ensuring that connections to websites are encrypted using HTTPS, which prevents Web traffic from being intercepted, altered, or misdirected in transit. We have taken many actions to make the use of HTTPS more widespread, both within Google and on the larger Internet.

We began in 2010 by defaulting to HTTPS for Gmail and starting the transition to encrypted search by default. In 2014, we started encouraging other websites to use HTTPS by giving secure sites a ranking boost in Google Search. In 2016, we became a platinum sponsor of Let’s Encrypt, a service that provides simple and free SSL certificates. Earlier this year we announced that Chrome will start displaying warnings on insecure sites, and we recently introduced fully managed SSL certificates in App Engine. And today we’re proud to announce that we are beginning to use another tool in our toolbox, the HTTPS Strict Transport Security (HSTS) preload list, in a new and more impactful way.

The HSTS preload list is built in to all major browsers (Chrome, Firefox, Safari, Internet Explorer/Edge, and Opera). It consists of a list of hostnames for which browsers automatically enforce HTTPS-secured connections. For example, gmail.com is on the list, which means that the aforementioned browsers will never make insecure connections to Gmail; if the user types Gmail, the browser first changes it to Gmail before sending the request. This provides greater security because the browser never loads an http-to-https redirect page, which could be intercepted.

The HSTS preload list can contain individual domains or subdomains and even top-level domains (TLDs), which are added through the HSTS website. The TLD is the last part of the domain name, e.g., .com, .net, or .org. Google operates 45 TLDs, including .google, .how, and .soy. In 2015 we created the first secure TLD when we added .google to the HSTS preload list, and we are now rolling out HSTS for a larger number of our TLDs, starting with .foo and .dev.

Google Online Security Blog: Broadening HSTS to secure more of the Web