How Google's .App Domain Makes Your Site More Secure

A rose by any other name might smell as sweet, but not all website names are the same. Google this week formally launched the .app domain name, which it says will make for memorable and—more importantly—very secure web addresses.

Google purchased the .app top-level domain in 2013, but didn't open up .app domain purchases until Tuesday. Since Google purchased the TLD, the company has been working to do more with .app than simply launch a new domain to compete with .com, org, .horse, and the like. To that end, it made all domains registered with .app HTTPS by default and utilized HSTS for best security practices.

You might have heard of HTTPS. It basically means your computer creates a secure and encrypted connection with the site you're connecting to. But you might not have heard of HSTS, which stands for HTTP strict transport security, and that's okay. This is the plumbing of the internet, but it has some major consequences for the web.

In most cases, sites have both an HTTP and an HTTPS site, in order to ensure that visitors can always connect. In a downgrade attack, a bad guy can force a victim's browser to the HTTP version of the site, and potentially get up to all kinds of mischief. HSTS forces the use of HTTPS because the server that holds your website tells browsers that they must use it.

Also, Google has added the entire .app top-level domain to the HSTS preload list, which is incorporated into every single browser. If you're reading this right now, your phone or computer has a copy of the list embedded in its browser. The preload list tells the browser, regardless of any other information it receives, to start the connection with sites on the list using HTTPS.

"For preloaded sites, even the first connection is HTTPS," Adrienne Porter Felt, the engineering manager for Google Chrome, said at Google I/O this week. Usually, a browser is told to create an HTTPS connection after it reaches out to the server. Not so for any sites on the preload list, which now include any site with a .app domain name.

"This is the first open TLD on the [preload] list," said Ben Mcilwain, the tech lead for Google Registry. An open top-level domain is one like .com or .org, which can be utilized by anyone for any purpose. There are other domains on the preload list, like .bank or .insurance, but those domains are restricted, and only issued to banks and insurance companies, as the name implies.

Adding the .app domain to the preload list makes it easier and faster for site managers to extend the benefits of HSTS to visitors. It also helps keep the preload list short, which is important because the entire list is checked every time the browser goes to a website. HSTS preloading, Mcllwain said, will also make sites faster because site managers will no longer have to redirect from an HTTP site to an HTTPS site.

In giving an example about the importance of HTTPS, Felt relayed a story about how her colleague was browsing a government website over a wireless hotspot. He was surprised to see a bunch of ads on the site, and discovered they were being injected by the hotspot. "There's a good amount of HTTP traffic that is injected or modified," she said. HTTPS prevents this kind of tampering.

HTTPS is even more important in current and future versions of Chrome. Currently, sites that have password fields but are HTTP are labeled not secure in Chrome. As of Chrome 68, launching in July 2018, all HTTP websites will be marked as not being secure.

Marketing and easy memorization is also a goal with the .app name. As Felt explained, the URL for a fictional foobar app would be something like foobarapp.com, but can now simply be foobar.app. The fact that URLs are all unique also means it's easier to find an app in the app store.

CallApp, Felt said, is an enormously popular app but it's difficult to find in Google Play because so many apps use "call" and "app" in their names. There is only one call.app, making it easier to cut through the look-alikes to find the real deal.

But still, the massive rollout of web security best practices to an entire domain name was clearly at the heart of Google's .app effort. "Privacy and security is on everyone's minds these days," said Mcilwain, who stressed that that neither privacy nor security is possible over an insecure connection.

All Google I/O attendees received a free .app domain from Google for attending the conference. If you're looking to get one yourself, you might want to hurry; hundreds of thousands of domains were claimed in the first few hours, Mcilwain said.

This article originally appeared on PCMag.com.