Google, known for its security practices, has finally brought HTTP Strict Transport Security (HSTS) to google.com to strengthen its data encryption. HSTS helps protect against eavesdroppers, man-in-the-middle attacks, and hijackers who attempt to spoof a trusted website. Chrome, Safari, and Internet Explorer all support HSTS.
“HSTS prevents people from accidentally navigating to HTTP URLs by automatically converting insecure HTTP URLs into secure HTTPS URLs,” said Jay Brown, a senior technical program manager for security at Google, in a blog post. “Users might navigate to these HTTP URLs by manually typing a protocol-less or HTTP URL in the address bar, or by following HTTP links from other websites.”
Typically, implementing HSTS is a fairly simple process, Brown said. But, due to Google’s complex algorithms, the company had to address mixed content, bad HREFs, redirects to HTTP, and other issues like updating legacy services which could cause problems for users as they try to access the core domain.
Brown also noted that the team accidentally broke Google’s Santa Tracker just before Christmas last year during testing.
According to Google, about 80% of requests to its servers today use encrypted connections. The use of HSTS goes a step further by preventing users from mistakenly visiting unsafe URLs.
Certain domains, including Paypal and Twitter, will be automatically configured with HSTS to keep users safe, according to Google’s HSTS Preload List.
Google is now focused on increasing the “max-age,” or the duration that the header is active. The max-age is currently set to one day to help mitigate the risk of any potential problems with the rollout. “By increasing the max-age, however, we reduce the likelihood that an initial request to www.google.com happens over HTTP,” Brown said. “Over the next few months, we will ramp up the max-age of the header to at least one year.”
Increasing encryption
Google is currently working to implement HTTPS across all of its products. In March 2014, the company announced the use of HTTPS-only for Gmail.
Increasing encryption and security around its core products will be key for Google to remain in good standing with enterprise and consumer customers as concerns over cybersecurity ramp up across verticals.
Encryption remains at the forefront of many cybersecurity discussions, especially after last year’s terrorist attack in San Bernardino, CA, and the FBI’s dispute with Apple over access to the shooter’s iPhone.
In March, Google joined Facebook, Microsoft, and others who filed in support of Apple in its refusal of a court order forcing it to unlock the shooter’s iPhone for authorities.
The Federal Bureau of Investigations is holding ongoing talks with technology companies about a range of privacy and encryption issues, according to FBI director James Comey. The agency is also collecting statistics on the effect of encryption on its investigations.
“Encrypting data in transit helps keep our users and their data secure,” Brown said. “We’re excited to be implementing HSTS and will continue to extend it to more domains and Google products in the coming months.”