.app: secure by design

The last days of unencrypted HTTP

It’s accepted wisdom that every website should be served over a secure HTTPS (SSL) connection. HTTPS encrypts browser traffic, protecting your customers’ passwords, credit card numbers, and other personal information from eavesdroppers and hackers. In recent years, the price of SSL certificates has plummeted, and the advent of free “Let’s Encrypt” certificates means you no longer need to spend a fortune — or anything at all — to assure your site’s visitors that their data is safe.

All of this will come as no surprise to most Porkbun customers, who by virtue of registering their domains at the Bun find themselves in the vanguard of the push towards a totally-secure web. Porkbun was the first registrar to provide free SSL certificates to every customer on every domain without any renewal fee or upcharge.

Unencrypted HTTP isn’t just unfashionable, it’s about to go the way of the dodo. As of April 2018, over 70% of all website traffic is served over HTTPS, up almost 10% from a year ago. Google recently announced that starting in July of 2018, any site not served over HTTPS will be marked with a large grey “not secure” icon in Chrome’s URL bar, which hardly inspires consumer confidence.

 

[Figure: How insecure sites will appear in Chrome after July 2018. Source: Chromium Blog]

.app and HTTPS

With the release of Google Registry’s new .app domain extension, Google has taken their commitment to a secure web a step further by enforcing mandatory HTTPS across all .app domains. That means if you register a .app domain, you can still host a site over unencrypted HTTP — but no modern browser will load it.

How did Google achieve this feat? Well, it just so happens that Google maintains a special list known as the HSTS Preload List. Anyone can submit their site to the list, which tells every modern browser: “insecure HTTP is disabled for this domain.” What makes .app unique is that the entire .app zone has already been added to the HSTS Preload List, no exceptions allowed.

Thus, if you try to load a .app site over unencrypted HTTP, your browser will refuse, instead displaying an error message that can’t be bypassed. This protects all .app domains from a wide swath of so-called “man-in-the-middle” attacks wherein an eavesdropper intercepts traffic for nefarious purposes. It also improves site loading time as the browser won’t even try to connect to the unencrypted channel first, skipping directly to HTTPS.
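A simplified model of the browser-side lookup described above, as an added example that is not Porkbun's or any browser's code. The preload entries are constructed (only the whole-TLD `app` entry reflects this article), and the function names `findPreloadEntry` and `upgradeIfPreloaded` are hypothetical.

```javascript
// Simplified model of an HSTS preload lookup. Entries are constructed for
// illustration; only "app" (a whole-TLD entry) reflects the article.
const PRELOAD = new Map([
  ["app", { includeSubdomains: true }],
  ["login.example.com", { includeSubdomains: false }], // constructed host entry
]);

// Return the name of the preload entry covering `host`, or null.
// Walks from the full host name up to the TLD: a.b.app -> b.app -> app.
function findPreloadEntry(host, list = PRELOAD) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    const entry = list.get(candidate);
    if (!entry) continue;
    // An exact match always applies; a parent entry applies only when it
    // is flagged to include subdomains.
    if (i === 0 || entry.includeSubdomains) return candidate;
  }
  return null;
}

// Decide, before any network traffic, which URL the browser will request.
function upgradeIfPreloaded(rawUrl, list = PRELOAD) {
  const url = new URL(rawUrl);
  const matched =
    url.protocol === "http:" ? findPreloadEntry(url.hostname, list) : null;
  if (matched) url.protocol = "https:"; // no plaintext request is ever sent
  return { url: url.href, upgraded: matched !== null, matched };
}

// Constructed sample URLs: a .app host, a non-preloaded host, and a
// subdomain of an entry that does not include subdomains.
for (const u of [
  "http://shop.example.app/cart?x=1",
  "http://example.com/",
  "http://a.login.example.com/",
]) {
  console.log(u, "->", JSON.stringify(upgradeIfPreloaded(u)));
}
```

Because the match is on the `app` label itself, every current and future name under .app is covered without being listed individually, which is why a site owner cannot opt out.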

.app and Porkbun

.app’s HTTPS requirement can seem scary, but compliance is easy at Porkbun. If you’re hosting your .app site via our site builder or shared hosting package, HTTPS is automatic; you don’t have to do a thing! Want to host your site elsewhere? You can still use your free Let’s Encrypt certificate with a 3rd-party hosting company. For more info, check out our article How to use your free SSL certificate. Already purchased a traditional certificate? That works, too.

Still have questions about .app, Let’s Encrypt, or HSTS Preload? Email us at support@porkbun.com

Introducing the Porkbun Ambassador Program

Ambassadors are traditionally diplomatic posts given to high-rolling party donors rather than people with actual diplomacy and skill. You know, give a few million dollars, get a fancy car and apartment in an exotic foreign land. At Porkbun we’re both disgusted and enchanted by this behavior. I mean, cronyism is terrible unless you’re offering that car and apartment to me.

In launching a program for our most active customers to refer us to their friends, we wanted to steal a little from column A and a little from column B. We wanted to reward loyal behavior with cash, money, dollars, but we also wanted to be working with the smart people that use and appreciate our site and have obvious skills in domaining, building websites, design, and networking!

Introducing the Porkbun Ambassador Program! You can apply here – and yes we do read and research what you provide so don’t just mash your keyboard 😐 In fact, tell them that “Andrew sent me” to receive a quick goodie.

The premise is that we pay against most everything that your referred friend, second-cousin, or gullible acquaintance buys on the site. As you know, we have the lowest prices around so sometimes we can’t share as much. We do give you 100% of the markup on products where we charge zero markup though!

If you’re a domain-type or webmaster or web designer or someone sending lots of referrals, those pennies will add up. Others may not be cashing out to impersonate Rich Uncle Pennybags anytime soon but will still save some real amount on their own renewals.

There is a nice way to scale and make money on the program if you work with designers since .design allows for a $20 payout against free trial names. This is the most interesting part of the program given the popularity of .design at Porkbun and the high payout. Eligibility for this payout is judged separately from the rest of the Ambassador Program so if you intend to use it please mention it in your application and how/why you have good networking abilities with designer types.

So, in summary:

  • YES, we now have an affiliate program
  • YES, we share revenue on nearly every transaction where we make money
  • What the heck?! $20 commission for free .design domains? YES, that is a real thing and YES we are patrolling for fraud but hot damn if you are a design student, a professional designer, or random design fan that hangs with designers and has sway with them, you might just be able to get them to finally stop eating all your snacks and instead help out with the rent. Or at least buy more snacks.

Apply here!