.app: secure by design

The last days of unencrypted HTTP

It’s accepted wisdom that every website should be served over a secure HTTPS (SSL) connection. HTTPS encrypts browser traffic, protecting your customer’s passwords, credit card numbers, and other personal information from eavesdroppers and hackers. In recent years, the price of SSL certificates has plummeted, and the advent of free “Let’s Encrypt” certificates means you no longer need to spend a fortune — or anything at all — to assure your site’s visitors that their data is safe.

All of this will come as no surprise to most Porkbun customers, who by virtue of registering their domains at the Bun find themselves in the vanguard of the push towards a totally-secure web. Porkbun was the first registrar to provide free SSL certificates to every customer on every domain without any renewal fee or upcharge.

Unencrypted HTTP isn’t just unfashionable, it’s about to go the way of the Dodo. As of April 2018, over 70% of all website traffic is now served over HTTPS, up almost 10% from a year ago. Google recently announced that starting in July of 2018, any site not served over HTTPS will be marked with a large grey “not secure” icon in Chrome’s URL bar — not exactly instilling of consumer confidence.

 

How insecure sites will appear in Chrome after July 2018. Source: Chromium Blog

 

.app and HTTPS

With the release of Google Registry’s new .app domain extension, Google has taken their commitment to a secure web a step further by enforcing mandatory HTTPS across all .app domains. That means if you register a .app domain, you can still host a site over unencrypted HTTP — but no modern browser will load it.

How did Google achieve this feat? Well, it just so happens that Google maintains a special list known as the HSTS Preload List. Anyone can submit their site to the list, which tells every modern browser: “insecure HTTP is disabled for this domain.” What makes .app unique is the entire .app zone has already been added to the HSTS Preload List, no exceptions allowed.

Thus, if you try to load a .app site over unencrypted HTTP, your browser will refuse, instead displaying an error message that can’t be bypassed. This protects all .app domains from a wide swath of so-called “man-in-the-middle” attacks wherein an eavesdropper intercepts traffic for nefarious purposes. It also improves site loading time as the browser won’t even try to connect to the unencrypted channel first, skipping directly to HTTPS.

.app and Porkbun

.App’s HTTPS requirement can seem scary, but compliance is easy at Porkbun. If you’re hosting your .app site via our site builder or shared hosting package, HTTPS is automatic; you don’t have to do a thing! Want to host your site elsewhere? You can still use your free Let’s Encrypt certificate with a 3rd-party hosting company. For more info, check out our article How to use your free SSL certificate. Already purchased a traditional certificate? That works, too.

Still have questions about .app, Let’s Encrypt, or HSTS Preload? Email us at support@porkbun.com

Leave a Reply