Google Brings HSTS Protection to Google.com
Google has long been appreciated for its security practices. Now, in another notable addition to them, Google is bringing HTTP Strict Transport Security (HSTS) to google.com. This is a major step for internet security, especially since it comes at a time when HTTPS and HTTPS encryption are given much importance.
Jay Brown, Sr. Technical Program Manager, Security at Google, writes about this in the Google Security Blog: “For many years, we’ve worked to increase the use of encryption between our users and Google. Today, the vast majority of these connections are encrypted, and our work continues on this effort…To further protect users, we’ve taken another step to strengthen how we use encryption for data in transit by implementing HTTP Strict Transport Security—HSTS for short—on the www.google.com domain.” He also explains how HSTS works: “HSTS prevents people from accidentally navigating to HTTP URLs by automatically converting insecure HTTP URLs into secure HTTPS URLs. Users might navigate to these HTTP URLs by manually typing a protocol-less or HTTP URL in the address bar, or by following HTTP links from other websites”.
This is indeed a major step for Google in strengthening its data encryption, because HSTS helps protect against eavesdroppers, man-in-the-middle attacks, and hijackers who try to spoof a trusted website.
In his blog post, Jay Brown also discusses the implementation process: “Ordinarily, implementing HSTS is a relatively basic process. However, due to Google’s particular complexities, we needed to do some extra prep work that most other domains wouldn’t have needed to do. For example, we had to address mixed content, bad HREFs, redirects to HTTP, and other issues like updating legacy services which could cause problems for users as they try to access our core domain.”
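The issues named in that quote (mixed content, bad HREFs, redirects to HTTP) are the kind of thing a site can audit for before turning HSTS on. The following is an added example, not code from Google or from the blog post; the class and function names, the reading of "bad HREFs" as links to the site's own host over http://, and the example.test hosts are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs the browser fetches itself: mixed content when they resolve to http://.
SUBRESOURCE_ATTRS = {("script", "src"), ("img", "src"), ("iframe", "src"), ("link", "href")}
# Pairs that only navigate: the "bad HREFs" case when they point at our own host over http://.
NAVIGATION_ATTRS = {("a", "href"), ("form", "action")}


class HstsReadinessAudit(HTMLParser):
    """Collects http:// references in a page served from base_url (assumed HTTPS)."""

    def __init__(self, base_url, own_hosts):
        super().__init__()
        self.base_url, self.own_hosts = base_url, set(own_hosts)
        self.mixed_content, self.bad_hrefs = [], []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            # Resolve relative and protocol-relative references against the page URL.
            url = urlsplit(urljoin(self.base_url, (value or "").strip()))
            if url.scheme != "http":
                continue
            if (tag, name) in SUBRESOURCE_ATTRS:
                self.mixed_content.append(url.geturl())
            elif (tag, name) in NAVIGATION_ATTRS and url.hostname in self.own_hosts:
                self.bad_hrefs.append(url.geturl())


def audit_page(html, base_url, own_hosts):
    audit = HstsReadinessAudit(base_url, own_hosts)
    audit.feed(html)
    return audit.mixed_content, audit.bad_hrefs


def http_downgrades(redirects):
    """redirects: (request_url, Location header) pairs; returns HTTPS-to-HTTP hops."""
    hops = [(src, urljoin(src, loc)) for src, loc in redirects]
    return [(s, d) for s, d in hops if urlsplit(s).scheme == "https" and urlsplit(d).scheme == "http"]


# Constructed sample input; example.test and other.invalid are placeholder hosts.
SAMPLE_HTML = """<script src="http://static.example.test/app.js"></script>
<link rel="stylesheet" href="/css/site.css"><img src="//cdn.example.test/logo.png">
<a href="http://www.example.test/legacy/help">Help</a>
<a href="http://other.invalid/page">External</a>
<form action="HTTP://www.example.test/search"></form>"""
SAMPLE_REDIRECTS = [("https://www.example.test/old", "http://www.example.test/new"),
                    ("https://www.example.test/a", "/b")]
```

The protocol-relative image and the relative stylesheet inherit HTTPS from the page and are not reported; the upper-case `HTTP://` form action is normalised and reported.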
Over the last few years, Google has brought HTTPS support to almost all of its products. These include HTTPS for search, HTTPS for Gmail and HTTPS for Google Drive. Google also recently brought HTTPS to all Blogspot domains, and it even uses HTTPS support as a ranking signal in its search results. Promoting HTTPS is just one of the security practices that Google has been adopting.
Bringing HSTS to google.com is also a measure to promote HTTPS and HTTPS encryption, both of which are vital to internet security. HTTPS encryption is all about protecting data in transit, which keeps users and their data secure.
Thus, implementing HSTS is a very notable move on Google’s part, not just for HTTPS and HTTPS encryption, but for security in general.