Earlier this year Google added a new segment to its Transparency Report on HTTPS connections, covering many of its services such as Gmail, Maps, Drive, Finance, News, AdSense and YouTube. Google is now implementing HTTP Strict Transport Security (HSTS) for all of its secured services, in an effort to further secure the use of Google and protect its users. With HSTS in place, visitors following HTTP links to google.com will be automatically taken to the secure HTTPS version of the Google domain.
Jay Brown, Sr. Technical Program Manager, Security, said:
“We’ve taken another step to strengthen how we use encryption for data in transit by implementing HTTP Strict Transport Security — HSTS for short — on the www.google.com domain. HSTS prevents people from accidentally navigating to HTTP URLs by automatically converting insecure HTTP URLs into secure HTTPS URLs. Users might navigate to these HTTP URLs by manually typing a protocol-less or HTTP URL in the address bar, or by following HTTP links from other websites.”
The introduction of HSTS affects traffic not only to Google Search but also to other Google services that use the google.com domain, such as Google Alerts, Analytics and Maps.
As Jeremy Gillula, senior staff technologist at the Electronic Frontier Foundation, has explained:
“Without HSTS, browsers have no way of knowing that a website should be delivered securely, and so cannot alert you when a website that ought to be loaded securely (e.g. your bank’s website) is instead loaded via a normal connection (i.e. the unencrypted version the attacker sends to you instead).”
HSTS is becoming the most effective online security measure against man-in-the-middle attacks such as protocol downgrade attacks (where an attacker switches the connection from encrypted HTTPS to unencrypted HTTP) and cookie hijacking (where an attacker steals a session cookie containing sensitive information over an unsecured connection). HSTS forces web browsers to connect to a site only over the secure HTTPS connection; it removes the option to connect over HTTP, so users cannot reach an HSTS-enabled site over plain HTTP.
In his post on the Google Security Blog, Jay Brown also discusses the implementation process:
“Ordinarily, implementing HSTS is a relatively basic process. However, due to Google’s particular complexities, we needed to do some extra prep work that most other domains wouldn’t have needed to do. For example, we had to address mixed content, bad HREFs, redirects to HTTP, and other issues like updating legacy services which could cause problems for users as they try to access our core domain.”
Bringing HSTS to google.com is also a measure to promote HTTPS and the encryption it provides, which are vital to internet security: HTTPS protects data in transit, keeping users and their data secure. Implementing HSTS is therefore a notable move on Google's part, not just for HTTPS adoption but for security in general.
How does HSTS protection work?
When a browser visits a site that has HSTS enabled, the site's HSTS policy tells the browser that the site must not be loaded over HTTP, and the browser remembers this: later requests for HTTP URLs on that site are automatically rewritten to HTTPS before they are sent.
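The behaviour described above, as an added example that is not part of the original article or of Google's implementation: a small Python model of a browser's HSTS policy cache following the header rules of RFC 6797 (`parse_hsts_header`, `HstsStore` and the sample URLs are this example's own names and constructed inputs). It shows why the policy is only accepted over HTTPS, how `includeSubDomains` and `max-age` expiry behave, and how an `http://` URL is upgraded before any request leaves the client.

```python
import time
from urllib.parse import urlsplit, urlunsplit

def parse_hsts_header(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains), or None if invalid."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                return None      # RFC 6797: max-age is required and must be a non-negative integer
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HstsStore:
    def __init__(self, clock=time.time):
        self.clock = clock       # injectable clock so expiry can be tested deterministically
        self.policies = {}       # host -> (expiry timestamp, include_subdomains)
    def process_response(self, url, headers):
        """Record the policy carried by a response; returns True if one was stored or cleared."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False         # a header seen over plain HTTP is ignored: it could come from an attacker
        hdrs = {k.lower(): v for k, v in headers.items()}
        parsed = parse_hsts_header(hdrs.get("strict-transport-security", ""))
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:
            self.policies.pop(parts.hostname, None)   # max-age=0 tells the browser to forget the host
        else:
            self.policies[parts.hostname] = (self.clock() + max_age, include_sub)
        return True
    def is_known_host(self, host):
        """True if host, or a superdomain whose policy has includeSubDomains, has an unexpired policy."""
        labels = host.split(".") if host else []
        for i in range(len(labels)):
            entry = self.policies.get(".".join(labels[i:]))
            if entry and entry[0] > self.clock() and (i == 0 or entry[1]):
                return True
        return False
    def rewrite(self, url):
        """Upgrade an http:// URL to https:// before any request leaves the client (explicit ports not handled)."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known_host(parts.hostname):
            return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        return url
```

A real browser additionally ships a preload list so that the very first visit to a host like google.com is already covered; this model only learns a policy from a response it has seen.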