Google recently increased the security of its domains by adding HTTP Strict Transport Security (HSTS), which automatically redirects visitors using the less secure HTTP connection to the more secure HTTPS version.
What is HSTS?
HSTS, which stands for HTTP Strict Transport Security, is a simple and widely supported web security policy mechanism that helps protect visitors against attackers. Having a domain with HSTS enabled provides significant security benefits to you and your visitors, especially those visitors using hostile networks.
The introduction of HSTS was intended to secure traffic to not only the Google search engine, but also other Google services that use the Google.com domain, including Google Maps, Google Analytics, and Google Alerts, as well as other Google domains such as the YouTube service.
By redirecting all Google.com links from HTTP to HTTPS, the search engine seeks to protect against the common challenges of insecure web connections that include session hijacking, protocol downgrade attacks, and man-in-the-middle attacks.
How HSTS works
Users typically navigate to HTTP URLs by either manually typing the HTTP URL (sometimes without the protocol) in the address bar, or by following HTTP links from other websites. The HSTS mechanism ensures that the browser uses the HTTPS connection if it is available. But if the site does not have the HTTPS version, the user is still directed to the less secure HTTP version.
With HSTS, the server instructs the browser to request the encrypted version of the website. In other words, HSTS alerts the browser to a more secure version of the website. Without it, the user cannot be notified when a site that should be loaded securely (such as an e-commerce store) is instead loaded through a normal connection (the unencrypted version sent by an attacker).
Increased Support for HSTS Implementation
Google has been advocating for the switch to HTTPS-encrypted communications since 2014 following the launch of its HTTPS Everywhere initiative. Players in the security industry have also been advocating for more websites to implement HSTS to take advantage of the improved security for their clients.
Some Google domains and many other non-Google sites argue that enabling HSTS support is not a simple task because of the issues facing websites that contain redirects to HTTP, mixed content, and HREF5. Nonetheless, users can ensure safety on their side by using browsers that support HSTS, including Chrome, Firefox, Safari, IE 11, and Edge.
Not Provided Count Hits Over 96% Since Google’s HSTS Switch https://t.co/RANlpJjOgW
— Charles Edgar (@CharlesEdgar6) November 7, 2016