On Friday, Google announced they were bringing HTTP Strict Transport Security (HSTS) to www.google.com. With the shiny new Google HSTS will come heightened security.
But the funny thing is we implemented HSTS on our site weeks ago. That’s right, before Google.
Here’s the master list of sites that preload with HSTS. As you can see, we’re on there:
Yup, we were ahead of the game on that one, Google.
What Google HSTS Offers You
In case you didn’t know, HSTS makes safer browsing possible. A site sends a Strict-Transport-Security response header over HTTPS, and for the period that header specifies the browser refuses to talk to that host over plain HTTP: any http:// URL for the host is rewritten to https:// inside the browser before a single byte is sent, and certificate errors for the host can no longer be clicked through. Your site is then only ever reached over the far safer HTTPS.
Before HSTS, a user who typed the bare hostname (browsers default to http://) or followed an http:// link made a plaintext request first and relied on the server to redirect to HTTPS. An attacker on the network path could intercept that first request and keep the victim on HTTP (SSL stripping), reading or altering everything that followed.
HSTS closes that window for every visit after the browser has seen the header once; getting onto the preload list closes it for the very first visit as well.
With Google moving to HSTS (better late than never), it is bringing enforced encryption to an enormous user base.
Google’s Work Isn’t Done
One of the things Google made clear in its blog post was that there is still work to be done before www.google.com is completely migrated to HSTS. Because its “particular complexities” are so many and varied, a lot of prep work was needed. This could explain why it took Google so long to get on board.
Additionally, they’ve got some extra work ahead of them. An HSTS header must carry a “max-age” directive: the number of seconds the browser should keep enforcing HTTPS for the host. There is no upper limit on the value, but 31536000 seconds (one year) is the usual recommendation and the minimum the preload list currently accepts. The browser restarts its timer every time it sees the header, so a site that keeps serving it stays protected, while a site that stops serving it is forgotten once the timer runs out. Even a long max-age cannot protect a user’s very first visit, and that is where the preload list comes into effect: a host on the list is built into the browser as HTTPS-only, so no plaintext request is ever made.
Google is starting with a max-age of just one day, which it says “helps mitigate the risk of any potential problems with this roll-out.” The plan is to raise it to a year, and with time we’re sure they’ll get there.
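To make the browser side of all this concrete (the header described under “What Google HSTS Offers You” and the max-age and preload behaviour just above), here is a small model of how a browser applies HSTS. It is an added example written for this post, not code from Google or from the browser vendors: it parses a Strict-Transport-Security value, caches the policy for max-age seconds, rewrites http:// navigations to https:// while the policy is valid, and consults a stand-in preload list. The `PRELOADED` set and the `HstsStore` class are assumptions made for the example; the real preload list is compiled into the browser.

```python
"""Toy model of the browser side of HSTS (RFC 6797): parse the
Strict-Transport-Security header, cache the policy for max-age seconds,
upgrade http:// navigations to https:// while the policy is valid, and
consult a preload list for hosts protected even on the first visit.
Added example for this post; PRELOADED is a constructed stand-in."""
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the preload list compiled into browsers.
# Preloaded entries always cover subdomains (the list requires includeSubDomains).
PRELOADED = {"example.com"}


def parse_hsts(header):
    """Parse a header value into (max_age, include_subdomains, preload).

    Returns None when the mandatory max-age directive is missing or malformed,
    in which case a browser ignores the header entirely."""
    max_age = None
    include_subdomains = False
    preload = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return max_age, include_subdomains, preload


class HstsStore:
    """Per-browser cache of known HSTS hosts, keyed by hostname (assumed shape)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be exercised
        self._policies = {}      # hostname -> (expires_at, include_subdomains)

    def observe_response(self, url, headers):
        """Record the policy carried by a response; True if one was stored or cleared.

        The header is only honoured on an HTTPS response (RFC 6797 section 8.1):
        over plain HTTP an on-path attacker could forge it, so it is ignored."""
        parts = urlsplit(url)
        value = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or value is None:
            return False
        parsed = parse_hsts(value)
        if parsed is None:
            return False
        max_age, include_subdomains, _ = parsed
        if max_age == 0:         # max-age=0 tells the browser to forget the host
            self._policies.pop(parts.hostname, None)
        else:
            self._policies[parts.hostname] = (self._now() + max_age, include_subdomains)
        return True

    def is_known_host(self, hostname):
        """True if the host, or a parent that set includeSubDomains, has an
        unexpired policy or is preloaded."""
        labels = hostname.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in PRELOADED:
                return True
            entry = self._policies.get(candidate)
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if expires_at <= self._now():
                continue         # policy lapsed: the site must send the header again
            if i == 0 or include_subdomains:
                return True
        return False

    def navigate(self, url):
        """Return the URL the browser actually requests for a typed or clicked URL."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known_host(parts.hostname):
            return url           # no policy yet: the request goes out in the clear
        # Upgrade inside the browser before any bytes leave the machine; an explicit
        # port 80 becomes 443, any other explicit port is kept (RFC 6797 section 8.3).
        port = 443 if parts.port == 80 else parts.port
        netloc = parts.hostname + (f":{port}" if port else "")
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

Run through it with a one-day policy like Google’s and you can watch the gap the preload list exists to close: an http:// navigation to a host the store has never seen leaves the machine in plaintext, a second one after an HTTPS response carrying the header is upgraded locally, and once the clock passes max-age without the header being seen again the host falls back to the unprotected state. A host in `PRELOADED` is upgraded from the very first request.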
Want to be ahead of the game? Contact us and let us bring security and profitability to you!