New .app Domain Is HTTPS Only

Google says its .app top level domain is the first publicly available domain where HTTPS is mandatory.

The search giant paid $25 million for the rights to control the domain in a 2015 auction. It offered it through an early access program that started last week and had a price premium that reduced every day. It’s now made it generally available to third-part registrars.

The domain itself has some obvious uses, with Google suggesting “showcase a unique and trustworthy destination, as a relevant download link, for deep linking, or for sharing screenshots, release notes, and reviews.” (That’s contrary to some reports that suggested it was designed solely for hosting web-based apps.)

What’s more noteworthy is the security element. All .app domains will automatically be part of Google’s HTTPS Strict Transport Security preload list, something that’s previously worked only on a domain by domain basis with inclusion at the request of site owners.

The list is supplied to all major browser developers. Whenever a user points the browser at a domain on the list, it automatically connects to an HTTPS page, regardless of what the user actually typed in. Google notes that’s more secure than using a redirection, which could be open to interception.