Ben is the lead engineer of Google Registry, which runs all top-level domains (TLDs) that Google owns, including .app and .google.
Adrienne Porter Felt is an engineering manager on the Google Chrome team. She leads the Chrome metrics and personalization teams, which includes the Chrome usable security team. Previously, Dr. Felt was a Senior Staff Software Engineer on the Chrome security team, where she was known for her work on HTTPS adoption and warnings. Recent awards include the SOUPS Impact Award, the O'Reilly Defender Award, and inclusion in the MIT Tech Review Innovators Under 35.
About the talk
.app, the web's first secure-only open top-level domain (TLD) for mobile apps and developers, is launching on May 8. This in-depth technical talk covers use cases for .app domain names, HTTP Strict Transport Security (HSTS), best practices for secure website development, and the unique security benefits of .app domains thanks to TLD-wide HSTS.
Good afternoon, everyone. Thanks for joining us out here today. We're going to be introducing .app domain names and how to secure them. I'm Ben McIlwain. I am the lead engineer of Google Registry and the co-product manager of the .app launch, and we're going to be explaining a little bit later what Google Registry is exactly.

I'm Adrienne Porter Felt, engineering manager and a longtime engineer on the Google Chrome team. About a year ago, I think, we started working on launching this secure top-level domain. Domain names that are memorable, short and meaningful are easier for your brain. We also like them in terms of usability: people can actually remember and identify the real brands when they're trying to get to that website, versus other content that might be phishing or spoofing. Beyond coming up with names that are meaningful and memorable, we know that people have been pushing on HTTPS adoption for a long time as safer. HTTPS is important because it keeps our users' content private and secure. With encryption between client and server, an internet service provider or someone else on the same wireless network isn't able to either eavesdrop on information while it's in transit or modify it. Pushing on HTTPS adoption has been a standard across the security community for the last several years. Back in early 2015, which is when I started working on this, only about a quarter to a third of what we saw in Chrome was HTTPS; HTTP was so dominant and HTTPS was the exception.
Now 75% in Chrome is HTTPS. Looking back at 2014, Let's Encrypt launched, which is an awesome service that you should check out if you haven't already. They provide free HTTPS certificates. Before late 2015, certificates weren't cheap, so some people couldn't afford them. Also in 2015 we released the Transparency Report showing that at the time only about a quarter of the top hundred sites supported HTTPS by default.

Also near and dear to my heart: starting in 2017, Chrome started labeling HTTP pages with a password or credit card form as "Not secure". It then started labeling more pages as not secure if the page has a form field on it. With Chrome 68 in July, HTTP pages will be labeled as "Not secure" in your URL bar.

Today we are launching the world's first entirely secure, all-HTTPS open top-level domain, and I know that's a little bit to unpack, so we're going to explain that. So first, what's a top-level domain? A top-level domain is the last part of the domain name; it's what's right of the final dot.
Top-level domains are run by registries like Google Registry; that's my team, for instance. That's in contrast to a domain name registrar, which is where you would go to buy a domain. So a registrar will sell domains from a variety of different top-level domains, whereas the registries run their own TLDs, and a TLD is only run by that one registry. So you don't do much with the registry directly; it's kind of the big database behind the scenes running the domain.

So let's go through some examples of top-level domains. Really obvious ones: .com, .net, .org. These are the original generic TLDs, and the important thing about them is they are open, so anyone can register them without restrictions, and I'm sure many people here have some of those. Next up we have the sponsored TLDs; these have restrictions on registration. These ones have also been out for a very long time: .edu, .gov, .mil and friends. So if you want a .mil domain you have to be associated with the US government; that's the restriction. And then a third category would be the country code top-level domains. Some examples would be .uk, .de and .io, and you know it's a country code top-level domain because it has two characters. So if you didn't know, .io is not a generic TLD for coding, even though that's how it is used; it's really for the British Indian Ocean Territory. Whether or not you can register a domain name on these depends on the country: some are completely open and some have restrictions, for example you have to be a citizen of that country to register. And then finally we get to the most recent ones, the new generic TLDs. So here we have .how, .みんな and .google. These started being launched in 2012 in the first ICANN expansion round of top-level domains, and there might be another one coming soon. These three examples happen to be ones run by my team, Google Registry. One interesting thing to note here is that .みんな is actually a Unicode TLD, so if you haven't seen those in the wild yet, just know that they're around. These are a big mix of open, restricted and closed; brand TLDs like .google are closed TLDs, so we're the only people who register domain names on them.

In addition to all of these existing ones, and the thousands of others that already exist today, as of specifically 9 a.m. this morning there is a new top-level domain on the web, and that top-level domain is .app. Thank you. .app is the new home on the web for mobile apps, web apps, progressive web apps, desktop apps, app developers and pretty much anything else you can imagine that has anything to do with apps. So we envision people using it to host landing pages, server endpoints, marketing pages, deep-linking URLs that go directly into a specific piece of content, and pretty much anything else. We've launched .app as an open TLD, which means that you can register it without restrictions. So anyone can buy a domain name and use it for any purpose, but obviously because the string is .app it would probably make sense to use it for something associated with apps. And you should all pay attention to the rest of this talk because everyone here is getting a free .app domain name. And not just everyone in this room, but every single attendee of I/O, and you also got stickers. Check your email afterwards, but please don't do that right now. If you pay attention to the rest of the presentation, we're going to give you some useful tips on how to use them and, most importantly, how to secure them.

All right. So this is our launch site, get.app. There's useful information on there; really, a lot of the stuff we're going to be talking about is on the website. Very importantly, it has the list of domain name registrars that are selling .app domain names, so this is where you would get yours if you want another one or if you're on the live stream. It also has a list of a bunch of sites that are already live on .app.

.app is exciting because it brings two things together: memorable names, and also the security property that every website registered under .app needs to be all HTTPS. We're going to talk about both of these properties, first starting off with the fact that .app domains are memorable. The main reason why I expect developers and marketers in all the rooms to get excited is that it is a fresh namespace. There are still lots of good names available, including short domain names, though not if you wait too long, because it just launched this morning and there have already been over a hundred thousand registrations, including 30,000 in just the first three minutes. My team was very hectic this morning. So if you come to it in a day or more, there will be fewer left. Beyond that, they're appealing because both developers and users are able to remember how to get back to your website. Take call.app: "call" apps are actually pretty popular, particularly in emerging markets. If you search in an app store for the different applications that use the word "call", there's a lot of ambiguity around which one a user may be looking for, but there's only one call.app.

All right. So let's look at some real-life examples of websites that are already serving on .app, and as we go through these, pay particular attention to the domain names they're using and think about what alternatives might have existed on, say, the pre-existing TLDs that they could have gotten if they hadn't had the .app domains. Spoiler alert: the other alternatives would not have been as good as these are. So first up is cash.app. Obviously a great domain name. This is an app by Square and it is for sending and receiving money; for what they're doing, you can't imagine a better domain name than cash.app. Next up is the Outdoor Voices trail shop at ov.app. Nice short two-letter domain. They are a sporting apparel retailer with an augmented-reality shopping feature in their app. And then there's albert.app. It's a financial advice app, and you know that the equivalent domain on .com was probably registered at least two decades ago, who knows, but in a new namespace you get a nice short domain name that's exactly the actual name of your app. And there are many, many more. We won't go through these individually, but these are all more examples of real live apps that are currently out there and running on .app domain names, and you can find this list on get.app if you're interested.

What's special about .app? The string itself going into the domain is useful, but what else is special about .app besides that? So I mentioned earlier that security was a big win for .app. Security is personally what I'm really, really excited about. It all comes down to making your website HTTPS from the start. It used to take effort to set up a website as HTTPS, but it turns out a lot has changed since then. Don't just take my word for it: HTTPS is clearly the way forward for the industry overall. Three quarters are already HTTPS. Here's why I'm excited about HTTPS for your website. The first reason is authenticity. What this example is showing here on the screen is a page for the Federal Trade Commission, seen over a wireless hotspot. Look at it: this area is covered in advertisements. The wireless hotspot provider was injecting advertisements for one of their other businesses onto every site a user of that wireless hotspot headed to, in order to monetize. There's actually a pretty good amount of care that goes into when and how to do advertisements and how they affect user experience. I assume you don't want someone else's ads all over your beautiful site. If you have HTTPS, this kind of thing can't happen.

The second reason is access to powerful APIs. Over the last few years this has become particularly important for people who are making a progressive web app. For example, service workers, which are good for notifications, are available only to HTTPS websites; camera APIs are also HTTPS only. Also, if you have an HTTP website, from July, which is the Chrome 68 release, Chrome will mark it "Not secure" right next to the URL bar, insecure connection. Also important is making secure connections to your site the default, rather than looking at the traffic after the fact. You can use a technique called HSTS in order to ensure that connections are always, all HTTPS.
What HTTP Strict Transport Security does is let your server tell the browser that you're always available over HTTPS. The browser keeps Strict Transport Security on until the max-age runs out without seeing an updated max-age, and only connects to the HTTPS version of your website. HSTS also prevents something called a downgrade attack on your website. What this means is that if you have an HTTPS version and an HTTP version, it's possible to force users back to the HTTP version if you don't have something like HSTS to make sure they're always on HTTPS. Fairly recently, in March, the Citizen Lab claimed that middleboxes on the Türk Telekom network were redirecting Turkish and Syrian users to spyware when they were trying to download legitimate executables. Those downloads were offered over HTTPS, but the sites weren't using HSTS, which means the connections could be downgraded to HTTP and then modified in transit. HSTS prevents that from happening. Plus, you can go one step further with something called preloading. Without it, there's a first connection before the browser has had a chance to see the header. If you're on the preload list, then the browser knows that the connection should always be HTTPS. All right.

So in addition to preloading individual domain names on the HSTS preload list, it's also possible to preload entire top-level domains. So that's exactly what we did, and that's how we implemented the security features of .app. This screenshot right here is just a screenshot from the actual Git repository that's hosting the HSTS preload list, and these are the TLDs that are on it. What that means is that any web request through a browser to any domain on any of these top-level domains will have the URL upgraded from HTTP to HTTPS before that network connection is ever made. So it's always and only ever HTTPS to any domain on these TLDs. We've highlighted .app here with the red arrow, because that's obviously the one of interest today, but you can see that there are some others. For instance, there's a company called fTLD Registry and they run .bank and .insurance, and those are both on this list as well, and you can pretty obviously tell why having enforced security would be important in the banking and the insurance industries. There's more coming soon to this list, and we would encourage other registry operators to add even more, but out of these eight that are currently on there right now, .app is the first open TLD on the list. What that means is it's the first one on the list that grants security benefits to everyone here present, because you can all, and indeed you all do now, have a free .app domain name. So it's the first time that this enhanced security benefit is being made available to everyone, and you get it just by registering a domain name.

And so why is this the first? Like, why hasn't this happened before now? There are a couple of reasons. One is that the requisite browser support for handling top-level preloading only came in fairly recently. It also hasn't been until fairly recently that really easy HTTPS server configuration and quick SSL certificate provisioning came out and made it really simple to just get that HTTPS hosting working, and a lot of that, of course, is thanks to that.
That's also another reason we're doing this now: privacy and security are on everyone's minds these days. It's in the news constantly, and enforced HTTPS is something that can really help mitigate some of these issues, because you can't have privacy and security at all if you're doing things over an insecure connection, or over a connection that can be forced to be insecure. It's just not even possible.

There is a huge number of different benefits of preloading at the TLD level that I'd like to go over. Number one: it eliminates the hassle of configuring HSTS headers on your web server or your cloud service provider. So you'll never need to go to Stack Overflow and Google, like, "how do I get HSTS headers on Apache or nginx or whatever". You don't even need to worry about it; that's why we aren't showing the headers, it doesn't matter. It's already done on the entire top-level domain, so you get that immediately, zero configuration, just by using a .app domain name. There's no need to submit your domain to the HSTS preload list, which would otherwise be another step you would have to do to get that security benefit. And very importantly, by having the entire TLD already on the HSTS preload list, and we actually did this last year, it eliminates the lag time to add domains to the preload list. So if you went out right this second and bought a .com domain name and you wanted to adhere to the best possible web security practices and you submitted that to the HSTS preload list right now, it would still take many months for most users to get the advantage of that higher level of security. And the reason for that is simply the browser release cycle. So it would go into the code now, then it would hit the nightly, then like a month and a half later it would hit the beta, and then a month and a half later it would hit the GA, and then eventually people get around to finally upgrading their browser and then they get that benefit. I saw your face already. So you don't have to wait for that long cycle; you get the security instantly.

Very importantly, preloading a TLD increases browser efficiency, because the preload list is built into every browser installation. It's literally in there; it's in the downloaded executable, both on desktop and mobile, in every installation. So there are over two billion Chrome installations out there and there are many billions of installations of other browsers, and the HSTS preload list is in every single one of them. So keeping it small and efficient is actually very important, because it's saving a lot of disk space and memory on all these different computers and mobile devices. Especially important for the mobile devices is that a smaller list is more efficient to check against, because there are fewer entries to check when you're making a web request, so it's saving CPU cycles too, and that's obviously very important on mobile because if you use more CPU cycles you're using up more battery.

And preloading makes your site faster. So if you're not preloading and you want to have security, what you typically do is have an HTTP to HTTPS redirect. So what will happen is users will just type in the domain name, and by default an HTTP request is made, and then that will return the redirect, and now you make another request to the HTTPS site. By not having this redirect, which you can accomplish by preloading, you're saving an entire round trip to the server, and that's actually very significant on mobile devices, especially on spotty cell connections. You can easily save at least a second on a bad connection by loading the secure version of the site first and immediately rather than hitting that whole redirect.

Another benefit: preloading makes your URLs shorter without losing safety. So for marketing you want short URLs, obviously, whether it's printed materials or billboards or radio commercials or even just telling your friend the name of the domain. You're not going to say, "Hey, I found this cool app, it's h-t-t-p-s colon slash slash www dot name dot com." No, nobody does that. Your friend is just going to type in name.com. But the problem with that is now you're not getting the security unless that site is HSTS preloaded. If it's preloaded, then the request is of course upgraded to HTTPS without having to include the protocol specifier. So this makes both marketing people and security people happy. A really simple example is: which one's better? Which would you rather see on, let's say, a sticker: https://get.app, or just get.app? Obviously get.app is better, and because it's on .app, with the entire TLD being preloaded, it's just as secure as the one on the left.

All right, so you guys are already old hats at setting up HTTPS websites, but just in case, I'll walk through some tips on how to set up an HTTPS website and some tools that are available for you to use. Of course, the first thing you need is a certificate. You can get certificates, including wildcard certificates, from Let's Encrypt. Also, there are cloud providers like Cloudflare and Google App Engine that will provision a free certificate for you if you're a customer.

Number two: also make sure HTTPS covers your images, your iframes and your other resources as well. It's called a mixed content error if you have a mix of HTTP resources on an HTTPS page. Active resources won't show up at all. If you have passive content, like an image, it will show up, but the page will still be broken: depending on how people reach it, not all of the resources will have been loaded correctly. So it's really important that you're testing for this and looking out for mixed content so you're able to move all of your resources to HTTPS. One tool you can use is the Chrome security panel, which shows the insecure requests so that you can get them fixed. Another tool you can make use of is Lighthouse. Lighthouse provides audits, including a security audit that looks for mixed content and tells you which resources are already available over HTTPS. For those with a third-party subdomain, sometimes you have to specifically ask, or specify in your contract, that you want to use the HTTPS version of their sites.

All right. So number three is use HTTPS in your development environment, and indeed in all environments. Don't just wait until production. There are many reasons for this. One is the powerful web APIs Adrienne was talking about: some of them you can hit insecurely over localhost, but if you want to hit them over your local network and show them to your fellow developers or anything, then it simply won't work without an SSL certificate. There are also a variety of login flows or third-party web APIs that require HTTPS, and you can't even test against them at all unless you're supporting it. Another problem is that if you are doing a mix of HTTP in development and then HTTPS later, you have two different canonical locations for all resources, and you can easily get those confused. You can use protocol-relative specifiers, but they're ugly and don't work amazingly well. There's a whole class of problems you can cause yourself that are completely unnecessary by not having that one canonical location for all resources that always starts with https. And third, it is maybe sort of tautological, but you need to use HTTPS in your dev environment so that you can test HTTPS. It doesn't make sense to wait until the very last minute right before you want to go to production and change everything to make it secure, because a lot of things are going to start breaking right then, most likely mixed content errors. So if you're going to be running it securely in production, which you obviously should be, then you need to be testing it securely from the very beginning so problems don't creep up on you.

Number four: when testing, use a real domain or subdomain that you own, or equivalently, do not use a fake domain or subdomain that you don't own. And yes, that is the same thing repeated twice, but it's very important, so I'm emphasizing it. The reason is simple. Why use a real domain? The issue is that if you use a fake domain, you're going to have problems; it's almost guaranteed at some point. The specific problem is a name collision, and a name collision is where traffic is unexpectedly going somewhere that you didn't want it to go. So if I use a fake domain and I do local DNS, it'll work fine on my computer, but in any other context, like if I run a new Docker container and I forgot to set up that DNS, it's going to go to a completely different location. Or if you had to go give the code base to a friend and they run it, it's going to a completely different location. So you're not in charge of your own destiny when you're using a fake domain name that could resolve differently depending on where you're hitting it from. And this is also a problem if you're interacting with any third-party web services and they are trying to make callbacks to those URLs, and of course it's not working for that. Huge numbers of developers worldwide have had problems when they use a fake domain or a domain on a fake TLD only for it to turn out to be real, or later become real, which is even worse because things break on you later. Like when you use a fake domain, you're not in control of your own destiny. At Google Registry we're on 46 TLDs and we know how big of a problem this is, because we get an unbelievable amount of misaddressed traffic to what are supposedly fake domain names that are actually real. And to really drive it home, two of the 46 TLDs we're on are .dev and .prod. If you've been using any domain names like that, stop immediately, because those are real and we're getting some of that traffic. So don't do that. Some guilty people in the audience.

All right, so here's a simple example of the right way to do things. Use a real domain name: falcon11.app is a real domain name. Then get a wildcard certificate for all subdomains on falcon11.app; you can do that for free with Let's Encrypt. Then, depending on whether you want just local DNS resolution, you can use the good old-fashioned /etc/hosts file, or if you want network-level resolution you can use something like dnsmasq. The reason you would do this is you obviously don't want to route traffic worldwide to your local dev setup when it's not ready, like you don't want to leak that information, so you only want it to resolve locally. But the key thing is it's still a real domain name, so you are in charge of where that traffic will go from the world, and you know it's never going anywhere unexpectedly; therefore, never any collisions.

And the final tool for doing the secure whole thing is just use a service with automatic HTTPS, and there are so many of them these days. Some examples are Google App Engine, Firebase, Cloudflare, GitHub Pages, Netlify and many, many more. This is the simplest possible way to get a secure website running. For many of these it's as simple as just hitting a single checkbox and you get automatic security, and for some of them it's even simpler than that because the checkbox is checked by default, so it's zero steps to the best security. And what you get is, you combine a cloud provider hosting service that gives you automated security with a .app domain, which gives you automatic security from the domain level, and when you have those two combined you get the best-in-class, best possible, best-practices security.

To help out, there's a Google Search Console help center article that walks you through the process if you ever move a website. It also has a bunch of other information on HTTPS; I also encourage you to check that out.

All right. So just one last final reminder: the launch site is get.app. All the relevant information is there, or just look at what's on that sticker on the back of your laptop now, hopefully. And I encourage everyone here in attendance to go and get your free domain; follow the instructions in the email. For anyone who's not here, or on the live stream, or just people here who want more than one .app domain, hopefully the same. And the last note, and this is very important, is you should go out there and use these domain names. Don't just register them and park them. The security comes from using them; the security is getting more and more people on HTTPS on the web, and getting more of them on the best-possible-practices domains that are HSTS preloaded, and do it on .app, because security is easier on .app than it is anywhere else.

All right. So thank you very much. Here is some social information and some links to check out. The last one is Nomulus, which sounds like the shirt that you may have been wondering why I'm wearing. Nomulus is the name of our open source domain name registry platform that we use to run all 46 of our top-level domains, including .app. So if you ever had any curiosity about how domain names or top-level domains are actually run, from my perspective of inside the code base, you can go to nomulus.foo; it goes right to our GitHub and you can see the entire source code. We're basically running out of time so there won't be any questions, but we are going to be in the web dome over there, so come talk to us afterwards.
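The HSTS mechanics described in the talk, as an added example that is not part of the talk and not code from Chrome, Google Registry or any browser: a small model of how a browser decides to upgrade http:// to https:// before a connection is made. It combines the two mechanisms the speakers describe, a built-in preload list that can contain whole TLDs (the talk names .app, .bank and .insurance as preloaded) and dynamic state learned from the Strict-Transport-Security header with a max-age that expires. The `HstsStore` class, the single-domain preload entries and the hostnames in the test are constructed for illustration; real browsers store the preload list and apply its matching rules differently.

```python
"""Added example (not from the talk): model of a browser's HSTS upgrade decision.

Two sources say "this host is HTTPS only":
  1. a built-in preload list, which may contain a bare TLD such as "app", so
     every domain registered under that TLD is covered before any request;
  2. dynamic entries learned from a Strict-Transport-Security header, which
     last until now + max-age and are dropped when max-age=0 is seen.
"""
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed preload list (host -> include_subdomains). The TLD entries are
# the ones the talk names; the two example.* entries are invented for the demo.
PRELOAD = {
    "app": True,
    "bank": True,
    "insurance": True,
    "preloaded-example.com": True,   # constructed: covers subdomains too
    "exact-only.example": False,     # constructed: no includeSubDomains
}


def parse_hsts_header(value: str):
    """Parse a Strict-Transport-Security header value.

    Returns a dict with max_age, include_subdomains and preload, or None when
    the header carries no valid max-age (a browser ignores such a header).
    """
    max_age = None
    include_sub = False
    preload = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_sub, "preload": preload}


class HstsStore:
    """Dynamic HSTS state keyed by host, plus the static preload list."""

    def __init__(self):
        self._entries = {}  # host -> (expiry timestamp, include_subdomains)

    def observe(self, host, header_value, now=None):
        """Record the HSTS header a host sent over HTTPS; max-age=0 clears it."""
        parsed = parse_hsts_header(header_value)
        if parsed is None:
            return
        now = time.time() if now is None else now
        host = host.lower()
        if parsed["max_age"] == 0:
            self._entries.pop(host, None)
            return
        self._entries[host] = (now + parsed["max_age"], parsed["include_subdomains"])

    def is_hsts(self, host, now=None):
        """True if host, or a covering parent domain, is HSTS (preloaded or learned)."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            exact = i == 0
            # A parent entry only covers us if it includes subdomains; a bare
            # TLD entry like "app" has that flag set, so get.app is covered.
            if candidate in PRELOAD and (exact or PRELOAD[candidate]):
                return True
            entry = self._entries.get(candidate)
            if entry is not None:
                expiry, include_sub = entry
                if expiry > now and (exact or include_sub):
                    return True
        return False

    def upgrade(self, url, now=None):
        """Rewrite a typed or http:// URL to https:// when HSTS applies."""
        if "://" not in url:
            url = "http://" + url  # a bare name typed into the bar defaults to HTTP
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_hsts(parts.hostname or "", now):
            netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url
```

Because the decision is made from the list before any socket is opened, a bare `get.app` on a sticker becomes `https://get.app` with no HTTP round trip, which is the redirect the talk says preloading saves; a `.com` name gets the same treatment only once its header has been seen and only until that max-age expires.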