With .app, Google plans to build a safer Web

MOUNTAIN VIEW, Calif.—Bored of conventional website suffixes like .net, .org, .edu and .com? There’s now an app for that. But to be clear, it’s not exactly an app. It’s .app.

It’s been in the works since 2012, when the Internet Corporation for Assigned Names and Numbers standards organization decided to create more top-level domains, or TLDs, as the suffixes are known. And since February 2015, when Google bought .app for $25 million (a price that blew past previous TLD-selling records, until August 2016, when website certificate authority Verisign bought .web for $135 million), Google has been figuring out exactly what to do with it.

When it first pitched ICANN on buying .app in 2013, Google envisioned mobile-app developers using it as a secure official location on the open Web. At the time, some of the most popular mobile apps, such as Instagram, didn’t have websites with the same features as their platform-specific app counterparts.

Google engineering manager Adrienne Porter Felt explains the .app top-level domain at Google I/O in Mountain View, Calif., on May 8, 2018. Photo by Seth Rosenblatt/The Parallax

Since then, to appeal to a wider audience, Google has removed its requirement that .app domain owners be developers.

After an early registration period this year, from May 1 to May 7, the company opened .app to all registrants on Tuesday morning at its annual Google I/O developer conference.

The move has proven to be popular with owners of websites (including The Parallax), who snapped up .app domains prior to a presentation Tuesday afternoon. Google hopes that developers will use their .app sites as permanent Internet locations for maintaining download links to app stores, communicating with users, and highlighting in-app content to the Internet at large.

“Just since launch this morning, there’s already been over 100,000 registrations, including 30,000 in just the first three minutes,” Ben McIlwain, Google’s tech lead on its Registry team, which manages .app, told a crowd of about 200 conference attendees. Google waived the first-year registration fee (about $14, depending on the domain registrar) for all conference attendees.





While the appeal of .app should be the ability of consumers and brands to easily point people to their sites, Google has built in security features that the legacy TLDs don’t have, said Adrienne Porter Felt, engineering manager at Google. All .app domains have HTTPS turned on by default, which means that all information sent to and from the website is encrypted.

By encrypting all traffic between the website and the browser it appears in, HTTPS prevents the easiest forms of data interception and surveillance. The website certificate and encryption keys HTTPS requires also help “prove” site ownership and authenticity, Felt says, in addition to preventing site spoofing and phishing attacks.

“HTTPS is important because it keeps our users’ content private and secure,” she says. “HTTPS provides encryption between the clients and the server such that anyone in the middle, like the Internet service provider or someone else who’s on the same wireless network, isn’t able to either eavesdrop on the information while it’s in transit or modify it.”

The new top-level domain forces sites to use HTTPS because they are on the HSTS preload list, a Chrome-based list that stops sites on the list from loading unless they are using HTTPS—they can’t “fall back” to standard, insecure HTTP.
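The preload behavior described above, as an added sketch that is not Chrome's or Google's code: a TLD-wide entry covers every host beneath it, and any plain-HTTP navigation to a covered host is rewritten to HTTPS before a request is sent. The entry field names, the sample list and the hostnames are constructed assumptions.

```javascript
// Constructed sample entries; field names are assumptions for this sketch.
const PRELOAD = [
  { name: "app", includeSubdomains: true },          // whole TLD, as the article describes
  { name: "example.com", includeSubdomains: false }, // single host only (constructed)
];

// Return the preload entry that covers a hostname, or null if none does.
function findPreloadEntry(hostname, list = PRELOAD) {
  // Normalize case and drop the trailing dot of a fully qualified name.
  const host = hostname.toLowerCase().replace(/\.$/, "");
  const labels = host.split(".");
  // Compare whole DNS labels, walking from the full host up to the TLD:
  // a.b.app, then b.app, then app. "myapp.com" never matches "app".
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    const entry = list.find((e) => e.name === candidate);
    if (!entry) continue;
    // An exact match always applies; a parent match needs includeSubdomains.
    if (i === 0 || entry.includeSubdomains) return entry;
  }
  return null;
}

// Decide what a browser honoring the list would load for a navigation.
function resolveNavigation(rawUrl, list = PRELOAD) {
  const url = new URL(rawUrl);
  const covered = findPreloadEntry(url.hostname, list) !== null;
  if (url.protocol !== "http:" || !covered) {
    return { url: url.href, upgraded: false };
  }
  // Rewrite the scheme; an explicit non-default port is kept as typed.
  url.protocol = "https:";
  return { url: url.href, upgraded: true };
}

// Constructed sample navigations.
for (const u of ["http://example.app/login", "http://myapp.com/",
                 "http://www.example.com/", "http://a.b.app:8080/"]) {
  console.log(u, "->", resolveNavigation(u).url);
}
```
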

The .app domain also gives Google more insight into how the Internet is being used, says Robert Hansen, chief technology officer of online identity management company Bit Discovery. “If a [.app] domain expires, they control it; they can do whatever they want with it,” he says. “And from a fraud and security perspective, they can accurately monitor whatever’s happening on the [potentially malicious] domain.”

Ben McIlwain, Google’s tech lead on its Registry team, talks top-level domain registration at Google I/O in Mountain View, Calif., on May 8, 2018. Photo by Seth Rosenblatt/The Parallax

However, the maker of Chrome competitor Firefox supports the .app development. “We believe advancements like this are key to a future where the Web is secure by default,” Dave Camp, vice president of engineering at Firefox, said in an email to The Parallax.

While forcing .app site owners to use HTTPS should improve security on the Web somewhat, it’s “not a panacea,” cautions Lee Brotherston, director of security at Canadian online investment management firm Wealthsimple.

“While the list is used by the major browsers, it should be noted that this is a Chrome list, and so we cannot guarantee that this will continue to apply everywhere forever, nor if it will be used by less mainstream browsers,” he wrote to The Parallax in an email.

Brotherston also points out that the .app TLD can’t stop a malicious or hacked site from carrying out attacks against users. “So if the site knowingly places ads, or is hacked to place malicious ads, neither HSTS nor HTTPS is going to prevent this.”

The .app protections are “a step in the right direction, but I doubt that this is going to remove the problem,” he says.

When Felt started working on improving HTTPS usage in 2015, only a fourth to a third of sites loaded in Chrome used it, she says. “Well, moving forward to today, I’m really excited that we’re at a point where about 75 percent of all page loads in Chrome are now HTTPS.” And .app will be the first top-level domain to turn on HTTPS by default.

Pushing site owners to upgrade to HTTPS has been a major initiative at Google, and starting in July, sites that use only standard HTTP, and not the more secure HTTPS, will be downgraded in Google’s search rankings.

Shamed, as it were.