With the security of the web of the utmost importance to Google, the search giant has worked hard to ensure that connections to websites are encrypted using HTTPS, which prevents web traffic from being intercepted, altered, or misdirected in transit. They have taken many actions to make the use of HTTPS more widespread, both within Google and on the larger internet.

The next step for Google is to use another tool in their toolbox, the HTTP Strict Transport Security (HSTS) preload list, in a new and more impactful way. The HSTS preload list is built into all major browsers (Chrome, Firefox, Safari, Internet Explorer/Edge and Opera). It consists of a list of hostnames for which browsers automatically enforce HTTPS-secured connections. The HSTS preload list can contain individual domains, subdomains, and even top-level domains (TLDs), all of which are added through the HSTS website.

In 2015, Google created the first secure TLD when they added .google to the HSTS preload list. They are now rolling out HSTS for a larger number of their gTLDs, starting with .foo and .dev, but not for their previously launched open gTLDs (.how, .soy, and .みんな).

The use of TLD-level HSTS allows such namespaces to be secure by default. Registrants receive guaranteed protection for themselves and their users simply by choosing a secure TLD for their website and configuring an SSL certificate, without having to add individual domains or subdomains to the HSTS preload list. Moreover, since it typically takes months between adding a domain name to the list and browser upgrades reaching a majority of users, using an already-secured TLD provides immediate protection rather than eventual protection. Adding an entire TLD to the HSTS preload list is also more efficient, as it secures all domains under that TLD without the overhead of having to include all those domains individually.
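The lookup described above can be sketched as follows. This is an added example, not code from Google or any browser: the entries and the field names `name` and `includeSubdomains` are constructed for illustration. It shows why a single TLD entry covers every registrant under it, while a host-only entry does not extend to its subdomains.

```javascript
// Constructed preload entries; names and field names are assumptions of this example.
const PRELOAD = [
  { name: "dev", includeSubdomains: true },                   // whole TLD
  { name: "foo", includeSubdomains: true },                   // whole TLD
  { name: "example.org", includeSubdomains: true },           // domain + subdomains
  { name: "accounts.example.com", includeSubdomains: false }, // this host only
];

function buildIndex(entries) {
  const index = new Map();
  for (const e of entries) index.set(e.name.toLowerCase(), e.includeSubdomains);
  return index;
}

// Returns the entry name that forces HTTPS for `hostname`, or null if none does.
function matchPreload(index, hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, ""); // drop trailing dot
  if (host === "") return null;
  const labels = host.split(".");
  // Try the full host first, then each parent suffix, ending at the TLD.
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (!index.has(candidate)) continue;
    // An exact match always applies; a parent applies only with includeSubdomains.
    if (i === 0 || index.get(candidate)) return candidate;
  }
  return null;
}

// Rewrites http:// to https:// before any request is made when the host is covered.
function upgradeUrl(index, rawUrl) {
  const url = new URL(rawUrl);
  if (url.protocol !== "http:") return url.href;
  if (matchPreload(index, url.hostname) === null) return url.href;
  url.protocol = "https:"; // an explicit non-default port is preserved
  return url.href;
}

const INDEX = buildIndex(PRELOAD);
for (const u of ["http://my-app.dev/login", "http://sub.accounts.example.com/",
                 "http://api.example.org:8080/v1"]) {
  console.log(u, "->", upgradeUrl(INDEX, u));
}
```
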

Expect to see some of these secure gTLDs available for registration soon. Google would like to see TLD-wide HSTS become the security standard for new gTLDs.