Introducing .app domain names and how to secure them (Google I/O ’18)

Good afternoon, everyone. Thanks for joining us out here today. We're going to be introducing .app domain names and how to secure them. I'm Ben McIlwain, I am the lead engineer of Google Registry and the co-product manager of the .app launch, and we're going to be explaining a little bit later what Google Registry is exactly.

Hi, I'm Adrienne Porter Felt. I'm an engineering manager and a long-time engineer on the Google Chrome team. Now, about a year ago, I think, yeah, a year ago, Ben came to my team and I with an idea. He works on the registry team, and they had an idea that they were going to be launching this TLD, top-level domain, that we're going to be talking about today, and the idea was to use it to make memorable and meaningful domain names. Now I assume that all of you here like short, meaningful domain names because they tie into your brands and help users get back to them. We also like them in terms of usability of the web. We think that URLs are easier to use if the domains are something that people can actually remember and ideally differentiate between the real brands, when they're trying to actually get to that website, versus other content that might be spam, phishing or spoofing. But that wasn't all. It wasn't just about coming up with meaningful and memorable domain names. Ben was also aware of the fact that Google for a long time has been pushing on HTTPS adoption, and he wanted to use this feature launch as a way to tie into that and help make the web safer.

HTTPS is important because it keeps our users' content private and secure. HTTPS provides encryption between the clients and the server such that anyone in the middle, like the internet service provider or someone else who's on the same wireless network, isn't able to either eavesdrop on the information while it's in transit or modify it. And pushing on HTTPS adoption has been a big effort at Google, and in fact more or less across the security community, for the last several years. Back in early 2015, which is when I started working on this, we saw that only about 1/4 to 1/3 of pages loaded in Chrome were HTTPS. So at that point HTTP was still dominant and HTTPS was the exception. Well, moving forward to today, I'm really excited that we're at a point where about 75% of all page loads in Chrome are now HTTPS. So we've seen a huge shift, and now we're focusing on how do we get everything to be all HTTPS, how do we get that last little chunk.

Looking back at 2014, Google premiered an HTTPS ranking boost. The idea at the time was that websites would get a bump if they supported HTTPS. Let's Encrypt, which is an awesome service that you should check out if you haven't already (they provide free HTTPS certificates as well as tooling to make it easy to manage certificates), launched in late 2015, and Let's Encrypt helped a lot of websites get online, particularly websites where the developers were not previously able to afford certificates. Even though 10 and 15 dollars sounds cheap, some people still couldn't afford it. Also in late 2015, Google started indexing HTTPS websites by default, meaning that if a website was available both over HTTP and HTTPS, we would index the HTTPS version. We also released a transparency report showing that at the time only about a quarter of the top hundred sites supported HTTPS by default, and now it's at 83. Also, near and dear to my heart, starting in 2017 Chrome started labeling HTTP websites as "not secure" in the URL bar if they had a password form field or a credit card form field, because those are particularly sensitive data types. We ratcheted that up a little bit in mid-2017: we started labeling more pages as not secure if they were any HTTP page read in incognito or any HTTP page with any kind of form field on it. And we have recently announced that starting in Chrome 68, which is in July, all HTTP pages will be labeled as not secure in the URL bar.

All right, so Ben was aware of this, and he was really excited about HTTPS himself, as was the rest of his team, and so they wanted to bring these two things together: a product that encourages memorable domain names as well as the security features of HTTPS. So Ben, tell them what the idea was.

Yeah, all right. So today we are launching the world's first entirely secure, all-HTTPS, open top-level domain. And I know that's a little bit to unpack, so we're going to explain that. So first, what's a top-level domain? Let's look at that. All right, so a top-level domain is the last part of the domain name; it's what's right of the final dot. Top-level domains are run by registries, like Google Registry, that's my team, for instance, and that's in contrast to a domain name registrar, which is where you would go to buy domains. So a registrar will sell domains on a variety of different top-level domains, whereas the registries run their own TLDs, and that TLD is only run by that registry. So you don't interact with the registries too much; we're kind of the big database behind the scenes running the domains.

So let's go through some examples of top-level domains. Really obvious ones: .com, .net, .org. These are the original generic TLDs, and the important thing about them is they are open, so anyone can register them without restrictions, and I'm sure many people here have some of those. Next up we have the sponsored TLDs. These have restrictions on registration, and they've also been out, these ones at least, for a very long time: .edu, .gov and .mil. And for instance, if you want a .mil domain you have to be associated with the US government, so that's the restriction. And then a third category would be the country code top-level domains. So some examples would be .uk, .de and .io, and you know it's a country code top-level domain because it has two characters. So if you didn't know, .io is not a generic TLD for coding, even though that's how it's used; it's really for the British Indian Ocean Territory. And whether or not you can register a domain name on these depends on the country: some are completely open and some have restrictions where you have to be a citizen of that country to register.

And then finally we get to the most recent ones, the new generic TLDs. So here we have .みんな and .google, and these started being launched in 2012 in the ICANN first expansion round of top-level domains, and there might be another one coming soon. And these three examples happen to be ones run by my team, Google Registry. And one interesting thing to note here is that .みんな is actually a Unicode TLD, so if you haven't seen any of these out in the wild yet, just know that they're around. And these are a big mix of open, restricted, closed and brand TLDs; like .google is a brand TLD, so we're the only people who register domain names on there. And in addition to all of these existing ones, and thousands of others that already exist today, specifically as of 9 a.m.
this morning, there is a new top-level domain on the web, and that top-level domain is .app. So yeah, today... thank you. Yeah, so, introducing .app. .app is the new home on the web for mobile apps, web apps, progressive web apps, desktop apps, app developers and pretty much anything else you can imagine that has anything to do with apps. So we envision people using it to host landing pages, server endpoints, marketing pages, deep linking URLs that go directly into a specific piece of content, and pretty much anything else. And we've launched .app as an open TLD, which means that you can register it without restrictions, so anyone can buy a .app domain name and use it for any purpose, but obviously because the string is .app it would probably make sense to use it for something associated with an app. And you should all pay attention to the rest of this talk because everyone here is getting a free domain, and not just everyone in this room but every single attendee of I/O, and you also got stickers too. Oh yeah. So yeah, check your email that went out a little bit ago; it has the full information and full details on how to redeem the free .app domain. But please don't do that right now, please pay attention to the rest of the presentation; we're going to give you some useful tips on how to use them and, most importantly, how to secure them.

All right, and then this is our launch site, get.app. There's useful information on there, really a lot of this stuff we're going to be talking about, in website form. Very importantly, it has the list of domain name registrars that are selling .app domain names, so this is where you would get yours if you want another one or if you're on the live stream, and it also has a list of a bunch of sites that are already live on .app domains.

So .app is exciting because it brings two things together. .app provides domains that are both memorable, because they're short and there are lots of names available, and also all HTTPS, meaning that every website registered under .app needs to be all HTTPS. And we're going to talk about both of these properties, first starting off with the fact that .app domains are memorable. So the main reason why I expect developers and marketers and all of you here in the room to get excited is because you can get short, memorable domains that tie in with your brands. Since it's a new TLD, it's a fresh namespace; there are still lots of good names available, including short domain names, although maybe not for much longer if you wait too long, because just since launch this morning there's already been over a hundred thousand registrations, including 30,000 in just the first three minutes. Yeah, my team actually snapped one up this morning; we need to figure out what we're going to put on it. My team was very hectic this morning. So previously, if you were trying to work in a dot-com world you may have ended up with a long domain name; however, you can definitely get much shorter ones, and we think for many reasons that shorter ones are more appealing, both to developers but also to end users who have to remember how to get back to your website.

But not only are .app names memorable, they're also unique, and this is really important. So let's say that you're trying to get to CallApp. This is actually a pretty popular call app, particularly in emerging markets, and unfortunately the thing about the name CallApp is that if you search in an app store for that, lots and lots of different applications use the word "call", so there's a lot of ambiguity around which one maybe the user is looking for. However, domain names are unique; there's only one call.app. So domain names are just a more reliable way for people to be able to find your app, your web app, your mobile app, whatever, by name.

All right, so let's look at some real live examples of websites that are already serving on .app, and as we go through these, let's pay particular attention to the domain names that they're using and think about what alternatives might have existed on, say, their pre-existing TLDs that they could have gotten if they hadn't had the .app domains. And spoiler alert, the other alternatives would not have been as good as these are. So first up is cash.app. Obviously a great domain name. This is an app by Square, and it is for sending and receiving money. For what they're doing, you can't imagine a better domain name than cash.app. Next up is the Outdoor Voices trail shop at ov.app, a nice short two-letter domain. They are a sporting apparel retailer with an augmented reality shopping feature in their app. And then there's albert.app. It's a financial advice app, and you know that the equivalent .com was probably registered at least two decades ago, who knows, but on the new namespace you get a nice short domain name that's exactly the actual name of your app. And there's many, many more. We won't go through these individually, but these are all more examples of real live apps that are currently out there and running on .app domains, and you can find this list on get.app if you're interested.

But so we've talked about how the .app string itself, going into the .app domain, is useful, but what else is special about .app besides the name? So Adrienne mentioned earlier that security was a big win for .app. Yeah, and security is personally why I am really, really excited about it. .app is all HTTPS by default. What this means is that if you register and use a .app domain, you'll need to build an HTTPS-only website from the start. I have to admit this idea actually first came up on the Chrome security team a few years ago, and at the time it seemed a little crazy, like really, could we get a whole bunch of developers to set up websites on HTTPS? But it turns out a lot has changed since then, and you know, we're in the future, and the future is awesome and very friendly to HTTPS. But don't just take my word for it. To quote BuzzFeed, "moving to HTTPS is clearly the way forward for the industry overall," and as I mentioned earlier at the beginning, we are seeing 3/4 of page loads now over HTTPS. I think most new sites, as they're coming online, are all HTTPS now.

I'm excited about HTTPS for many reasons, but I want to tell you about why you all should be excited about HTTPS. It gives a lot of positive benefits to your website. The first is authenticity. What this example is showing here on the screen is someone I know named Eric Mill, who was browsing on a wireless hotspot. He was looking at the website for the Federal Trade Commission. Now, normally the FTC website does not have ads all over it, sort of by nature of the fact that it's a government website, but when he was looking at it, all this area that's covered in yellow was showing advertisements. They really took up a large chunk of the viewport, and what was happening was that the wireless hotspot provider was injecting advertisements for one of their other businesses onto every HTTP website that people loaded while using the hotspot service. And this isn't a one-off; you know, this is a thing that internet service providers, wireless hotspots, etc. do in order to monetize. There's actually a pretty good amount of HTTP traffic that has advertisements modified, injected, etc. Now, I'm sure that all of you here in the room put a lot of effort into what your website looks like. You think really hard about when and how you show advertisements and how it affects your user experience. I assume you don't want someone else's ads all over your beautiful website, and HTTPS prevents that. If you have an HTTPS domain, this kind of thing can't happen.

Another thing that HTTPS gives you is access to powerful APIs. New web features, ones that have come out over the last few years, are available only to HTTPS websites. This is particularly important for people who are making PWAs, or progressive web apps. For example, service workers, which are key for building good offline experiences, doing things like background syncing, sending push notifications, are available only to HTTPS websites. Other APIs like geolocation, camera and mic are also HTTPS only. Also, if you have an HTTPS website you'll get a better look in the Chrome URL bar. In July 2018, which is the Chrome 68 release, all HTTP websites will start being marked "not secure" right next to the domain name in the URL bar. So, you know, we're trying to tell users what you get with HTTP, which is an unencrypted, insecure connection, and if any of you here are running websites that are not HTTPS yet, please move them to HTTPS before July. Also, as an added bonus, Android security is important too. Android P requires TLS for connections between your app and backend by default, to prevent anyone from messing with or looking at the traffic going between people's Android phones and your backends, so you'll need to have an HTTPS endpoint set up anyway.

We're using a technique called HSTS preloading in order to ensure that .app sites are always all HTTPS. HSTS is kind of a mouthful. HSTS stands for HTTP Strict Transport Security. OK, I know, I know that has another acronym in it. Earlier he tried to get me to say out the full thing and it takes like five minutes, OK, trust me. So what HSTS does is it's a way for your server to tell the browser that your web content should always be over HTTPS. So you would send a header that's named Strict-Transport-Security, and once the browser sees that header it'll know to only connect to that domain over HTTPS from then on, until the max-age runs out without seeing an updated max-age. So even if the user doesn't specify the scheme when they type in the URL bar, or even if the user types in HTTP or clicks on an HTTP link, they'll still end up on the HTTPS version of your website. Now HSTS also prevents something called a downgrade attack on your website. What this means is that if you have both an HTTP version and an HTTPS version, it's possible to force users back to the HTTP version if you don't have something like HSTS to make sure that they're always on the HTTPS version. So let me explain with an example. Fairly recently, in March, the Citizen Lab claimed that middleboxes on Türk Telekom's network were redirecting Turkish and Syrian users to spyware when they were trying to download legitimate Windows executables. The idea here was that these download sites supported HTTPS but weren't HTTPS only; they weren't using HSTS, which meant that the ISP was able to force those connections down to HTTP and then modify them in transit. So using HSTS will prevent that from happening.

Plus you can go one step further with something called preloading. So preloading is basically, there's a long list of domains that want to be always HTTPS even on that very first connection, before the browser has had a chance to see a header. If you're on this list, then the browser knows that the connection should always be over HTTPS even without having seen that header.

All right, so in addition to preloading individual domain names in the HSTS preload list, it's also possible to preload entire top-level domains, so that's exactly what we did, and that's how we implemented the security features of .app. So this screenshot right here is just a screenshot from the actual git repository that's hosting the HSTS preload list, and these eight TLDs are on it. And what that means is that any web request through a browser to any domain on any of these top-level domains will have the URL upgraded from HTTP to HTTPS before that network connection is ever made. So it's always and only ever HTTPS to any domain on those TLDs. And we've highlighted here with the red arrow .app, because that's obviously the one of important interest today, but you see that there are some others. For instance, there's a company called fTLD Registry, and they run .bank and .insurance, and those are both on this list as well, and you can pretty obviously tell why having enforced security would be important in the banking and the insurance industry. So yeah, and there's more coming soon to this list, and we would encourage other registry operators to add even more. But out of these eight that are currently on there right now, .app is the first open TLD on the list, and what that means is it's the first one on the list that grants security benefits to everyone here present, because you can all, and indeed you all do now, have a free .app domain name. So it's the first time that this enhanced security benefit is being made available to everyone, and you get it just by registering a domain name.

And so why is this the first? Like, why hasn't this happened before now? You know, there's a couple of reasons. One is that the requisite browser support for handling top-level preloading only came in fairly recently, and it also hasn't been until fairly recently that really easy HTTPS configuration and quick SSL certificate provisioning came out and made it really simple to just get that HTTPS hosting working, and a lot of that of course is thanks to Let's Encrypt. And then also another reason that we're doing this now is because privacy and security is on everyone's minds these days; it's in the news constantly, and enforced HTTPS is something that can really help mitigate some of these issues, because you can't have privacy and security at all if you're doing things over an insecure connection, or a connection that can be forced to be insecure. It's just not even possible, right?

And there's a huge number of different benefits of preloading at the TLD level that I'd like to go over. So number one, it eliminates the hassle of configuring HSTS headers on your web server or your cloud service providers. So you'll never need to go to Stack Overflow and Google, like, you know, how do I get HSTS headers on Apache or nginx or whatever. You don't even need to worry about it; that's why we're not showing the headers, it doesn't matter. It's already done on the entire top-level domain, so you get that immediately, zero configuration, just by using a .app domain name. And there's no need to submit your domain to the HSTS preload list, which would otherwise be another step you would have to do to get that security benefit. And very importantly, by having the entire TLD already on the HSTS preload list, and we actually did this last year, it eliminates the lag time to add domains to the preload list. So if you went out like right this second and bought a dot-com domain name, and you wanted to adhere to the best possible web security practices, and you submitted that to the HSTS preload list right now, it would still take many months for most users to get the advantage of that higher level of security, and the reason for that is simply the browser release cycle. So it would go into the code now, then it would hit the nightly, then like a month and a half later it would hit the beta, and then a month and a half later it would hit the GA, and then eventually people would get around to finally upgrading their browser, and then they'd get that benefit. So .app is already preloaded, so you don't have to wait for that long cycle, so you get the security instantly.

And very importantly, preloading a TLD increases browser efficiency, because the preload list is built into every browser installation. Like, it's literally in there, in the downloaded executable, both on desktop and mobile, in every installation. So there's over two billion Chrome installations out there, and there's many billions of installations of other browsers, and the HSTS preload list is in every single one of them. So keeping the preload list small and efficient is absolutely very important, because it's saving a lot of disk space and memory on all these different computers and mobile devices, and especially important for the mobile devices is that a smaller list is more efficient to check against, because there are fewer entries to check when you're making a web request, so it's saving CPU cycles too, and that's obviously very important on mobile, because if you use more CPU cycles you're using up more battery.

And preloading makes your site faster. So if you're not preloading and you want to have security, then what you typically do is you will have an HTTP to HTTPS redirect, and so what will happen is users will just type in the domain name, and by default an HTTP request will be made, and then that will return the redirect, and now you make another request to the HTTPS site. By not having this redirect, which you can accomplish by preloading, you're saving an entire round trip to the server, and that's absolutely very significant on mobile devices, especially on spotty cell connections. You can easily save like at least a second on a bad connection by loading the secure version of the site first and immediately, rather than hitting that whole redirect.

And another benefit: preloading makes URLs shorter without losing safety. So for marketing you want short URLs, obviously, whether it's print materials or web ads or radio commercials or even just telling your friend the name of a domain name. You're not going to say, hey, I found this cool app, it's http://www.nameofapp.com. No, nobody does that. So your friend is just going to type in nameofapp.com, but the problem with that is now you're not getting the security unless that site is HSTS preloaded. If it's preloaded, then the request is of course upgraded to HTTPS without having to include the protocol specifier, so this makes both marketing people and security people happy. So a really simple example is, which looks better, which would you rather see on, let's say maybe a sticker: http://get.app or just get.app? Obviously get.app is better, and because it's on .app, with the entire TLD being preloaded, it's just as secure as the one on the left.

All right, so maybe you guys are already old hat at setting up HTTPS websites, but just in case, we're going to walk through some tips on how to set up an HTTPS website and some tools that are available for you to use. Now, of course, the first thing you need is a certificate. You know, sometimes people have a perception that certificates are going to be expensive, particularly wildcards. You can get free certificates from Let's Encrypt. Also there are cloud providers like Cloudflare or Google App Engine that will also provision a free certificate for you if you're a customer. Also, very importantly, not only does your top-level frame need to be HTTPS, but also all of the subresources within that frame need to be HTTPS, meaning your scripts, your images, your iframes, they all need to be HTTPS as well. It's called a mixed content error if you have a mix of HTTP and HTTPS resources on a page, and this is problematic for your website. If you have active resources like a script or an iframe that are HTTP, browsers will just block them on an HTTPS connection; they won't show up. If you have passive content like an image, it will show up, but it's still not ideal. You'll usually get a downgrade on the browser UI, depending on what browser you're using, to tell people that not all of the subresources have been loaded correctly. So it's really important that you're testing for this, looking out for mixed content, so that you're able to move all of your subresources to HTTPS. One tool you can use is actually built into Chrome. Hopefully all of you in the room use Chrome; assuming you do, you can look in DevTools and open up the Security panel. This is showing a test website, mixed.badssl.com, and it shows any non-secure origins you have for subresource requests so that you can get them fixed. Another tool you can make use of is Lighthouse. Lighthouse provides audits; in this case one of them is a security audit that looks for mixed content. In this example, which is again about mixed.badssl.com, it tells you about all of the insecure resources that it found on the page so that you can fix them. It also highlights the ones where you can very easily tell they are already available over HTTPS, so for those you'll just need to go add an extra "s" into the resource request and you're golden. For others you may need to use a different subdomain; sometimes things have a special, like, "secure" subdomain that they use for the HTTPS traffic, or if it's a company that you are paying, you may need to specifically specify in your contract that you want to use the HTTPS version of their site.

All right, so number three is use HTTPS in your development environment, and indeed all environments. So don't just wait until production. There's many reasons for this. One is the powerful web APIs that Adrienne was talking about; some of them you can hit insecurely over a local context, but if you want to hit them over your local network and show them to fellow developers or anything, then it simply won't work without an SSL certificate. And there's also a variety of OAuth or login flows or third-party web APIs that require HTTPS, and you can't even test or develop against them at all unless you're supporting it. So another problem is, if you are doing a mix of HTTP in development and then HTTPS later, you have two different canonical locations for all resources, and you can easily get those confused. So you can use protocol-relative specifiers, but they're ugly and don't work amazingly well. There's a whole class of problems you can cause for yourself that are completely unnecessary, by not having that one canonical location for all resources that always starts with HTTPS. And third, it's maybe sort of tautological, but you need to use HTTPS in your dev environment so that you can test HTTPS. It doesn't make sense to wait until the very last minute, right before you want to go to production, and change everything and now make it secure, because a lot of things are going to start breaking right then, most likely mixed content errors. So if you're going to be running it securely in production, which you obviously should be, then you need to be testing it securely from the very beginning, so problems don't creep up on you.

And number four, when testing, use a real domain or subdomain that you own, or equivalently, do not use a fake domain or subdomain that you don't own. And yes, it's just the same thing repeated twice, but it's very important, so I'm emphasizing it. And the reason is simple. Why use a real domain? The issue is that if you use a fake domain you are going to have problems, not maybe, it's almost guaranteed at some point, and the specific problem is a name collision. A name collision is where traffic is unexpectedly going somewhere that you didn't want it to go. So if I use a fake domain and then I do local DNS, it'll work fine on my computer, but in any other context, like say running a Docker container where I forgot to set up that DNS, it's going to a completely different location, or if, you know, I give the code base to a friend and they run it, it's going to a completely different location. So you're not in charge of your own destiny when you're using a fake domain name that could route differently depending on where you're hitting it from. And this is also a huge problem if you're interacting with any third-party web services and they are trying to make requests to those URLs, and of course it's not working for them. And huge numbers of developers were developing and they used a fake domain, or a domain on a fake TLD, only for it to turn out to be real or later become real, which is sort of even worse, because things break on you later. Like, when you use a fake domain you're not in control of your own destiny. And at Google Registry we run 46 TLDs, and we know how big of a problem this is, because we get an unbelievable amount of misaddressed traffic to what are supposedly fake domain names that are actually real. And to really drive it home, two of the 46 TLDs that we run are .dev and .prod. If you've been using any domain names like that, stop immediately, because those are real and we're getting some of that traffic. So don't do that. I see some guilty faces, some guilty people in the audience here.

All right, so here's a simple example of the right way to do things. So use a real domain name. falcon11.app is a real domain name, and then get a wildcard certificate for all subdomains on falcon11.app; you can do that for free with Let's Encrypt. And then, depending on if you want just local DNS resolution, you can use the good old-fashioned /etc/hosts file, or if you want a network-level resolution solution, you can use something like dnsmasq. And the reason you would do this is you obviously don't want to route traffic worldwide to your local dev setup when it's not ready; like, you don't want to leak that information, so you only want it to resolve locally. But the key thing is it's still a real domain name, so you are in charge of where that traffic will go from the world, and you know it's never going anywhere unexpectedly, so therefore never any name collisions.

And the final tool for doing secure hosting is just use a service with automatic HTTPS, and there's so many of them these days. Some examples: Google App Engine, Firebase, Cloudflare, GitHub Pages, Netlify and many, many more. And this is the simplest possible way to get a secure website running. For many of these it's as simple as just hitting a single checkbox and you get automatic security, and for some of them it's even simpler than that, because the checkbox is checked by default, so it's zero steps to the best security. So what you get is you combine a cloud platform provider or hosting service that gives you automated security with a .app domain, which gives you automatic security from the domain level, and when you have those two combined you get the best-in-class, best possible, best practices security.

Now some of you may be moving existing websites over to .app. If that's the case, a few things to keep in mind. The first is that, assuming you want to maintain your search ranking, help out the Googlebot. Google needs to know that you're moving the domain so that you maintain your search ranking through the transition from one domain to another. There's an excellent Search Console Help Center article that walks you through the best practices. There's an FAQ that covers what you need to do to prepare for a site move, so I strongly encourage you to take a look at that if you ever move a website. I'm going to pause because I see a whole bunch of people taking pictures of the slide. All right, also the Help Center has a bunch of other tips on practices for making your HTTPS setup be ranking friendly. I also encourage you to check this out too.

All right, so just one last final reminder. The launch site is get.app. All the relevant information is there, or just look at what's on that sticker on the back of your laptop now, hopefully. And everyone here in attendance, go and get your free domain; follow the instructions in the email. For anyone who's not here, like on the live stream, or just people here who want more than one .app domain, the same. And the last note, and this is very important, is you should go out there and use these domain names. Don't just register them and park them. The security comes from using them. The security is getting more and more people on HTTPS on the web, and getting more of them on the best possible practices: domains that are HSTS preloaded. And do it on .app, because security is easier on .app than it is anywhere else.

All right, so thank you very much. Here is some social information and some links to check out. The last one is nomulus.foo. That's actually that shirt that you may have been wondering why I'm wearing. Nomulus is the name of our open source domain name registry platform that we use to run all 46 of our top-level domains, including .app. So if you ever had any curiosity about how domain names or top-level domains are actually run, from the perspective of inside the code base, you can go to nomulus.foo; it goes right to our GitHub and you can see the entire source code. And we're basically running out of time, so there won't be any questions, but we are going to be in the web dome G over there, so come talk to us afterwards. Thanks, everyone. Thank you.
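The HSTS behaviour the talk describes (a Strict-Transport-Security header remembered until its max-age runs out, plus a built-in preload list that can carry whole TLDs such as .app) modelled as a small browser-side decision procedure. This is an added example written for this transcript, not code from Chrome, Google Registry or the preload-list project; the class and function names and the preload contents (example.com as a preloaded host alongside the .app, .bank and .insurance TLDs the talk names) are this example's own assumptions.

```python
"""Model of how a browser decides whether an http:// navigation is upgraded
to https:// from HSTS headers and the preload list, including TLD-level
preload entries. Added example for this transcript; not Chrome's code.
"""
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the browser's built-in preload list. Every host
# entry on the real list also covers its subdomains, which is mirrored here.
# The TLD entries are the ones the talk names; example.com is an assumption.
PRELOAD_HOSTS = {"example.com"}
PRELOAD_TLDS = {"app", "bank", "insurance"}


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age_seconds, include_subdomains), or None when there is no
    valid max-age directive, in which case a browser ignores the header.
    """
    max_age = None
    include_sub = False
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsStore:
    """HSTS state: dynamic entries learned from headers plus the static preload list."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock, so expiry can be tested
        self._dynamic = {}         # host -> (expires_at, include_subdomains)

    def observe(self, host, header):
        """Record an HSTS header received over HTTPS; max-age=0 deletes the entry."""
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, include_sub = parsed
        host = host.lower().rstrip(".")
        if max_age == 0:
            self._dynamic.pop(host, None)
        else:
            self._dynamic[host] = (self._now() + max_age, include_sub)

    def is_hsts_host(self, host):
        """True if the browser must only ever speak HTTPS to this host."""
        labels = host.lower().rstrip(".").split(".")
        # TLD-level preload: the registry put the whole TLD on the list, so
        # every name under it is upgraded with zero per-site configuration.
        if labels[-1] in PRELOAD_TLDS:
            return True
        # Walk from the exact host up through its parents. A parent domain
        # covers this host only if its entry includes subdomains.
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in PRELOAD_HOSTS:
                return True
            entry = self._dynamic.get(candidate)
            if entry is None:
                continue
            expires_at, include_sub = entry
            if expires_at <= self._now():
                continue           # max-age ran out without a refresh
            if i == 0 or include_sub:
                return True
        return False

    def navigate(self, url):
        """Return the URL the browser actually connects to for a typed or clicked URL."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_hsts_host(parts.hostname or ""):
            return url
        netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore()
    for url in ("http://falcon11.app/login", "http://nameofapp.com/"):
        print(url, "->", store.navigate(url))
```

With the real preload list, falcon11.app is upgraded on the very first request, whereas nameofapp.com is only upgraded after the browser has seen the header once and only until the max-age lapses.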
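A mixed-content check of the kind the talk recommends running before a site goes live on .app: it parses a page, finds subresources referenced over plain http:// and classifies them as active (scripts, iframes, stylesheets, which browsers block) or passive (images and media, which load but downgrade the security UI). This is an added example, not a tool from the talk or from Chrome or Lighthouse; the sample page is constructed, using falcon11.app from the talk as the page origin and made-up *.example.net hosts for the CDN.

```python
"""Mixed-content scanner for an HTTPS page. Added example for this
transcript; not code from the talk, Chrome DevTools or Lighthouse.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> attributes that reference a subresource, grouped by how browsers
# treat an http:// reference on an https:// page.
ACTIVE = {"script": ("src",), "iframe": ("src",), "object": ("data",),
          "embed": ("src",), "link": ("href",)}
PASSIVE = {"img": ("src",), "audio": ("src",), "video": ("src",),
           "source": ("src",)}


class MixedContentScanner(HTMLParser):
    """Collects (tag, absolute_url, kind) for every http:// subresource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            # Only stylesheet links are treated as active content here;
            # other rel values (icon, preconnect, ...) are skipped for simplicity.
            rel = (attrs.get("rel") or "").lower().split()
            if "stylesheet" not in rel:
                return
        for table, kind in ((ACTIVE, "active"), (PASSIVE, "passive")):
            for attr in table.get(tag, ()):
                value = attrs.get(attr)
                if value:
                    self._check(tag, value, kind)

    def _check(self, tag, value, kind):
        # Relative and protocol-relative ("//host/x") references inherit the
        # page's https scheme, so only absolute http:// references are mixed.
        absolute = urljoin(self.page_url, value.strip())
        if urlsplit(absolute).scheme == "http":
            self.findings.append((tag, absolute, kind))


def scan(page_url, html):
    """Return the mixed-content findings for one page's HTML."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def suggest_fixes(findings):
    """First thing to try per finding: the same URL with the extra 's' added.

    Whether the host really serves it over HTTPS must be confirmed with a
    request; if not, a dedicated secure hostname or a change to the vendor
    contract may be needed, as the talk notes.
    """
    return [(url, "https://" + url[len("http://"):], kind) for _, url, kind in findings]


# Constructed sample page: four http:// subresources, three active and one
# passive; the protocol-relative logo and the local image are fine.
SAMPLE_URL = "https://falcon11.app/"
SAMPLE_HTML = """<!doctype html><html><head>
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<link rel="icon" href="http://cdn.example.net/favicon.ico">
<script src="https://cdn.example.net/app.js"></script>
<script src="http://cdn.example.net/analytics.js"></script>
</head><body>
<img src="//cdn.example.net/logo.png">
<img src="/static/local.png">
<img src="http://images.example.net/hero.jpg">
<iframe src="http://widgets.example.net/chat"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, url, kind in scan(SAMPLE_URL, SAMPLE_HTML):
        verdict = "blocked by the browser" if kind == "active" else "loads, UI downgraded"
        print(f"<{tag}> {url}: {kind} mixed content ({verdict})")
```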