Google secures HTTPS with HSTS across google.com

Jul 31, 2016 21:20 GMT

On Friday, Google's security team announced that it had finished rolling out HSTS support to all of the company's products served from the google.com domain.

The move comes after months of testing to make sure the feature covered all the services, including APIs, not just the main Web interfaces.

HSTS stands for HTTP Strict Transport Security; it is a Web security mechanism supported by all of today's browsers and Web servers.

HSTS protects HTTPS against several SSL attacks

The technology lets webmasters protect their service and their users against HTTPS downgrade attacks, man-in-the-middle attacks, and cookie hijacking on HTTPS connections.

Once a browser has seen the HSTS policy, it refuses to fall back to a plain HTTP connection when accessing Google, and it forcibly redirects the user to HTTPS wherever possible.

The technology is widely regarded as the best way to protect HTTPS connections against the most common attacks on SSL but has not been widely adopted.

95% of HTTPS websites still don't use HSTS

A Netcraft study from last March found that 95% of all servers running HTTPS either fail to set up HSTS at all or deploy it with configuration errors. Because of this, Google's team spent a great deal of time testing.

"Ordinarily, implementing HSTS is a relatively basic process," Google's Jay Brown, Sr. Technical Program Manager, explained on Friday. "However, due to Google's particular complexities, we needed to do some extra prep work that most other domains wouldn't have needed to do. For example, we had to address mixed content, bad HREFs, redirects to HTTP, and other issues like updating legacy services which could cause problems for users as they try to access our core domain."

Brown says that during HSTS testing the team managed to break Google's famous Santa Tracker last December. The problem was fixed, but the incident shows how wide a range of products the engineers had to verify were working properly after the HSTS deployment.