We're a featured .app domain on Google's Registry
We're proud to have been listed on Google's 1 year anniversary post about the launch of the .APP top level domain.
A year of .APP
A year ago, on May 8th 2018, Google launched a new top level domain (TLD) called .app.
At that time, Oh Dear! had just launched on the ohdearapp.com domain. It was a no-brainer for us to migrate our domain from ohdearapp.com to ohdear.app. The launch of the .APP TLD was perfectly timed for us!
Within the first couple of weeks, we registered the domain and moved all our services over to the ohdear.app domain.
Improved security with HSTS
HSTS stands for HTTP Strict Transport Security. It's a mechanisme that allows a website to signal that it should only be reached via HTTPS - the encrypted HTTP - instead of the plain text HyperText Transfer Protocol.
When we were at our .com domain, we added the following header to our website and all its pages.
$ curl -I https://ohdearapp.com ... Strict-Transport-Security: max-age=31536000
Whenever a browser would visit our site, it would remember for 31536000 seconds (365 days) that it can only reach our domain via HTTPS.
This prevents man-in-the-middle attacks where a connection would be downgraded from HTTPS to HTTP to snoop on the data being transferred over the wire.
With the .app domain, we no long need this.
TLD-wide implementation of HSTS
More acronyms! ;-)
One of the nice features of having a .APP domain, is that it automatically requires HTTPS. There is no workaround.
Why? Because browsers have a thing called preloaded HSTS lists. Instead of waiting to visit a site for the first time, to read the HSTS header, browsers have lists of domains that want to have that configuration preloaded. Usually, those lists include specific domains.
However, for .APP (and a few others, like .DEV), there's a TLD-wide preload. That means browsers that trust this list (which is Chrome + Firefox and many others) will automatically upgrade an HTTP connection to HTTPS for every domain ending in .APP.
We no longer need this header (although we might as well have just left if there, there's no harm in that) and it makes the entire .APP top level domain safer as it enforces HTTPS.
Since one of our focusses is the extensive monitoring of HTTPS certificates, we applaud any action that encourages the use of HTTPS over HTTP.