How does Google force HTTPS on their .app TLD?


Question

At I/O 2018 Google announced their new .app TLD and they said that it will be HTTPS only.

I thought that DNS just maps domain names to IPs.

How are they forcing HTTPS?

Accepted answer

(A bit off topic here)

It is called HSTS Preloading, see https://hstspreload.org/

HSTS (HTTP Strict Transport Security) is a way for servers to reply to clients: please contact me over HTTPS only (see https://www.troyhunt.com/the-6-step-happy-path-to-https/ for examples). It enhances security but still does not solve one case: the first connection to a given server can happen over HTTP before the browser learns it should have used HTTPS instead.

Hence comes the "preloading" of HSTS.

Basically this is a hardcoded list embedded in all major browsers' code (see https://caniuse.com/#feat=stricttransportsecurity for compatibility depending on browser and version, or see at the bottom for links to code[1]) that says which domains/TLDs are HSTS enabled, which means no HTTP connection is allowed to them at all.

Notes:

  1. Anyone can submit names to this list by following some requirements, see https://hstspreload.org/#submission-requirements
  2. Google (as it started with Chrome, but it is now spread among browsers) welcomes inclusion of TLDs and not only hostnames, see the end of the document at https://hstspreload.org/ ("TLD Preloading")

They already did add .DEV in the past (the TLD by itself is not live yet, but Google will launch it "soon"), which broke many developers' setups where they used (wrongly) a .DEV domain name to name their local resources, and as soon as their browsers were updated with the newer HSTS preloading list, they refused to connect to their local .DEV host without HTTPS. You can find here and elsewhere (ex: https://ma.ttias.be/chrome-force-dev-domains-https-via-preloaded-hsts/) many horror stories of developers up in arms against that, and also many people offering bad solutions for that (like disabling HSTS preloading, which is a very bad idea).

Also, when you buy a .APP domain name (and it will be the same for .DEV), Google (as registry of .APP) made sure contractually with all registrars that they will, during checkout of a .APP domain name purchase, display a prominent message saying something along the lines of: ".APP is a secure TLD and websites will only work with an SSL certificate (sic); make sure to buy an SSL certificate" ("SSL certificate" is straight out of Google's documentation and this is very sad to read from them, since it is a doubly wrong term; it should have been an "X.509 certificate" or, in order not to frighten anyone, at least a "certificate used for TLS communications", as no one should use SSL anymore nowadays...).

By the way, .APP opened to the public at standard prices yesterday, May 8th.

Of course all of that is only related to web browsing. You could set up any other kind of service, like email, on top of a .APP domain name, without any mandatory TLS (which of course is not a good idea nowadays, but nothing will prevent you from doing that). For email, there is ongoing discussion to have basically HSTS but for MTAs, see https://datatracker.ietf.org/doc/draft-ietf-uta-mta-sts/

[1] see some source code with the HSTS preloading list:

or you can use the API at https://hstspreload.com/ to learn if a name is on the list
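To make the two mechanisms in the answer concrete, here is an added example (not from the original answer or from any browser's code): a constructed miniature preload list that covers whole TLDs like `.app`, the lookup a browser performs before sending any plaintext request, and a check of a `Strict-Transport-Security` header value against the submission requirements listed at hstspreload.org. The list contents and the `example.org` entry are assumptions for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed miniature of a browser's HSTS preload list, for illustration only;
# real browsers embed the full list published at hstspreload.org.
# Whole TLDs such as "app" and "dev" are entries with include_subdomains set.
PRELOAD_LIST = {
    "app": {"include_subdomains": True},
    "dev": {"include_subdomains": True},
    "example.org": {"include_subdomains": False},  # hypothetical host entry
}

def is_preloaded(host):
    """Match like a browser: an exact entry forces HTTPS; a parent entry
    forces it only if it was registered with include_subdomains."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        entry = PRELOAD_LIST.get(".".join(labels[i:]))
        if entry is not None and (i == 0 or entry["include_subdomains"]):
            return True
    return False

def upgrade_url(url):
    """Return the URL actually fetched: http:// becomes https:// for a
    preloaded host before any plaintext request goes out; others are untouched."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not is_preloaded(parts.hostname or ""):
        return url
    port = f":{parts.port}" if parts.port not in (None, 80) else ""
    return urlunsplit(("https", parts.hostname + port, parts.path,
                       parts.query, parts.fragment))

def preload_eligible(sts_header):
    """Check a Strict-Transport-Security value against the hstspreload.org
    submission requirements: max-age of at least one year (31536000 s),
    includeSubDomains, and the preload directive."""
    directives = {}
    for directive in sts_header.split(";"):
        name, _, value = directive.strip().partition("=")
        directives[name.lower()] = value.strip().strip('"')
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return False
    return (max_age >= 31536000
            and "includesubdomains" in directives
            and "preload" in directives)
```

Because the TLD entry carries include_subdomains, every host under `.app` is upgraded even if the browser has never seen it before, which is exactly the first-connection gap that a plain HSTS header cannot close.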
