Google rolls out .app domains with built‑in HTTPS

The move is part of the company’s HTTPS-everywhere vision for the internet

The move is part of the company’s HTTPS-everywhere vision for the internet

Google has rolled out .app, a new top-level domain (TLD); it is the first TLD to require HTTPS (encrypted) traffic (unencrypted (HTTP) traffic is disallowed), according to an announcement by the search giant’s CIO Ben Fried.

The company opened up .app domains for registration as part of the Early Access Program on Google Registry on May 1. The domains will be up for grabs for the general public through other registrars from May 8.

“A key benefit of the .app domain is that security is built in—for you and your users. The big difference is that HTTPS is required to connect to all .app websites, helping protect against ad malware and tracking injection by ISPs, in addition to safeguarding against spying on open WiFi networks,” reads the press release.

The domain is geared towards app developers in particular, although, in fact, Domain Name Wire quoted a Google representative as saying in March that the domain is not reserved exclusively for them. Some of the early adopters of .app domains are featured on



“Even if you spend your days working in the world of mobile apps, you can still benefit from a home on the web. With a memorable .app domain name, it’s easy for people to find and learn more about your app. You can use your new domain as a landing page to share trustworthy download links, keep users up to date, and deep link to in-app content,” according to the announcement.

Google, which paid $25 million for .app in 2015, controls a total of 45 TLDs, including .how, .dad, .eat, .soy, or .google. According to the global domain name authority ICANN, the internet has 1,543 TLDs as of May 4.

The move is part of Google’s HTTPS-everywhere vision for the internet. In February, for example, the company announced that Chrome 68, due in July of this year, will mark all HTTP websites as “not secure”.

Finally, a quick note: HTTPS, or Hypertext Transfer Protocol Secure, encrypts web traffic, making sure that submitted data is safe from prying eyes while in transmission. It is, therefore, important to check for the presence of HTTPS in the browser’s address bar whenever we submit sensitive data to a website. However, the protocol’s presence alone does not automatically guarantee safety from a number of other threats. Even a site that has HTTPS can be malicious: phishing sites, for example, have been increasingly embracing HTTPS.

Sign up to receive an email update whenever a new article is published in our Ukraine Crisis – Digital Security Resource Center