Zit Seng's Blog

A Singaporean's technology and lifestyle blog

Chrome Update Has Something For This Blog

The Google Chrome browser gets updates quite often. This week, however, we have the promotion of Chrome 65 to the stable channel. Such promotions aren’t unusual per se. However, Chrome 65 does have something special for this blog. I’ve waited for some time to announce this, so here it is.

From Chrome 65, all accesses to this blog, ZitSeng.com, are required to use TLS (i.e. SSL). Any attempt to connect insecurely, such as manually typing a non-secure URL like http://zitseng.com/ into the location bar, will automatically be converted to use HTTPS. This is a hardcoded behaviour of Chrome. There’s nothing you have to do, and even the first-ever visit from a freshly installed Chrome (from version 65 onward) will know to use HTTPS.

This automatic upgrade from HTTP to HTTPS is known as HSTS, or HTTP Strict Transport Security. Ordinarily, a browser will have to visit the website once to discover the HSTS policy. However, a hardcoded list can also be preloaded into browsers so they already know right from the start, even before visiting the website for the first time, to use HTTPS only.
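The difference between a learned policy and a preloaded one, as an added example (not code from this blog or from any browser): a toy model in which a fresh browser only upgrades after it has seen the header over HTTPS, while one shipped with a preload entry upgrades on the very first request. The class and method names are hypothetical, the header value is constructed, and preloaded entries are assumed to cover subdomains.

```python
from urllib.parse import urlsplit

class HstsBrowser:
    """Toy model of a browser's HTTP-to-HTTPS upgrade decision under HSTS."""

    def __init__(self, preloaded=()):
        self.preloaded = set(preloaded)  # list shipped inside the browser build
        self.dynamic = {}                # host -> (expiry, include_subdomains)

    def _known(self, host, now):
        labels = host.split(".")
        for i in range(max(1, len(labels) - 1)):  # the host, then its parents
            name = ".".join(labels[i:])
            if name in self.preloaded:  # assumed to cover subdomains too
                return True
            expiry, subs = self.dynamic.get(name, (0, False))
            if expiry > now and (i == 0 or subs):
                return True
        return False

    def resolve(self, url, now=0):
        """Return the URL the browser would actually request."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self._known(parts.hostname, now):
            return parts._replace(scheme="https").geturl()
        return url

    def note_response(self, url, sts_header, now=0):
        """Learn a policy from Strict-Transport-Security; HTTPS responses only."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            return  # a header seen over plain HTTP is untrusted and ignored
        directives = [d.strip().lower() for d in sts_header.split(";")]
        ages = [d.split("=", 1)[1].strip('"') for d in directives
                if d.startswith("max-age=")]
        if not ages or not ages[0].isdigit():
            return
        if int(ages[0]) == 0:
            self.dynamic.pop(parts.hostname, None)  # max-age=0 removes the policy
        else:
            subs = "includesubdomains" in directives
            self.dynamic[parts.hostname] = (now + int(ages[0]), subs)

def demo():
    header = "max-age=31536000; includeSubDomains"  # constructed sample value
    fresh, shipped = HstsBrowser(), HstsBrowser(preloaded={"zitseng.com"})
    first = (fresh.resolve("http://zitseng.com/"), shipped.resolve("http://zitseng.com/"))
    fresh.note_response("https://zitseng.com/", header)
    return first, fresh.resolve("http://zitseng.com/", now=10)
```

The first pair returned by `demo()` shows the gap that preloading closes: the fresh browser's first request still goes out over HTTP, and it only upgrades once the policy has been learned.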

To verify this for ZitSeng.com in Chrome, type chrome://net-internals/#hsts into the URL bar. Then, under the Query HSTS/PKP domain section, type zitseng.com into the query box. You will see the static_sts_domain field, among others, populated to tell you that Chrome already knows about the HSTS policy for this domain from its preloaded hardcoded list.

Other websites, such as Google’s own, also have the HSTS policy statically defined. This ensures that your access to all these websites is always strongly protected with HTTPS.

This statically defined list is also used in Firefox, Safari, Internet Explorer, Edge, and several others.

The steps to get a website preloaded into this statically defined list are simple, but you’d need some patience. Just visit the HTTPS Preload List Submission website and follow the instructions there. Then, you’ll have to wait. You see, this list is collated and put into the browser’s source code, so as you can imagine, it does take time for source code changes to ultimately surface in a released version of the software.

For my website, I made my HSTS Preload submission some time in January 2018. The update entered the Chromium source repository on 19 January 2018. Those changes were slated for Chrome 65’s release, which finally happened on 6 March 2018. The wait in my case is about three months.

Hence, if you are planning to submit your domain, do know that you’ll have to wait for some time. Getting into the list itself is quick, but for that list to get updated into released software will depend on the browser’s release schedule.
