.app arrives, Google's alternative to .com for apps with mandatory HTTPS

Ahead of its IO developer conference this month Google has announced the .app top-level domain (TLD), the first TLD that requires encrypted HTTPS connections. 

Google, a major advocate of HTTPS by default, acquired the .app TLD in 2015 as part of ICANN’s generic TLD (gTLD) sell-off in 2012 that expanded TLD’s beyond .com, .org, and .gov. Google paid $25 million for .app and will make domains under it available to the public from May 8.   

Web developers that join Google's Early Access Program can have registered names from at 9:00am PDT today and will be able to do so through to May 7 for an additional fee. Obvious names will likely be taken by the time .app is available to through non-Google domain registrars.  

The .app TLD is the first overarching domain to be implemented with the preload list for sites that support the HTTPS Strict Transport Security (HSTS). It will give developers of Android and iOS apps a space to promote their apps on the web with the added benefit of default security protections, at the same time as moving the dial on Google's ambition for the web to be totally HTTPS.  

Sites, sub domains and TLDs can be added to the preload list — which are hardcoded into Chrome, Safari, Firefox, Internet Explorer 11, Edge, and Opera — and ensure that if a user types in the HTTP address of sites on the list, they’ll automatically be connected to the HTTPS version. 

HTTPS only encrypts web traffic in transit, not once it arrives at a service provider's servers. However, Google says the HSTS-by-default .app TLD will help protect users against malicious ads, ISP tracking, and privacy threats from using unsecured WiFi networks.  

“Because .app will be the first TLD with enforced security made available for general registration, it’s helping move the web to an HTTPS-everywhere future in a big way,” wrote Google’s CIO, Ben Fried. 

While Microsoft has backed HSTS, key sites such as, which it has enabled HTTPS for, fail the the preload list test, according to the HSTS preload site.

The .app TLD supports Google’s push to make HTTPS the default on the web, which it accelerated after former NSA contractor Edward Snowden revealed PRISM and other government surveillance programs. 

Google will reveal more details about its new secure TLD at Google IO on May 8. 

“.app, the web's first secure-only open top-level domain (TLD) for mobile apps and developers, is launching on May 8. This in-depth technical talk covers use cases for .app domain names, HTTP Strict Transport Security (HSTS), best practices for secure website development, and the unique security benefits of .app domains thanks to TLD-wide HSTS,” Google explains in its online brochure.