
I know the .dev top-level domain requires all sites to support only encrypted HTTPS connections, disallowing any HTTP connections.

Are there other such TLDs?

2 Answers


A direct answer to this would eventually become outdated if more top-level domains start enforcing HTTPS using HTTP Strict Transport Security (HSTS, RFC 6797). Technically, this is an HSTS policy of a TLD submitted to the preloading list. It started with Google's new TLDs,

The HSTS preload list can contain individual domains or subdomains and even top-level domains (TLDs), which are added through the HSTS website. The TLD is the last part of the domain name, e.g., .com, .net, or .org. Google operates 45 TLDs, including .google, .how, and .soy. In 2015 we created the first secure TLD when we added .google to the HSTS preload list, and we are now rolling out HSTS for a larger number of our TLDs, starting with .foo and .dev.

and there have even been preliminary thoughts on the possibility of protecting the entire .gov in the future:

Zooming out even further: it’s technically possible to preload HSTS for an entire top-level domain (e.g. “.gov”), as Google first did with .google. As a relatively small, centrally managed top-level domain, perhaps someday .gov can get there.

To know the current situation, one must consult the Chromium HSTS Preloaded list.

The preloaded list is also available on Chromium's GitHub mirror; the raw version in particular is convenient for curl or wget. The list is non-standard JSON with comment lines. It is possible to analyse it with jq after removing the comments with, e.g., sed.

Here, jq lists all domain names on the preloaded list that have include_subdomains set, and grep reduces them to TLDs:

# 1. blank out the leading // comment lines (they are not valid JSON)
# 2. drop the now-empty lines
# 3. print the name of every entry that covers its subdomains
# 4. keep only single-label names (an optional leading/trailing dot is tolerated)
cat transport_security_state_static.json \
  | sed 's/^\s*\/\/.*//' \
  | sed '/^$/d' \
  | jq -r '.entries[]|select(.include_subdomains==true)|"\(.name)"' \
  | grep -P "^\.?[a-z]*\.?$"

To search for public suffixes instead of TLDs:

cat transport_security_state_static.json \
  | sed 's/^\s*\/\/.*//' \
  | sed '/^$/d' \
  | jq -r '.entries[] | select(.policy=="public-suffix" and .include_subdomains==true) | .name'

Esa Jokinen
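The same procedure in a self-contained form, as an added example that is not part of the answer or of the Chromium project: it strips the `//` comment lines from a constructed snippet laid out like transport_security_state_static.json, extracts the preloaded TLDs and public-suffix entries, and additionally resolves which preloaded entry forces HTTPS for a given hostname. The sample entries, their policy values and the `covering_entry` helper are constructed for illustration.

```python
import json
import re

# Constructed sample mimicking the layout of Chromium's transport_security_state_static.json:
# `//` comment lines, then a JSON object whose "entries" array holds one object per
# preloaded name. Policy and mode values are constructed, not copied from the real file.
SAMPLE = """\
// Copyright notice and explanatory comments make the file non-standard JSON.
// They must be stripped before a JSON parser will accept it.
{
  "entries": [
    { "name": "dev", "policy": "public-suffix", "mode": "force-https", "include_subdomains": true },
    { "name": "google", "policy": "google", "mode": "force-https", "include_subdomains": true },
    { "name": "example.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
    { "name": "now.sh", "policy": "public-suffix", "mode": "force-https", "include_subdomains": true },
    { "name": "nosub.test", "policy": "public-suffix", "mode": "force-https", "include_subdomains": false }
  ]
}
"""

COMMENT_LINE = re.compile(r"^[ \t]*//.*$", re.MULTILINE)

def load_preload_entries(text):
    """Drop whole-line // comments (the sed step in the answer) and parse the JSON."""
    return json.loads(COMMENT_LINE.sub("", text))["entries"]

def preloaded_tlds(entries):
    """Single-label names with include_subdomains: HSTS is enforced for the whole TLD."""
    return sorted(e["name"].strip(".") for e in entries
                  if e.get("include_subdomains") and "." not in e["name"].strip("."))

def preloaded_public_suffixes(entries):
    """Names carrying the public-suffix policy with include_subdomains (TLDs included)."""
    return sorted(e["name"] for e in entries
                  if e.get("policy") == "public-suffix" and e.get("include_subdomains"))

def covering_entry(hostname, entries):
    """Return the preloaded name that forces HTTPS for `hostname`, or None.
    An exact match always applies; an ancestor applies only if include_subdomains is set."""
    by_name = {e["name"].strip(".").lower(): e for e in entries}
    labels = hostname.strip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        entry = by_name.get(candidate)
        if entry and (i == 0 or entry.get("include_subdomains")):
            return candidate
    return None

if __name__ == "__main__":
    entries = load_preload_entries(SAMPLE)
    print("Preloaded TLDs:", preloaded_tlds(entries))
    print("Preloaded public suffixes:", preloaded_public_suffixes(entries))
    print("api.foo.dev is covered by:", covering_entry("api.foo.dev", entries))
```

Point `load_preload_entries` at the raw file fetched from the Chromium mirror to run it against the real list instead of the constructed sample.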

This was generated using the procedure in Esa Jokinen's answer, but it seemed like it might be useful to have a literal list, even if it does need to be updated periodically.

HSTS Preloaded TLDs

  • amazon
  • android
  • app
  • audible
  • azure
  • bank
  • bing
  • boo
  • channel
  • chrome
  • dad
  • day
  • dev
  • eat
  • esq
  • fire
  • fly
  • foo
  • fujitsu
  • gle
  • gmail
  • google
  • hangout
  • hotmail
  • imdb
  • ing
  • insurance
  • kindle
  • meet
  • meme
  • microsoft
  • mov
  • new
  • nexus
  • office
  • page
  • phd
  • play
  • prime
  • prof
  • rsvp
  • search
  • silk
  • skype
  • windows
  • xbox
  • youtube
  • zappos
  • zip

HSTS Preloaded Public Suffixes

(this portion of the answer is likely to go out of date faster)

  • bmoattachments.org
  • now.sh
  • cnpy.gdn
  • gentapps.com
  • onavstack.net
9072997