Hacker News
Introducing .app, a more secure home for apps on the web (blog.google)
395 points by daniel-alex on May 1, 2018 | 366 comments



Here is a small script for the Terminal lovers.

    #!/bin/bash
    # Query the get.app availability endpoint for "<name>.app" (defaults to "google").
    set -eu
    DOMAIN="${1:-google}"
    RESPONSE=$(
        curl -s \
        -H "Accept-Language: en-us" \
        -H "Accept: */*" \
        -H "Connection: keep-alive" \
        -H "Host: domain-registry.appspot.com" \
        -H "Origin: https://get.app" \
        -H "Referer: https://get.app/" \
        -H "User-Agent: Mozilla/5.0 (KHTML, like Gecko) Safari/537.36" \
        "https://domain-registry.appspot.com/check?domain=${DOMAIN}.app"
    )
    # Prepend a "domain" field to the returned JSON object so the output says which name was checked.
    echo "$RESPONSE" | sed "s/{\"/{\"domain\":\"${DOMAIN}.app\",\"/g"


Simpler:

    $ curl -sL "https://domain-registry.appspot.com/check?domain=${DOMAIN}.app"
    {"status":"success","available":true,"tier":"standard"}


This is confusing because Mac apps literally end in that extension, and if I say Messages.app you would know what I mean.

Also, if I say “dingus dot app” it confuses people because that’s not a mobile app, it’s a site or web app.


Old DOS executables (actually, commands) (which still run on Windows) ended in .com; there was an overlap with the Internet when they were still quite common (command.com was how you started a command prompt on Windows 95), and no-one seemed to get confused.


This is a fair & fun point, however maybe a bit of a stretch to compare here; DOS binaries were almost all .EXE well into DOS 3.x, which was many generations before Windows 95. I would say the exception to that had been command.com.


Registration opens May 8th.

I went through a few of the registrars and got error messages that the TLD wasn’t supported.

Godaddy of course has a solidly gouging pre-registration price.

Set an alarm to park park park.

Edit: Godaddy isn’t straight up gouging. Seems like dictionary words are much more expensive than made up words or non-dictionary brand names.

Name.com somehow has a “buy it now” option in the 10k+ range. Curious how that works.


.app is in the sunrise phase right now -- I think all the registrars pay the same wholesale rate and it's possible that the actual price is set as well.

It'll drop to the regular price on 5/8.


If you are looking to park an obvious bell-ringer it looks like just about every Fortune 500 has already had their domains pre-registered. Even McDonalds.app is registered.

Happy hunting.


Not surprisingly Google has already prevented registration (pre-pre-registration) of anything related to their services: alphabet[1], chrome[2], chromeos[3], etc... I guess you can do whatever you want when you own the domain extension.

[1] https://www.godaddy.com/dpp/find?checkAvail=1&tmskey=&domain...

[2] https://www.godaddy.com/dpp/find?checkAvail=1&tmskey=&domain...

[3] https://www.godaddy.com/dpp/find?checkAvail=1&tmskey=&domain...


> Mar 29 - May 1: Trademark holders can register .app domains (known as the "Sunrise" period).


Not sure why this is surprising to you. Of course I'll protect against namesquatting if I have the right to first dibs.


Note that most registrars participating in EAP or landrush charge a non-refundable fee, which is a major chunk of the price increase from day 7 to day 1. It doesn't seem that there is "no cost" to participating in this period if one doesn't get the domain name.


Why can't they add a new URL scheme "secure://" to Chrome that will only support HTTPS?

Adding a new scheme would support all existing https websites on the internet today with no need to pay anyone money or rush to reserve domains.

This .app thing is needlessly difficult, and just a way for Google to push its brand on technology concepts en-masse, like the .dev fiasco. Now everyone in the world has to register a new domain (and make it work for their site) to make sure their URL is always secure.


How would "secure://" differ from "https://"?


Most people don't know what https:// means, and it is often confused with http://. Plus, https:// has allowed people to do things like click through certificate warnings, which secure:// should never do. Finally, secure:// should require all standard best practices for the security of web apps, first simply by refusing to render obviously insecure sites, and then by requiring extra parameters.


Starting today at 9:00am PDT and through May 7, .app domains are available to register as part of our Early Access Program, where, for an additional fee, you can secure your desired domains ahead of general availability.

Additional fee:

hackernews.app is available! CA $25.72 per year (pre-registration) CA $16,082.01 (early access)

Helluva fee.

https://www.name.com/preorder/app?domain=hackernews.app&tld=...


Does GoDaddy refund if you don't get the domain?

EDIT: Found the FAQ -

Does pre-registering a domain guarantee I'll get it? No. Pre-registering reserves your place in our queue for that domain. The instant the registration phase opens, we'll submit our list of registrations electronically. If you don't get the domain you've pre-registered, we'll refund the cost of the registration. Any application fees are non-refundable however.


Is the "Early Registration Fee" considered a "cost of registration" or "application fee"? It's listed as "Early Registration Fee (non-refundable)" in the cart.


So, Google paid big bucks to secure a juicy top-level domain name. Now it says it's good because "hey, if you pay us money, we'll get you in our registry, call you secure, prominently display you in search (not now, but logical next step), and pretend it's all for great good and not to extend and protect our dominance".

IANA's decision to expand and auction off top-level domains was a horrible idea.


So what registrars are taking part in the Early Access Program?



How does this work technically? What prevents use of plaintext http on these domains? The preloading seems like a browser specific feature.


HSTS can be enabled for a whole domain. See here: https://hstspreload.org/#tld

General information about HSTS: https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

But you are right that it is a browser thing.


It is only enforced by the browser. So curl and similar stuff still works. But on a sidenote: why shouldn't it? It is just a domain; whatever is running on the resolving IP address is up to the server administrator.


I don't think there's anything stopping you from using plain http when _not_ using a browser, such as through a server-side http client or a random python script you could whip up in 2 minutes.

From what I can tell, the only enforcement is this gentleman's agreement between the browsers.
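The enforcement these comments describe, as an added example (not code from the thread or from Google): a minimal reimplementation in Python of the browser-side HSTS preload upgrade for a preloaded TLD. The preload entries below are constructed stand-ins shaped like Chromium's transport_security_state_static.json entries; a client that never consults such a list, such as curl, sends the http URL exactly as given.

```python
"""Browser-side HSTS preload upgrade, applied to a TLD-wide entry like .app.

The PRELOAD list is constructed for this example; it mirrors the field names
(name / mode / include_subdomains) used by Chromium's shipped preload list but
is not that list.
"""
from urllib.parse import urlsplit, urlunsplit

# Constructed preload list: a TLD-wide entry (as .app has) and a single-host entry.
PRELOAD = [
    {"name": "app", "mode": "force-https", "include_subdomains": True},
    {"name": "example.com", "mode": "force-https", "include_subdomains": False},
]


def preload_entry(host: str):
    """Return the preload entry governing HOST, or None.

    Matching happens on DNS-label boundaries: 'notanapp' must not match the
    'app' entry, while 'example.app' and 'a.b.example.app' do because the entry
    sets include_subdomains. A trailing dot (FQDN form) is ignored.
    """
    host = host.rstrip(".").lower()
    for entry in PRELOAD:
        name = entry["name"]
        if host == name:
            return entry
        if entry["include_subdomains"] and host.endswith("." + name):
            return entry
    return None


def upgrade_url(url: str) -> str:
    """Rewrite an http:// URL to https:// when its host is HSTS-preloaded.

    Follows RFC 6797 section 8.3: an explicit port 80 becomes the https default
    (443, written implicitly), any other explicit port is preserved, and URLs
    that are not plain http are returned unchanged.
    """
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname is None:
        return url
    entry = preload_entry(parts.hostname)
    if entry is None or entry["mode"] != "force-https":
        return url
    host = parts.hostname  # urlsplit already lowercases the host
    if parts.port is not None and parts.port != 80:
        host = f"{host}:{parts.port}"
    return urlunsplit(("https", host, parts.path, parts.query, parts.fragment))


def curl_like_client(url: str) -> str:
    """A client with no preload list does no upgrade: the request goes out as typed."""
    return url


if __name__ == "__main__":
    for u in ("http://example.app/login?x=1", "http://example.app:8080/api",
              "http://notanapp.com/", "http://www.example.com/"):
        print(f"browser: {upgrade_url(u):40}  curl: {curl_like_client(u)}")
```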


Still waiting for them to release the .dev domains


Everyone that has been using that for local development agrees. Though the writing on the wall has been there for awhile - https://iyware.com/dont-use-dev-for-development/


.. and I am still waiting for .ing personally.


Me too, Dan. Me too.


Why does "his.app" cost $499.99 for pre-registration, but "her.app" only costs $249.99? :)

Is this some built-in gender bias?


I am new to domain trading. I have one question - Would I be sued (i.e is it legal?) if I buy some .app domains related to some popular apps of my country and list their google play store and apple store link with some ads on those domains?


I don't know if it's illegal, but unless you have a trademark on those names, you're almost certain to lose them.


It's a bidding war. Someone already bid 249.99 for "his.app". Next step up is 499.99. If you buy her.app for 249.99, then both will cost 499.99.


Christ!


Are sex.app and dating.app already registered?


sex.app returns this "available: false, reason: in use".

dating.app returns this "available: true, tier: premium"


why is it premium?


Because it says dating :) Registrars can decide on a set of names they wish to withhold; they are usually dictionary names with great interest involved.


Moves like this intrigue me.

On the one hand, I support creating new platforms with security built-in by default, but on the flip side, the Chrome team just axed HPKP without even so much as bothering to try to refine it to mitigate the footguns.

I don't understand how the web-facing security decisions at Google are made. :/


There are motivating reasons for that[0]. The Expect-CT header is its replacement, and is getting picked up by recent versions of Chrome.

[0]: https://scotthelme.co.uk/im-giving-up-on-hpkp/


Yep. I contributed rather substantially to one of those reasons with a talk on abuse cases for hpkp at defcon two years back.

I'm still disappointed. I don't feel expect-ct effectively covers the same use cases.


What if I put my app's REST backend on my .app domain? Are .app domains only allowed to host brochureware?


The only restriction with .app domains is that HTTPS is enforced when connecting from a web browser. We definitely encourage you to use .app for more than mere brochureware, and of course we also encourage you to encrypt all APIs (REST or otherwise). This will be enforced by browsers if said APIs are being hit from a webpage.


Finally! I've been waiting for this for the last 11 years http://www.laktek.com/2007/05/18/app-tld-for-web-application...


HSTS seems to require the website to conform to what google defines as 'Serve a valid certificate.' Does this mean that self-signed certs will not be acceptable for a .app domain and centralized certificate authorities will be required?


Validity of SSL certificates is enforced by web browsers. If you choose to allow your self-signed certs in your browser then it will work for you, though of course not for other people.


The defining feature here seems to be HSTS - all .app domains will connect via HTTPS by default, and never try HTTP. Which is nice.

Otherwise... eh. In theory this becomes a home for web sites specifically related to apps. Certainly that seems to be what Google are suggesting. But are web apps "apps"? Is this native only? Are Google going to be actively monitoring these to make sure the content is related to the .app TLD? (spoiler: no).

So it's just another TLD, really.


> But are web apps "apps"?

Both Google and Microsoft are strongly in the "Yes" category here and are heavily pushing PWAs as a future of many types of apps. If a lot of PWAs also want to use .app as their TLD, that serves Google's purposes just fine, I'd imagine.

> Are Google going to be actively monitoring these to make sure the content is related to the .app TLD?

Where's the creativity in that? The internet decided a long time ago that it would rather do interesting things with TLDs than strictly enforce them; use the origins and "purpose" of a TLD as a loose guideline.

What's the harm in a restaurant deciding that .app fits their brand because they have the best apps (appetizers) in town?

Is it any worse than all the startups that have been using Chagos' country TLD .io without having anything to do with the atoll of Chagos? (Which of course is made worse by the funds from .io going to British corporate colonialists rather than directly to benefit anyone in Chagos. How many startups even think of that when paying for their hip domain name?)


Would Chagos get .io if it wasn't British Indian Ocean Territory?


Chagos is the preferred name for the atoll that the British named to be "their" Indian Ocean Territory in the colonial empire era.

Chagos should get direct control of .io, but it is a weird political fight.

One awareness campaign: http://www.thedarksideof.io/


I mean why would Chagos, free of ever having the British, end up with IO as a country code?


Well, there aren't any obvious alternatives, for one thing: .ch is Switzerland, .ca is Canada, etc.

I don't know, it's a problem for politicians and standards bodies. Even if not "British", Chagos is still inside the "Indian Ocean", so the reason for the country code remains.


Ok but that sort of takes away the entire argument that .io "belongs" to these people somehow. It doesn't, it's purely a political issue. It's not some natural resource or anything they'd have claim to otherwise. (And seems that Mauritius might have claim, meaning no extra ccTLD.)

It's fine if people want to raise awareness to Brits behaving badly. But saying .io should go to those people is misleading.


.vi is controlled directly by residents of the US Virgin Islands. The primary contact address is on St. Thomas, and the NIC follows some pretty restrictive domain naming rules to favor the residents of the US Virgin Islands. It's run by the local telecom and presumably all money generated from .vi revenue goes to the island economies.

That is much closer to the ccTLD original intent than any of the British territories have seen (.io, .vg, etc). It's not misleading to suggest that the territory control their own ccTLD's destiny, given that was the original presumption of the early IETF and many of the original NICs.

Of course it's not a "natural" resource as a digital artifact of the internet economy, but that doesn't mean the ccTLDs weren't intended to be a resource to a specific locality, and that that specific locality shouldn't most control or best benefit when that ccTLD is exploited by foreign interests that find a different use/meaning/domain-hack for that TLD.


.cs is free.


If they're PWAs they get really close to being apps. Seems like Google is making a big push in Chrome and Android to provide that App experience for websites which do the work to support it.


I think this domain will be very popular as app means app in almost every language. I hope Google will do something about the domain snapping or all good names will be taken (and not used).


What's the pricing? I couldn't find this info on the site.


On GoDaddy at least, pricing seems to vary by domain name. beer.app is $1,999.99 while hackernews.app is $16.99. You can check pricing on individual .app domains here: https://www.godaddy.com/tlds/app-domain

Edit: It appears this pre-registration doesn't even guarantee you'll get the domain. It just increases your chances :( I'm gonna pass...


How would it? Godaddy can't buy the domain until General Availability, so they can't guarantee that you'll get it. Someone else could buy it first.


Yeah, this isn't Early Access. :(


We don't (and cannot) sell directly to end users. Every domain name registrar sets its own price.


It is very strange.

101domains wanted to charge me ~13,000 USD for a domain / year.

gandi, however, allowed me to purchase it (the same domain!) for ~650 GBP / year.

What is going on?


I would assume one is for early phase registration (101domains - May 1-7), and one is general registration (gandi - May 8). If the domain isn't registered in the early phase, you'll be in line to have it registered on May 8.


It looks like it, indeed.

I was confused because gandi and 101domains did not explicitly state the phase. And gandi took my money and deducted it from my account but apparently did not actually obtain the domain yet.


I noticed this too. Has the domain actually been registered with Gandi yet?

Maybe 13k gets you a fully registered domain, and the £650 is like buying an option or a chance to be in the running.


Gandi was super intransparent about the phase and what they are actually selling.

Indeed, Gandi did not actually obtain the domain. But merely offered to try to bid with the money once the price of the domain reached that point where it was available for that price.

In my case, that failed. The domain was purchased by someone else at a higher price.

I now have to fight to get my money back into my bank account. Gandi made their life extra hard by not being fully transparent.


Does this mean all requests will go via Google servers? Like Cloudflare? Or how else would they enforce httpS?


No. The TLD ".app" is on the HSTS preload list shipped with the browser, so the browser will only accept connections over SSL. It's up to you as the domain registrant to make sure your site supports it.


Seen on name.com...

https://imgur.com/kYyNQQg ?!


I wish Google or someone else with a lot of money would go and register every word in the English dictionary and then sell domains for reasonable prices. And there should also be a rule against domain squatting, for example only allow five domains per person/company.


What if we just sell TLDs directly to consumers?


I think it's important that any TLD is open for registration of domains. For example, if Facebook bought .book they should need to allow others to register under it.


If there's anyone with an x-rated business idea, f.app is available though it's marked as a "premium" domain, likely due to the single letter.

It'll cost you a cool $1,790.88/year. I wonder how much of that goes to Google.


I mean, what kind of app wants to be called Fapp for $1500+/yr?


An app that wants a memorable domain.


But all the success stories just post a simple intro to their apps (actually available on Android/IOS app stores) on their sites. Not valuable.


Well I'm out, Cr is already taken.


Well crap


Get.app said the domain I want is available, but none of the linked websites said they supported that tld

Edit: any recommendations for what to do with my new domain, donaldtrump.app?


Right beneath the domain available message should have been a note that these domains aren't available for purchase until May 8th.


Try more registrars, further up in the list.


so a web based product can be called an _app_ and get hosted for a certain *.app domain?


I was not aware .google was a tld.

Can any company get a tld made? Who's even in charge of that sort of thing?


yes, any company willing to pay the application fee of $185k and able to pass a review as "capable" of operating a TLD can register a TLD. ICANN is in charge of it.

https://newgtlds.icann.org/en/about/program


Any plans to support IDNs?


No, Google. Just no.


Just for fun, I tried these domain names via the url get.app:

apple.app

facebook.app

instagram.app

twitter.app

ycombinator.app *

snapchat.app *

producthunt.app *

whatsapp.app

amazon.app

microsoft.app

google.app

hotmail.app *

dropbox.app

intercom.app *

pivotal.app *

tesla.app

dell.app

ibm.app *

* AVAILABLE


Would I be sued (i.e is it legal?) if I buy some .app domains related to popular apps of my country and list their google play store and apple store link with some ads on those domains?


If your intention is to make some money and they have trademarks and already existing similar domains, you are not acting legally! There were other people who already had the same thought as you... they failed!


i call dibs on 'whats.app'


haha, not available any more, this was the one to get indeed.


Three arbitrary letters in a list of TLDs and they call it "innovation"...


Did you fabricate a quote? (And if so, why?) Neither "innovation" nor any derivatives of "innovate" appear in this post.


I go to https://domains.google.com and search for my desired .app domain and it says "Google Domains does not support the .APP ending" :(


Why do we have TLDs at all? If ANY COMBINATION OF LETTERS is now a TLD, we should be able to register myname.whatever if I want to, or in fact just whatever as a domain.

Ok, ok, I'll pay GOOGLE, the owner of the internet, for doing this now.


Why on earth should I do it? Give me one good reason; enforcing HTTPS doesn't count as one. And yet, it seems like the HN crowd is queuing to buy these... Are you planning to get them so that you can sell them at a higher price later? What makes you think this product of Google does better than Google+?



