Google throws down a few hundred grand to get the .app domain, in concert with modifying their web browser to deliberately mark others' traffic as "Insecure" (it is not necessarily!), and reaps the fees now and in perpetuity every year thereafter for maintaining a simple database of DNS glue entries which you literally could maintain using MS Access (by which I mean, the database schema and maintenance is bog-simple).
How is the coming Chrome modification not "tying"? Anyone familiar with anti-trust laws care to comment?
We're not expecting to make our money back on this one. And these amounts are a drop in the bucket compared to many other Google products anyway.
So a cynical profit motive is not why we're doing it. We're doing it for the stated reasons, to move security forward on the Web; see https://security.googleblog.com/2017/09/broadening-hsts-to-s... and https://security.googleblog.com/2018/02/a-secure-web-is-here...
Also, I could talk your ear off about the design of our infrastructure for hours. Suffice it to say, it's a lot harder than you're making it out to be, particularly as regards scaling. Our registry platform is open source, so feel free to inspect the code at https://nomulus.foo . And that's not even getting into DNS hosting, which involves a very large number of instances distributed around the entire globe.
However, 10 years of 1 million domains, even if Google's cut is only $1 out of the registration price, is still $10 million per year * 10 years = $100 million.
If Google's own registry is used and you capture more of the ($17/year ?) domain fee, it goes up by multiples of that.
Correct me if I am wrong, but serving the DNS entries of .app will be almost the same as serving up a DNS entry for another domain like .com: the HSTS/https-only requirements will be set up in the browser, not the DNS server.
And serving DNS has been handled successfully and profitably by Namecheap/GoDaddy/Moniker et al for years.
Note that registrars ultimately set the pricing that you see, which is why it's different across different registrars, same as if you wanted to buy, e.g., a .com domain.
That's, if anything, less reassuring.
Google doing it to make money makes sense. They are a for-profit company, it's what they do.
Goodness of our hearts just makes me suspect it's more evil. Quit being evil, Google.
HTTP traffic -is- necessarily insecure. It's trivial for anyone on your network to run Wireshark and see/modify all of your traffic. And a lack of HSTS leaves your site potentially vulnerable to SSLstrip.
The problem is either the “not necessarily” part is wrong (in regard to flagging HTTP) or the criticism is directed at a fantasy that isn't actually occurring (in regard to flagging things that aren't .app). Either way, the criticism is defective.
> Google throws down a few hundred grand to get the .app domain,
> in concert with modifying their web browser
> to deliberately mark others' traffic as "Insecure"
> (it is not necessarily!),
> and reaps the fees now
This is what patrickg_zill's comment said, just with some newlines and emphasis to make it more understandable. The not necessarily does not refer to HTTP, it refers to non-.app domains. And there is no "criticism is directed at a fantasy", there is a cynical prediction which is completely possible in all respects. You---or I---may think that that'll never be the reality, but regardless, that's what the comment said, and the other commenter misunderstood. I don't get why I get downvotes and criticism for this.
They -could- have meant .app, but we'd need the guy's word to know for sure. It's not as straightforward of a comment as you think it is.
> modifying their web browser to deliberately mark others' traffic as "Insecure"
I'm assuming the parent comment meant how Chrome marks HTTP connections as insecure; they're not marking TLDs that aren't .app as insecure.
add a special extra greener bar for .app sites
That would be really weird, considering that most Google sites are not .app, and would be quite a pain to change. Suddenly every competitor to their services gets a special greener bar for a few bucks?
That's just on GoDaddy.
"EAP is a one-time acquisition fee; you do not pay that on subsequent renewal."
How does that work? I thought they needed cooperation from browser makers.
Edit: explained here: https://news.ycombinator.com/item?id=16968262
However, they will get extra fees from any .app domain registrations.
Sure, but labeling a site as “Possibly not secure” wouldn’t be a very effective way of communicating the risks to users.
AFAIK Google does not have a monopoly on .app registrations:
Many registrars will sell .app names, but they pay a portion of every sale to Google.