I've always felt conflicted about this. I generally support moving everything to HTTPS, and requiring it for new TLDs isn't a terrible idea because there's no chance of breaking anything legacy.[1]
On the other hand, Google owns the TLD, controls the HSTS preload list, controls the most popular browser. The idea that an entire TLD could be added to the HSTS preload list was a completely unilateral decision by Google. It makes me uneasy.
[1] ...unless you were using the domain internally assuming it would never be added to the root zone, which bit some people when they did this with .dev
I've always felt conflicted about this. I generally support moving everything to HTTPS, and requiring it for new TLDs isn't a terrible idea because there's no chance of breaking anything legacy.[1]
On the other hand, Google owns the TLD, controls the HSTS preload list, controls the most popular browser. The idea that an entire TLD could be added to the HSTS preload list was a completely unilateral decision by Google. It makes me uneasy.
[1] ...unless you were using the domain internally assuming it would never be added to the root zone, which bit some people when they did this with .dev