Google wants to make the web more secure by attempting to make HTTPS-First mode the default experience in Chrome soon.
Key Takeaways
- Google is taking aggressive steps to enforce HTTPS and make it the default experience in Chrome, in an effort to change behavior and improve internet security.
- HTTPS-First mode is already enabled for Advanced Protection Program customers and will be enabled for others soon, including in Incognito mode.
- Google recommends that web developers serve all their content over HTTPS, as even low-risk content can be exploited by attackers to inject malware. They are also exploring other measures to make the web safer.
While most traffic on the internet now goes over HTTPS, Google says that about 5-10% of activity still relies on HTTP, an insecure legacy protocol that should no longer be used. Currently, Chrome shows warnings when you visit websites that use HTTP, but many people ignore them. As such, the company has now decided to take more aggressive steps towards enforcing HTTPS, in an effort to change the behavior of both web authors and their audiences.
Back in September 2021, Google rolled out HTTPS-First mode in Chrome 94, making sites open over HTTPS where possible for users who enabled the capability. The company is now taking a more proactive approach by making it the default experience in upcoming Chrome releases. Since the release of Chrome 115, Google has been experimenting with enabling this behavior by default in the browser. Websites that use HTTP are automatically upgraded to HTTPS, except where the upgrade fails because of an invalid certificate or an HTTP 404 error. When that happens, a fallback mechanism shows the user a warning about the connection's security and lets them continue to the website only after explicitly accepting the risk.
This process is expanding to “high-risk” files downloaded over insecure connections too. Here, Google will show a warning in a dialog box but will still allow the user to proceed with the download if they acknowledge the risk. If HTTPS-First mode is disabled, warnings will not be shown for simpler downloaded formats like images, video, and audio, as Google believes they do not carry the same risk as the aforementioned high-risk files, possibly referring to compressed file types like .zip.
In terms of rollout, HTTPS-First mode is already enabled by default for Advanced Protection Program customers who are signed in to Chrome. For others, the configuration will be enabled in Incognito soon. Google is also exploring the idea of automatically enabling HTTPS-First mode on websites it believes that you already use over the protocol, and it’s also experimenting with making it the default experience for users who rarely use HTTP in the first place.
For now, those interested in trialing this experience themselves can enable the “HTTPS Upgrades” and “Insecure download warnings” flags in chrome://flags. Similarly, you can also toggle HTTPS-First mode through the “Always use secure connections” security setting in Chrome.
Google has encouraged web developers to ensure that all of their content is served over HTTPS connections. It has emphasized that this also applies to low-risk content, since attackers can tamper with an insecure resource not only to alter that particular payload but also to inject malware into the browser as a foothold for other malicious activity. The tech firm is also recommending that enterprise and education customers adjust their environments according to their specialized needs.
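As an added example (not code from the article or from Google), here is a small Python audit a web developer could run over a page to find subresources that are still referenced over plain HTTP, including the images and media the article says should also move to HTTPS; the sample HTML and hostnames are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes through which a page loads subresources. A value that resolves to
# http:// here is content an on-path attacker could modify, regardless of how
# harmless the file type looks. Navigation links (<a href>) are left out
# because HTTPS-First mode upgrades those itself.
URL_ATTRS = {"src", "srcset", "poster", "data", "action"}


class InsecureRefScanner(HTMLParser):
    """Collects (tag, attribute, absolute URL) for every plain-HTTP reference."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            # <link href> loads stylesheets and the like, so it counts too.
            if not value or not (name in URL_ATTRS or (tag == "link" and name == "href")):
                continue
            # srcset holds comma-separated "url descriptor" pairs.
            candidates = value.split(",") if name == "srcset" else [value]
            for cand in candidates:
                parts = cand.strip().split()
                if not parts:
                    continue
                # Relative and protocol-relative URLs inherit the page's scheme,
                # so resolve against the page URL before judging them.
                absolute = urljoin(self.page_url, parts[0])
                if urlsplit(absolute).scheme == "http":
                    self.findings.append((tag, name, absolute))


def find_insecure_refs(html, page_url="https://example.com/index.html"):
    scanner = InsecureRefScanner(page_url)
    scanner.feed(html)
    return scanner.findings


# Constructed sample page: three insecure references, two secure ones.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<script src="https://cdn.example.net/app.js"></script>
</head><body>
<img src="/images/logo.png">
<img srcset="http://img.example.net/hero-1x.png 1x, https://img.example.net/hero-2x.png 2x">
<video poster="http://media.example.net/poster.jpg" src="//media.example.net/clip.mp4"></video>
</body></html>
"""
```

Running `find_insecure_refs(SAMPLE_HTML)` reports the stylesheet, the 1x srcset candidate and the video poster, while the root-relative logo and the protocol-relative clip resolve to HTTPS on an HTTPS page and pass.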
The latest step is just one of the many attempts being made by Google to make the web safer for everyone. It recently proposed a new web standard called the Web Environment Integrity API too, but there are certain concerns around its negative implications for users.
Source: thptvinhthang.edu.vn