Google Chrome is stepping up its web security efforts with plans to make HTTPS-First Mode the default experience for its users. Joe DeBlasio of the Chrome Security team writes on the Chromium Blog that, “for the past several years, more than 90% of Chrome users' navigations have been to HTTPS sites, across all major platforms.” Yet, he pointed out that “a stubborn 5-10% of traffic has remained on HTTP,” leaving those users exposed to network attackers who can read or tamper with unencrypted traffic.
Automatic Upgrades to HTTPS
Chrome plans to “automatically upgrade all http:// navigations to https://,” as DeBlasio puts it. The goal is to make sure that “Chrome only ever uses insecure HTTP when HTTPS truly isn't available.” This change is being trialled in Chrome 115. If the upgrade fails, for example because of an invalid certificate or an HTTP 404 error, Chrome “will automatically fallback to http://.”
Warnings for Insecure Downloads
Building upon its prior initiatives, Chrome is gearing up to display warnings before downloading high-risk files from unsecured sources. DeBlasio clarifies that “this warning aims to inform people of the risk they're taking.” However, if HTTPS-First Mode isn't activated, “Chrome will not show warnings when insecurely downloading files like images, audio, or video.” These updates are expected to roll out by mid-September.
Expanding HTTPS-First Mode
Google's overarching goal is to “enable HTTPS-First Mode for everyone.” In line with this vision:
- HTTPS-First Mode is now active for users who are part of Google's Advanced Protection Program and are logged into Chrome.
- There's an upcoming plan to “enable HTTPS-First Mode by default in Incognito Mode soon.”
- Google is in the phase of “experimenting with automatically enabling HTTPS-First Mode protections on sites that Chrome knows you typically access over HTTPS.”
- Consideration is also being given to “automatically enabling HTTPS-First Mode for users that only very rarely use HTTP.”
Developer and Enterprise Recommendations
Developers are urged to “fully adopt HTTPS and redirect all HTTP URLs to their HTTPS equivalents.” DeBlasio stresses that even websites that hold no personal data can put users at risk if they are served over HTTP. For enterprise and educational networks, “these features can be turned on early, customized, or turned off entirely via the HttpsOnlyMode, HttpsUpgradesEnabled, HttpAllowlist, and InsecureContentAllowedForUrls policies.”
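A site-side check for the redirect recommendation above, added here as an example (it is not code from Chrome or the Chromium blog): it follows an http:// URL's redirect chain one hop at a time and reports whether it ends at the same URL on https://. Hostnames such as example.test are constructed placeholders, and fetch_headers() is the only part that needs a network.

```python
"""Audit whether a site's http:// URLs redirect to their https:// equivalents."""
import http.client
from urllib.parse import urlsplit, urljoin

MAX_HOPS = 5
REDIRECTS = (301, 302, 303, 307, 308)


def fetch_headers(url, timeout=5):
    """One HEAD request, redirects NOT followed; returns (status, absolute Location or None)."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    conn.request("HEAD", target)
    resp = conn.getresponse()
    loc = resp.getheader("Location")
    conn.close()
    return resp.status, (urljoin(url, loc) if loc else None)


def follow(url, fetch=fetch_headers):
    """Return the chain of (url, status, location) hops, stopping at a non-redirect or MAX_HOPS."""
    chain = []
    for _ in range(MAX_HOPS):
        status, loc = fetch(url)
        chain.append((url, status, loc))
        if status not in REDIRECTS or not loc:
            break
        url = loc
    return chain


def audit_chain(chain):
    """Classify a chain that started at an http:// URL.
    'ok'          final URL is the https:// equivalent (same host and path)
    'https-other' reaches HTTPS but on a different host or path (e.g. a www. or landing-page hop)
    'stays-http'  never reaches HTTPS, so the site still depends on Chrome's fallback
    'loop'        still redirecting when MAX_HOPS ran out"""
    start = urlsplit(chain[0][0])
    last_url, last_status, last_loc = chain[-1]
    if last_status in REDIRECTS and last_loc:
        return "loop"
    final = urlsplit(last_url)
    if final.scheme != "https":
        return "stays-http"
    if final.hostname == start.hostname and (final.path or "/") == (start.path or "/"):
        return "ok"
    return "https-other"


# Constructed chain standing in for a live fetch: a site that does the right thing.
SAMPLE_CHAIN = [("http://example.test/login", 301, "https://example.test/login"),
                ("https://example.test/login", 200, None)]
```

A real audit is `audit_chain(follow("http://yourhost/"))`; anything other than 'ok' is a URL that will still reach Chrome's fallback path or land users somewhere unexpected.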
Chrome continues to champion a web that is secure by default. With these measures in place, the browser is steadily moving towards realizing “HTTPS by default for all users,” says DeBlasio.