Google Chrome Moves towards HTTPS as Default for Web-Links

Developers are urged to fully adopt HTTPS and redirect all HTTP URLs to their HTTPS equivalents.

Google Chrome is intensifying its efforts to enhance web security by aiming to make HTTPS-First mode the standard experience for its users. Joe DeBlasio of the Chrome Security team writes on the Chromium Blog that “for the past several years, more than 90% of Chrome users' navigations have been to HTTPS sites, across all major platforms.” Yet, he points out that “a stubborn 5-10% of traffic has remained on HTTP,” leaving users vulnerable to potential network threats.

Automatic Upgrades to HTTPS

Chrome plans to “automatically upgrade all http:// navigations to https://,” as conveyed by DeBlasio. The goal is to make sure that “Chrome only ever uses insecure HTTP when HTTPS truly isn't available.” This modification is under trial in Chrome version 115. If the transition is unsuccessful due to issues like an invalid certificate or an HTTP 404 error, Chrome “will automatically fallback to http://.”

Warnings for Insecure Downloads

Building upon its prior initiatives, Chrome is gearing up to display warnings before downloading high-risk files from unsecured sources. DeBlasio clarifies that “this warning aims to inform people of the risk they're taking.” However, if HTTPS-First Mode isn't activated, “Chrome will not show warnings when insecurely downloading files like images, audio, or video.” These updates are expected to roll out by mid-September.

Expanding HTTPS-First Mode

Chrome's overarching goal is to “enable HTTPS-First Mode for everyone.” In line with this vision:

  • HTTPS-First Mode is now active for users who are part of Google's Advanced Protection Program and are logged into Chrome.
  • There's an upcoming plan to “enable HTTPS-First Mode by default in Incognito Mode soon.”
  • Google is in the phase of “experimenting with automatically enabling HTTPS-First Mode protections on sites that Chrome knows you typically access over HTTPS.”
  • Consideration is also being given to “automatically enabling HTTPS-First Mode for users that only very rarely use HTTP.”

Developer and Enterprise Recommendations

Developers are urged to “fully adopt HTTPS and redirect all HTTP URLs to their HTTPS equivalents.” DeBlasio stresses that even websites not containing personal data can be a risk to users if they operate on HTTP. For enterprise and educational networks, “these features can be turned on early, customized, or turned off entirely via the HttpsOnlyMode, HttpsUpgradesEnabled, HttpAllowlist, and InsecureContentAllowedForUrls policies.”
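One way a site owner could check the redirect recommendation above is to audit what each plain-HTTP URL answers with. This is an added example, not code from the Chromium Blog or Chrome; the function names, verdict labels and `example.test` observations are constructed for illustration.

```python
from urllib.parse import urlsplit, urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}

def https_equivalent(http_url):
    """Same URL with the scheme swapped to https; an explicit :80 is dropped."""
    p = urlsplit(http_url)
    netloc = p.netloc.rsplit(":", 1)[0] if p.port == 80 else p.netloc
    return p._replace(scheme="https", netloc=netloc).geturl()

def audit_redirect(http_url, status, location):
    """Classify one observed response to a plain-HTTP request."""
    if status not in REDIRECT_CODES or not location:
        return "no-redirect"              # content is served over HTTP
    # Location may be relative, in which case it inherits the http scheme.
    target = urlsplit(urljoin(http_url, location))
    if target.scheme != "https":
        return "redirect-stays-http"
    want = urlsplit(https_equivalent(http_url))
    if target.hostname != want.hostname:
        return "different-host"           # HTTPS, but not the equivalent URL
    if (target.path or "/", target.query) != (want.path or "/", want.query):
        return "path-not-preserved"       # e.g. every URL sent to the home page
    return "ok-permanent" if status in (301, 308) else "ok-temporary"

# Constructed observations: (requested URL, status code, Location header).
SAMPLES = [
    ("http://example.test/docs?id=7", 301, "https://example.test/docs?id=7"),
    ("http://example.test/login", 302, "https://example.test/login"),
    ("http://example.test/a/b", 301, "https://example.test/"),
    ("http://example.test/img.png", 200, None),
    ("http://example.test/old", 301, "/new"),
    ("http://example.test/", 301, "https://www.example.test/"),
]

def audit_all(samples=SAMPLES):
    """Map each requested URL to its verdict."""
    return {url: audit_redirect(url, status, loc) for url, status, loc in samples}

if __name__ == "__main__":
    for url, verdict in audit_all().items():
        print(f"{verdict:20} {url}")
```

Any verdict other than `ok-permanent` or `ok-temporary` marks a URL that still serves or forwards traffic over HTTP, or that loses the requested path on the way to HTTPS.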

Chrome continues to champion a web that is secure by default. With these measures in place, the browser is steadily moving towards realizing “HTTPS by default for all users,” says DeBlasio.