
Google Chrome is intensifying its efforts to enhance web security by aiming to make HTTPS-First mode the standard experience for its users. Joe DeBlasio of the Chrome Security team writes on the Chromium Blog that, "for the past several years, more than 90% of Chrome users' navigations have been to HTTPS sites, across all major platforms." Yet, he pointed out that "a stubborn 5-10% of traffic has remained on HTTP," leaving users vulnerable to potential network threats.
Automatic Upgrades to HTTPS
Chrome plans to "automatically upgrade all http:// navigations to https://," as conveyed by DeBlasio. The goal is to make sure that "Chrome only ever uses insecure HTTP when HTTPS truly isn't available." This modification is under trial in Chrome version 115. If the transition is unsuccessful due to issues like an invalid certificate or an HTTP 404 error, Chrome "will automatically fallback to http://."
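To make the upgrade-and-fallback rule concrete, here is an added Python model of the decision (example code, not Chrome's implementation). It assumes a probe callable that reports how the https:// attempt went; the result names, the UNREACHABLE case, the port handling and the simple host allowlist (modelled after the HttpAllowlist policy named later in the post) are assumptions made for illustration.

```python
"""Toy model of the HTTPS-First upgrade rule: try https:// first, fall back to
http:// only when the HTTPS attempt fails.  Added example, not Chrome's code."""
from enum import Enum, auto
from typing import Callable, Dict, Iterable
from urllib.parse import urlsplit, urlunsplit


class Probe(Enum):
    """Outcome of attempting the https:// version of a navigation."""
    OK = auto()            # HTTPS loaded fine
    CERT_INVALID = auto()  # certificate error (named in the post as a fallback trigger)
    HTTP_404 = auto()      # server answered 404 over HTTPS (named in the post)
    UNREACHABLE = auto()   # assumption: nothing listening for TLS at all


def make_probe(table: Dict[str, Probe]) -> Callable[[str], Probe]:
    """Build a fake network from a constructed table; unknown URLs are unreachable."""
    def probe(https_url: str) -> Probe:
        return table.get(https_url, Probe.UNREACHABLE)
    return probe


def resolve_navigation(url: str, probe: Callable[[str], Probe],
                       http_allowlist: Iterable[str] = ()) -> str:
    """Return the URL the browser would actually navigate to under the upgrade rule."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url  # https://, file:// and friends are left untouched
    if parts.hostname in set(http_allowlist):
        return url  # assumption: allowlisted hosts are never upgraded
    netloc = parts.netloc
    if parts.port == 80:
        # assumption: an explicit :80 maps to the default HTTPS port, not https://host:80
        netloc = netloc.rsplit(":", 1)[0]
    upgraded = urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
    if probe(upgraded) is Probe.OK:
        return upgraded
    # Any failure of the HTTPS attempt means HTTPS "truly isn't available": fall back.
    return url


if __name__ == "__main__":
    # Constructed sample network: one host with working HTTPS, one with a bad certificate.
    net = make_probe({
        "https://example.test/a": Probe.OK,
        "https://legacy.test/": Probe.CERT_INVALID,
    })
    for nav in ("http://example.test/a", "http://legacy.test/", "http://nowhere.test/"):
        print(nav, "->", resolve_navigation(nav, net))
```

Defensively, the interesting line is the fallback: a downgrade happens whenever the HTTPS probe fails, so a server that answers HTTPS with a 404 or a bad certificate is, from the browser's point of view, indistinguishable from one that has no HTTPS at all. Serving a valid certificate and the same paths over both schemes is what keeps users on the upgraded connection.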
Warnings for Insecure Downloads
Building upon its prior initiatives, Chrome is gearing up to display warnings before downloading high-risk files from insecure sources. DeBlasio clarifies that "this warning aims to inform people of the risk they're taking." However, if HTTPS-First Mode isn't activated, "Chrome will not show warnings when insecurely downloading files like images, audio, or video." These updates are expected to roll out by mid-September.
Expanding HTTPS-First Mode
Google's overarching goal is to "enable HTTPS-First Mode for everyone." In line with this vision:
- HTTPS-First Mode is now active for users who are part of Google's Advanced Protection Program and are logged into Chrome.
- There's an upcoming plan to "enable HTTPS-First Mode by default in Incognito Mode soon."
- Google is in the phase of "experimenting with automatically enabling HTTPS-First Mode protections on sites that Chrome knows you typically access over HTTPS."
- Consideration is also being given to "automatically enabling HTTPS-First Mode for users that only very rarely use HTTP."
Developer and Enterprise Recommendations
Developers are urged to "fully adopt HTTPS and redirect all HTTP URLs to their HTTPS equivalents." DeBlasio stresses that even websites not containing personal data can be a risk to users if they operate on HTTP. For enterprise and educational networks, "these features can be turned on early, customized, or turned off entirely via the HttpsOnlyMode, HttpsUpgradesEnabled, HttpAllowlist, and InsecureContentAllowedForUrls policies."
Chrome continues to champion a web that is secure by default. With these measures in place, the browser is steadily moving towards realizing "HTTPS by default for all users," says DeBlasio.
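The server-side half of that recommendation, as an added example that is not part of the post or of any Chrome code: a small WSGI application that redirects every HTTP request to its HTTPS equivalent (preserving host, path and query), uses 308 rather than 301 for non-idempotent methods so a POST is not turned into a GET, and sends Strict-Transport-Security only on HTTPS responses (browsers ignore it over HTTP). The trusted-proxy handling via X-Forwarded-Proto, the one-year max-age and the includeSubDomains directive are assumptions about the deployment.

```python
"""HTTP-to-HTTPS redirect middleware with HSTS.  Added example, not from the post."""
from typing import Dict, Tuple
from urllib.parse import quote

HSTS_VALUE = "max-age=31536000; includeSubDomains"  # assumption: one year, all subdomains
TRUST_FORWARDED_PROTO = True  # assumption: a TLS-terminating proxy sets X-Forwarded-Proto


def is_https(environ) -> bool:
    """True when the request arrived over TLS, directly or via the trusted proxy."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    if TRUST_FORWARDED_PROTO:
        return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"
    return False


def https_location(environ) -> str:
    """Rebuild the requested URL with the https scheme and the default port."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    if host.startswith("["):                      # bracketed IPv6 literal
        host = host[: host.index("]") + 1]
    else:
        host = host.split(":", 1)[0]              # drop an explicit :80
    path = quote(environ.get("PATH_INFO") or "/")
    query = environ.get("QUERY_STRING", "")
    return f"https://{host}{path}" + (f"?{query}" if query else "")


def app(environ, start_response):
    if not is_https(environ):
        method = environ.get("REQUEST_METHOD", "GET")
        # 301 is fine for GET/HEAD; 308 keeps the method and body for everything else.
        status = "301 Moved Permanently" if method in ("GET", "HEAD") else "308 Permanent Redirect"
        start_response(status, [("Location", https_location(environ)),
                                ("Content-Length", "0")])
        return [b""]
    body = b"served over HTTPS\n"
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Strict-Transport-Security", HSTS_VALUE),
                              ("Content-Length", str(len(body)))])
    return [body]


def call(environ) -> Tuple[str, Dict[str, str], bytes]:
    """Invoke the app on a WSGI environ and return (status, headers, body) for inspection."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    # Constructed sample request: plain HTTP, explicit port 80, with a query string.
    sample = {"wsgi.url_scheme": "http", "HTTP_HOST": "example.test:80",
              "PATH_INFO": "/login", "QUERY_STRING": "next=%2Fhome",
              "REQUEST_METHOD": "GET"}
    print(call(sample)[:2])
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8080, app).serve_forever()
```

Two details matter in practice. The redirect must cover every path, not just the landing page, because the browser's fallback triggers on a 404 from the HTTPS side. And includeSubDomains is a commitment: once a browser has cached the header, every subdomain must keep serving valid HTTPS, so enable it only after checking the whole zone.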