Google Chrome to enable HTTPS-first by default for all users
Google says it wants to enable HTTPS for everyone. A post on Chromium's blog says that 90% of users navigate to HTTPS sites, but 5-10% still connect to HTTP pages, which poses a security risk from network attacks.
While Chrome does show a warning when users land on a non-HTTPS page, the Mountain View company says that some people may miss the notice, and could be impacted by threats. Earlier this year, Google had announced that it would replace Chrome's HTTPS lock icon (the padlock) with a new tune button. Refer to our previous coverage for more information regarding this change.
Google Chrome to enable HTTPS-first by default
Google says that the proper way to solve the HTTP problem is to enable HTTPS-First Mode. When it is enabled, the feature tells the browser to automatically upgrade all http:// navigations to https://. This works even when the link you clicked on was an HTTP URL.
Google is experimenting with HTTPS-First by rolling out the feature to users who have enrolled in Google's Advanced Protection Program. The feature will also be enabled by default in incognito mode. You can enable HTTPS-First Mode from Chrome's security settings (chrome://settings/security), by toggling the button next to "Always use secure connections".
This is slightly different from how HTTPS-only mode functions. According to the official explainer documentation for HTTPS upgrades, when a browser tries to access an HTTPS-enabled website, it may still send HTTP requests to the server, and those requests are insecure. Sites that have old HTTP links and support HTTPS can opt into the HTTP Strict Transport Security (HSTS) preload list, after configuring their domain to handle the redirection requests.
The issue is that HTTP requests are still made when a browser visits an HSTS website for the first time, lands on a page that supports HTTPS but does not use HSTS, or visits a site that has an HTTPS version but does not redirect from the HTTP domain to the secure version.
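The HSTS preload requirements mentioned above (hstspreload.org asks for an HTTP-to-HTTPS redirect on the same host and a Strict-Transport-Security header with a max-age of at least one year, includeSubDomains and preload) can be checked offline. The following is an added example, not code from the article or from Chrome; the `Response` class, `example.test` host and sample headers are constructed for illustration.

```python
# Offline check of the HSTS preload submission requirements (hstspreload.org)
# against constructed sample responses; assumed helper names, not Chrome's code.
from dataclasses import dataclass, field

ONE_YEAR = 31536000  # preload requires max-age of at least one year (seconds)
REDIRECTS = {301, 302, 307, 308}

@dataclass
class Response:
    """Minimal stand-in for an HTTP response: status, headers, redirect target."""
    status: int
    headers: dict = field(default_factory=dict)
    location: str = ""

def parse_hsts(value):
    """Parse Strict-Transport-Security directives into a lowercase-keyed dict;
    value-less directives (includeSubDomains, preload) map to True."""
    directives = {}
    for part in value.split(";"):
        name, has_value, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"') if has_value else True
    return directives

def preload_problems(host, http_resp, https_resp):
    """Return why the host would fail preload submission; [] means it passes."""
    problems = []
    # 1. Plain HTTP on port 80 must redirect straight to HTTPS on the same host.
    if http_resp.status not in REDIRECTS or not http_resp.location.lower().startswith(f"https://{host}"):
        problems.append(f"http://{host} does not redirect to https://{host}")
    # 2. The HTTPS response must carry an HSTS header ...
    headers = {k.lower(): v for k, v in https_resp.headers.items()}
    if "strict-transport-security" not in headers:
        return problems + ["no Strict-Transport-Security header on HTTPS response"]
    d = parse_hsts(headers["strict-transport-security"])
    # 3. ... with max-age >= 1 year, includeSubDomains and preload.
    raw = d.get("max-age")
    max_age = int(raw) if isinstance(raw, str) and raw.isdigit() else 0
    if max_age < ONE_YEAR:
        problems.append(f"max-age {max_age} is below the required {ONE_YEAR}")
    if d.get("includesubdomains") is not True:
        problems.append("includeSubDomains directive missing")
    if d.get("preload") is not True:
        problems.append("preload directive missing")
    return problems

# Constructed sample responses for a hypothetical host.
HOST = "example.test"
GOOD = (Response(301, location=f"https://{HOST}/"),
        Response(200, {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}))
BAD = (Response(200),  # serves content over plain HTTP instead of redirecting
       Response(200, {"Strict-Transport-Security": "max-age=86400"}))
```

Feed it the responses for `http://host/` and `https://host/` captured with a client of your choice; the BAD pair above fails all four checks, which is the situation where Chrome's first visit still goes out over plain HTTP.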
Google's proposal for HTTPS Upgrades is quite simple: the browser will automatically upgrade all HTTP links on a web page to HTTPS, without compromising the user's privacy and security. When a website cannot be accessed over HTTPS, and the attempt results in an HTTP 404 error or an invalid certificate, i.e. if the site does not support HTTPS at all, Chrome will treat that as a failed upgrade and quickly fall back to HTTP to allow you to access the site. This ensures that users only access HTTP domains when an HTTPS version is not available, and are protected from other HTTP links that may be outdated or insecure.
You can manually enable the option from chrome://flags/ to try it out. The setting is called HTTPS Upgrades.
Chrome will warn you about insecure downloads
In 2020, Chrome began removing support for insecure downloads, i.e. downloads that originated from an HTTPS page but whose files were hosted via HTTP links. These "mixed downloads" were blocked by the browser. Google says that Chrome will now show a warning dialog before downloading files that it deems high-risk over an insecure connection. The pop-up will alert the user that the downloaded file could have been tampered with, and may be malicious. Google says that such files could bypass Chrome's sandbox and other protections, presenting new attack vectors for hackers to infect a computer. That said, users will be given the choice to download the file if they are comfortable with the risk.
The setting for the feature's flag is called "Warn on insecure downloads".
The warning will not appear when insecurely downloading files like images, audio, or videos, unless HTTPS-First Mode is enabled. Google will roll out these warnings starting in mid-September, which is when Chrome 117 will be released for the Stable channel. On a side note, Google Chrome is getting a security feature that will tell you why an extension was removed.