Google Chrome to enable HTTPS-first by default for all users

Ashwin
Aug 17, 2023

Google says it wants to enable HTTPS for everyone. A post on Chromium's blog says that 90% of users' navigations go to HTTPS sites, but 5-10% still connect to HTTP pages, which poses a security risk from network attacks.

While Chrome does show a warning when users land on a non-HTTPS page, the Mountain View company says that some people may miss the notice and could be exposed to threats. Earlier this year, Google announced that it would replace Chrome's HTTPS lock icon (the padlock) with a new tune button. Refer to our previous coverage for more information about this change.

Google Chrome to enable HTTPS-first by default

Google says that the proper way to solve the HTTP problem is to enable HTTPS-First Mode. When it is enabled, the browser automatically upgrades all http:// navigations to https://, even when the link you clicked on was an HTTP URL.

Google is experimenting with HTTPS-First by rolling out the feature to users who have enrolled in Google's Advanced Protection Program. The feature will also be enabled by default in Incognito mode. You can enable HTTPS-First Mode from Chrome's security settings (chrome://settings/security) by toggling the button next to "Always use secure connections".

Google Chrome HTTPS-first option

HTTPS Upgrades

This is slightly different from how HTTPS-only mode functions. According to the official explainer documentation for HTTPS Upgrades, even when a browser tries to access an HTTPS-enabled website, it may still send plain HTTP requests to the server, and those requests are insecure. Sites that still have old HTTP links but support HTTPS can opt into the HTTP Strict Transport Security (HSTS) preload list, after configuring their domain to redirect HTTP requests to HTTPS.

The issue is that HTTP requests are still made when a browser visits an HSTS website for the first time, lands on a page that supports HTTPS but does not use HSTS, or visits a site that has an HTTPS version but does not redirect users from the HTTP domain to the secure version.

Google's proposal for HTTPS Upgrades is quite simple: the browser will automatically upgrade all HTTP links on a web page to HTTPS, without compromising the user's privacy and security. When the HTTPS version cannot be accessed, and the attempt results in an HTTP 404 error or an invalid certificate, i.e. the site does not support HTTPS at all, Chrome will treat that as a failed upgrade and quickly fall back to HTTP so that you can still reach the site. This ensures that users only access HTTP domains when an HTTPS version is not available, and are protected from other HTTP links that may be outdated or insecure.
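The upgrade-then-fall-back logic described in the three paragraphs above, modelled in Python as an added example (this is not Chromium's code): `fetch` is a hypothetical request callable, and `HSTS_PRELOAD` and `fake_fetch` are constructed stand-ins for the browser's preload list and the network. The HTTPS-First branch shows where that mode departs from plain HTTPS Upgrades.

```python
"""Model of Chrome's HTTPS Upgrades / HTTPS-First navigation decision (added
illustration, not Chromium code). `fetch` is a hypothetical callable that requests
a URL and returns an HTTP status, or raises on a connection/certificate failure."""
import ssl
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

HSTS_PRELOAD = {"preloaded.example"}   # constructed; the real list ships inside the browser

@dataclass
class Outcome:
    final_url: str
    upgraded: bool    # navigation ended up on https://
    fell_back: bool   # https:// failed and http:// was used instead
    warned: bool      # HTTPS-First Mode interstitial shown before any plaintext load

def to_https(url: str) -> str:
    p = urlsplit(url)
    return urlunsplit(("https", p.netloc, p.path, p.query, p.fragment))

def navigate(url: str, fetch, https_first: bool = False) -> Outcome:
    """Upgrade an http:// navigation and apply the fallback rules from the article."""
    p = urlsplit(url)
    if p.scheme != "http":
        return Outcome(url, False, False, False)   # already secure (or not a web URL)
    secure = to_https(url)
    try:
        ok = fetch(secure) < 400   # a 404 (or other error status) counts as a failed upgrade
    except (ssl.SSLError, ConnectionError, TimeoutError):
        ok = False                 # invalid certificate, or nothing listening on 443
    if ok:
        return Outcome(secure, True, False, False)
    if (p.hostname or "") in HSTS_PRELOAD:
        # HSTS never permits plaintext for this host, so there is no fallback at all
        raise ConnectionError(f"{p.hostname} is HSTS-preloaded; refusing plaintext fallback")
    if https_first:
        # HTTPS-First Mode: no silent fallback, the user sees a full-page warning first
        return Outcome(url, False, True, True)
    return Outcome(url, False, True, False)        # HTTPS Upgrades: quiet fallback to http://

def fake_fetch(url: str) -> int:
    """Constructed network stand-in: behaviour keyed on hostname."""
    host = urlsplit(url).hostname
    if host in ("legacy.example", "preloaded.example"):
        raise ConnectionError("connection refused on 443")
    if host == "badcert.example":
        raise ssl.SSLError("certificate verify failed")
    if host == "missing.example":
        return 404
    return 200
```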

HTTPS Upgrades are not exclusive to Chrome; the feature will be supported in other browsers. Mozilla has already approved the web standard proposal, and the Brave browser already supports the feature.

You can manually enable the option from chrome://flags/ to try it out. The setting is called HTTPS Upgrades.

Google chrome experiment flags HTTPS Upgrades

Chrome will warn you about insecure downloads

In 2020, Chrome began removing support for insecure downloads, i.e. downloads that may have originated from an HTTPS page but where the files were hosted on HTTP links. These "mixed downloads" were blocked by the browser. Google says that Chrome will now show a warning dialog before downloading files that it deems high-risk over an insecure connection. The pop-up will alert the user that the downloaded file could have been tampered with and may be malicious. Google says that such files could bypass Chrome's sandbox and other protections, presenting new attack vectors for hackers to infect a computer. That said, users will still be given the choice to download the file if they are comfortable with the risk.

Google chrome insecure downloads error

The setting for the feature's flag is called "Warn on insecure downloads".

Google chrome experiment flags Warn on insecure downloads

The warning will not appear when insecurely downloading files like images, audio, or videos, unless HTTPS-First Mode is enabled. Google will roll out these warnings starting in mid-September, which is when Chrome 117 will be released to the Stable channel. On a side note, Google Chrome is getting a security feature that will tell you why an extension was removed.
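The download rule as stated above, as an added Python model (not Chromium's own logic). The article does not enumerate which file types Chrome deems high-risk, so the model treats every non-media download over HTTP as high-risk; that is an assumption, as is the use of the file extension to recognise media.

```python
"""Model of the insecure-download rules in the article (added illustration, not
Chromium code): HTTPS page + HTTP file is a blocked 'mixed download'; an HTTP file
from an HTTP page is warned about, except images/audio/video unless HTTPS-First is on."""
import mimetypes
from urllib.parse import urlsplit

EXEMPT_PREFIXES = ("image/", "audio/", "video/")   # the article's exemption list

def is_media(url: str) -> bool:
    # Assumption: media is recognised from the URL's file extension, not from the response.
    guessed, _ = mimetypes.guess_type(urlsplit(url).path)
    return bool(guessed) and guessed.startswith(EXEMPT_PREFIXES)

def download_decision(page_url: str, file_url: str, https_first: bool = False) -> str:
    """Return 'allow', 'warn' or 'block' for a download initiated from page_url."""
    page_scheme = urlsplit(page_url).scheme
    file_scheme = urlsplit(file_url).scheme
    if file_scheme == "https":
        return "allow"   # transport is encrypted and authenticated; nothing to warn about
    if page_scheme == "https":
        return "block"   # mixed download: secure page, plaintext file (blocked since 2020)
    if is_media(file_url) and not https_first:
        return "allow"   # images/audio/video are exempt unless HTTPS-First Mode is enabled
    return "warn"        # assumption: every other plaintext download counts as high-risk
```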


Comments

  1. Anonymous said on August 22, 2023 at 7:58 am

    Is there a way to exclude a particular http site?

  2. owl said on August 18, 2023 at 2:58 am

    From what I’ve read of Ashwin’s article, I agree with that approach.
    HTTPS (Hypertext Transfer Protocol Secure) means that communication between web servers and web browsers is encrypted, preventing eavesdropping, falsification, and spoofing by third parties on the communication path.

    And @bruh’s lament is also understandable.
    Most of the individual developers who publish apps with good intentions (for example, Nirsoft, etc.) oppose that the burden (worrying with troublesome time and effort) beyond good intentions is not worth it.
    On the other hand, web producers also dislike cumbersome procedures (example, even Japan’s public broadcaster “Japan Broadcasting Corporation” remains http).
    We can’t unilaterally force them to move to HTTPS.

    1. Tachy said on August 18, 2023 at 5:06 am

      @owl

      If you’re visiting a site that is not “https://www.nirsoft.net/” then you’ve probably been spoofed.

      I didn’t know there were any browsers left that didn’t offer https only mode. But then I stopped using chrome long ago when they started, without my permission, removing extensions they didn’t want me using.

      1. owl said on August 18, 2023 at 6:03 am

        @Tachy,

        Thanks for the revalidation.
        I also confirmed that Nirsoft has been upgraded to https.
        I was careless without checking the current situation.
        On the other hand, “Japan Broadcasting Corporation” confirmed http even in the current situation.

  3. Brad said on August 17, 2023 at 12:51 pm

    Um, no. Any website that cares so little about their users that they can’t be bothered to enable HTTPS should die.

    They can even get TLS certs for free:
    https://letsencrypt.org/about/

    1. bruh said on August 17, 2023 at 5:35 pm

      “should die” who’s gonna kill it? If it’s a personal site that doesn’t rely on traffic, you can’t do anything. Nor should you want to do anything, live and let live

  4. bruh said on August 17, 2023 at 11:03 am

    When I create my website, it will be http, because it will be an old-style static site with no tracking, analytics, login, etc.

    I don’t believe the https hype, I remember when all sites were http, and we didn’t die.

    A lot of older browsers on older devices struggle with https, because of certificate-related issues (I think?) so in reality, http is the most “accessible” type of website – anything from the past 20 years should have no trouble loading it.

    1. Grand Prosecutor Jihana said on August 19, 2023 at 1:22 pm

      Even if you’re creating a static personal website, and are not: collecting user input, running client-side scripts, cookies, offering downloads, etc. Your potential visitors could still benefit from you serving HTTPS.

      If your browser is around twenty years old it won’t support the latest HTML Standard either. From about 20-years ago, you’re talking about obsolete relics like Firebird 0.5 and Internet Explorer 6.0. Windows XP supports MSIE 8.0 and Firefox 52, if you meant supporting an old OS.

      Let’s Encrypt is not the correct type of encryption Certificate for ecommerce. The free ‘Let’s Encrypt’ certificate uses (X.509) a Domain Validation (DV) certificate. For validating the Domain that only ensures a secure connection to the website. You shouldn’t really use the Let’s Encrypt SSL for any commercial purposes.

      Hallowed be the memory of the Lost Souls.

    2. Frankel said on August 18, 2023 at 9:43 am

      And this affects us how?

      1. bruh said on August 18, 2023 at 10:15 am

        I am just saying http != the devil, and there is hardly any reason to act like it is.

      2. Anonymous said on August 18, 2023 at 12:37 pm

        for a static page, that’s only transmitting static information that’s indeed perfectly fine
        BUT http is (unlike https) vulnerable to MITM,
        so any website requiring submission of confidential data (eg credentials) absolutely must MUST use https, use of http would be a total no-go

      3. owl said on August 19, 2023 at 12:10 am

        @Anonymous,
        > use of http would be a total no-go

        Which category ?

        Websites in Japan (especially those of local public bodies in financial difficulty, where budgets and personnel continue to be cut) have not made any progress in transitioning to HTTPS.

        In Japan, the current government has linked all public and private services with the “My Number Portal Card” for all citizens and made it mandatory to use the card (web). Originally, the public was against it, so 40% still refuse to get an account (I’m speechless, the user login is stipulated as 12 digits with half-width numbers only). Of course, our family and close people are a firm refusal.
        Many of the linked local government web services are still http.
        It is a very serious reality.

      4. Anonymous said on August 19, 2023 at 2:31 am

        If websites in Japan regularly submit confidential data (eg credentials) via http, then I don’t wonder why their military and intelligence networks have for years been completely pwned by the Chinese.

        I’m not sure how technically competent you are, but everyone who uses http instead of https to publicly submit confidential data is either incredibly dumb or technologically incompetent, doesn’t matter if he/she/it is European, American, Asian or Martian, white, black, red, yellow or green with pink stars lining the upper tentacles.

        One does NOT send confidential data unencrypted over the internet. That’s just dumb beyond belief. Doesn’t matter if people do it in Japan or not.

      5. owl said on August 19, 2023 at 7:46 am

        @Anonymous,

        You’re right,
        and that’s why I don’t use Japanese “dynamic HTTP”.
        That’s not what I asked you about, but the specific categories of “prohibited”.
        I can’t find it (Legally valid documents and declarations), so I want you to tell me.
        This is because I want to appeal to local governments and the Japan Broadcasting Corporation.

        By the way,
        the current state of the Web is “not as good infrastructure as we think. Without enough engineers, budget and clients to recognize it, it’s nothing more than a house of cards”.
        Such coercion to the people in the current situation will occur not only in “Japan” but also in other countries.
        It’s a very serious situation.

      6. owl said on August 19, 2023 at 8:45 am

        In addition,
        In Japan, the reality is that “HTTP is everywhere on the website and left unattended”, so it is full of holes and impossible to maintain personal information.
        The My Number Portal Card was originally devised (by traditional conservatives) as a means of excluding foreigners and monitoring and controlling the public, and it is a system that completely goes against the protection of personal information.
        As such, the Web is a tragic situation for the convenience of those governing and administering.
        What is happening in Japan will happen in other countries and will be conveniently imitated.
        After all, the Web is just being used for convenience tools that are used to the advantage of governments, the elite, the capitalists, and those obsessed with making money.

        As I was exposed to the reality of the web, I wanted to “avoid the web” as much as possible, and my family moved to a “digital detox” lifestyle. However, the government never forgives it (forcing all citizens to use the “My Number Portal Card”).

        We must recognize such a fictional reality.
        We must learn from Japan’s case and not leave it to other people’s affairs so that we do not fall into the fate of being oppressed.

      7. owl said on August 19, 2023 at 2:23 pm

        In a “capitalist society of desire”, cost performance is prioritized and individual rights tend to be neglected.
        Without legal restrictions, and (unless a problem is discovered) there is no need to actively pursue costly activities. The ratio of outdated social capital is increasing at an accelerating pace, while the number of technical staff is decreasing and lacking, and the budget is subject to cuts due to financial difficulties.
        Furthermore, local governments and small and medium-sized enterprises that do not have sufficient human resources or budgets are unable to do so.

        Similar examples include the privatized UK water utility (frequent bursts and leaks of water pipes) and the US power transmission business (usual power outages due to aging facilities). The beneficiaries are suffering because the costly regular inspection and maintenance cycle has become a mere formality.

        What is clear from Japan’s case is that the current state of the Web is nothing more than a papier-mâché fiction and “untrustworthy”.

        Even if individuals do their best, if there is “A little leak will sink a great ship” in the environment surrounding them, their human rights will be fragile and shattered.
        People may be attracted to the “web”, but it’s a double-edged sword that needs to be recognized.
        If the use of the Web is forced, there is no doubt that individual rights will be at the mercy of those in power. We need to keep an eye on developments in Russia, China, and Japan, and be careful not to repeat the same mistakes. Light and shadow are two sides of the same coin, and we must not be blind to (ignoring) the existence of that shadow.

        The mission of ghacks.net should not only pursue the light side, but also highlight the shadow side, which is two sides of the same coin.

      8. owl said on August 19, 2023 at 2:42 pm

        sentence correction:
        Before correction,
        In a “capitalist society of desire”, cost performance is prioritized and individual rights tend to be neglected.
        Without legal restrictions, and (unless a problem is discovered) there is no need to actively pursue costly activities.

        After correction,
        In a “capitalist society of desire”, cost performance is prioritized and individual rights tend to be neglected.
        Without legal restrictions, and (unless the problem is discovered and the public is outraged) there is no need to actively pursue costly activities.

      9. owl said on August 19, 2023 at 3:05 pm

        Well, having said that, since the greedy capitalist society and the people hold the value of “scrap and build” supreme, no one pays any attention to the maintenance of social infrastructure (If they don’t catch sparks directly on themselves, they won’t be a problem), so the future is bleak.
