Google Chrome will finally default to secure HTTPS connections starting in April

The transition to the more-secure HTTPS web protocol has plateaued, according to Google. As of 2020, 95 to 99 percent of navigations in Chrome use HTTPS. To help make it safer for users to click on links, Chrome will enable a setting called Always Use Secure Connections for public sites for all users by default. This will happen in October 2026 with the release of Chrome 154.

The change will happen earlier for those who have switched on Enhanced Safe Browsing protections in Chrome. Google will enable Always Use Secure Connections by default in April when Chrome 147 drops. When this setting is on, Chrome will ask for your permission before it first accesses a public website that doesn’t use HTTPS.

Google has been moving in this direction for some time. Chrome started alerting users to unsecure HTTP websites in 2018 and it began defaulting to HTTPS in April 2021. The following year, it started offering Always Use Secure Connections on an opt-in basis.

When HTTPS isn’t used, an attacker can reroute the connection with relative ease and target a user with malware, social engineering attacks or other exploits. “Attacks like this are not hypothetical — software to hijack navigations is readily available and attackers have previously used insecure HTTP to compromise user devices in a targeted attack,” the Chrome team wrote in a blog post. “Since attackers only need a single insecure navigation, they don’t need to worry that many sites have adopted HTTPS — any single HTTP navigation may offer a foothold. What’s worse, many plaintext HTTP connections today are entirely invisible to users, as HTTP sites may immediately redirect to HTTPS sites.” Always Use Secure Connections is one of the Chrome team’s attempts to mitigate such risks.

HTTP connections still persist in navigations to private sites, such as local IP addresses and company intranets. It’s complicated for a private site to obtain an HTTPS certificate (something Engadget has had since 2016, fact fans), because the same private name can point to different hosts on multiple networks. For instance, many router manufacturers use “192.168.0.1” as a local IP address for accessing the hardware’s admin panel. Still, HTTP navigations to private sites are inherently less risky than on the public web. They aren’t entirely safe, but the only vector of attack for HTTP on private sites is from within the local network.