Google Chrome to Enable HTTPS Default Browsing 

In a change that's been a long time coming, Google said that next year it will tweak its default settings for its Chrome browser to ask user permissions before they access any public site without HTTPS. 

In October 2026, Chrome 154 will change the default settings to include its existing “Always Use Secure Connections” feature. That means that when users go to an HTTP site, a popup bar will appear telling them the site doesn’t support secure connections, warning them of the risks, and offering the options to “go back” or “continue to site.”

The aim here is to continue to dissuade users from navigating to sites using the unencrypted HTTP protocol, which can pave the way for threats like man-in-the-middle (MiTM) attacks. 

“When links don't use HTTPS, an attacker can hijack the navigation and force Chrome users to load arbitrary, attacker-controlled resources, and expose the user to malware, targeted exploitation, or social engineering attacks,” according to Google on its security blog on Tuesday. “Attacks like this are not hypothetical—software to hijack navigations is readily available and attackers have previously used insecure HTTP to compromise user devices in a targeted attack.”

Default HTTPS browsing has been a long time in the making, with Google introducing alerts warning that HTTP websites are “Not Secure” in 2018 and then defaulting to HTTPS in the Chrome address bar in 2021. In 2022, Google introduced “Always Use Secure Connections” as an optional feature.

However, Google on Tuesday indicated that further steps are needed. 

“Since attackers only need a single insecure navigation, they don't need to worry that many sites have adopted HTTPS—any single HTTP navigation may offer a foothold,” said Google.
“What's worse, many plaintext HTTP connections today are entirely invisible to users, as HTTP sites may immediately redirect to HTTPS sites. That gives users no opportunity to see Chrome's ‘Not Secure’ URL bar warnings after the risk has occurred, and no opportunity to keep themselves safe in the first place.”

Another reason for the default feature is that there are still Chrome users navigating via HTTP. Overall, the percentage of navigations in Chrome using HTTPS has increased steadily from 30-45 percent in 2015 up to 95-99 percent in 2020, showing that HTTPS is now mature and widespread. 

Google, which tracks this percentage in its HTTPS transparency report, said that since then progress has plateaued. Even a few percentage points is still a lot of navigation that’s happening via the unencrypted protocol, the tech giant said. 

“Since HTTP navigations remain a regular occurrence for most Chrome users, a naive approach to warning on all HTTP navigations would be quite disruptive. At the same time, as the plateau demonstrates, doing nothing would allow this risk to persist indefinitely,” according to Google. “To balance these risks, we have taken steps to ensure that we can help the web move towards safer defaults, while limiting the potential annoyance warnings will cause to users.”