Google has announced plans to push automatic upgrades to HTTPS more aggressively on Chrome, now covering even more use-case scenarios, including the Incognito browsing mode.
HTTPS (HyperText Transfer Protocol Secure) is HTTP carried over a TLS connection. The difference is not only that the exchanged data is encrypted: TLS also authenticates the server through its certificate and detects tampering in transit. A plain HTTP connection can be read and modified by anyone on the network path (a man-in-the-middle), so credentials, cookies and page content can be captured or replaced; HTTPS closes that exposure by encrypting and integrity-protecting the exchange.
Most websites still listen on both HTTP and HTTPS for compatibility, usually redirecting the HTTP side to HTTPS. This leaves a window for users who reach a site through an outdated “http://” link: the first request, including any cookies not marked Secure, travels in the clear before the redirect arrives. The upgrade itself is also best-effort. If the HTTPS attempt fails because the host is unreachable or its certificate is invalid, the browser falls back to plain HTTP, and an active attacker on the path can provoke exactly that failure to force the downgrade. Only a site that sends an HTTP Strict Transport Security (HSTS) policy tells browsers never to fall back.
Chrome has offered an opt-in setting that upgrades HTTP connections to HTTPS, named “HTTPS-First,” and similar features are available on Firefox (HTTPS-only), Brave (HTTPS Everywhere) and Safari (Upgrade Insecure Requests). However, the company says that approximately 10% of all traffic that passes through Chrome still uses HTTP, a significant opportunity for interception and tampering. Google previously tried to address this by labelling HTTP pages “Not secure” in the address bar, yet the warnings did not have a substantial impact on the adoption of HTTPS upgrades by users.
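The two risks described above (an HTTP side that still answers in the clear, and a browser upgrade that can silently fall back when HTTPS fails) are things a site operator can check for. The following Python script is an added example and is not code from the article or from Google. It parses the Strict-Transport-Security header and audits a set of constructed probe records (the hostnames, status codes and headers are made up for illustration; in practice they would come from one request to http://host/ and one to https://host/). Sites without a valid HSTS policy are flagged because, for them, the fallback path stays open.

```python
from dataclasses import dataclass
from typing import Optional

ONE_YEAR = 31_536_000  # the minimum max-age the HSTS preload list requires


@dataclass
class Probe:
    """Constructed observation of one host (hypothetical data, not real measurements)."""
    host: str
    http_status: int                     # status of GET http://host/
    http_location: Optional[str] = None  # Location header of that HTTP response
    https_ok: bool = True                # https://host/ answered with a valid certificate
    hsts: Optional[str] = None           # Strict-Transport-Security header on the HTTPS response


def parse_hsts(value: str) -> dict:
    """Parse an HSTS header such as 'max-age=31536000; includeSubDomains; preload'.
    Directive names are case-insensitive; unknown directives are ignored as RFC 6797 directs."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                raise ValueError(f"malformed max-age in HSTS header: {token!r}")
            result["max_age"] = int(val)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def audit(p: Probe) -> list:
    """Return a list of findings; an empty list means the host does not rely on HTTP fallback."""
    findings = []
    if not p.https_ok:
        findings.append("https-unavailable: the https:// attempt fails, so an upgrading browser falls back to http://")
        return findings
    location = p.http_location or ""
    if 300 <= p.http_status < 400:
        if not location.lower().startswith("https://"):
            findings.append(f"http-redirect-not-https: http:// redirects to {location or '<no Location>'}")
    elif p.http_status < 400:
        findings.append("http-served-plain: http:// serves content without redirecting to https://")
    if p.hsts is None:
        findings.append("no-hsts: browsers may still fall back to http:// if a later https:// attempt fails")
        return findings
    try:
        h = parse_hsts(p.hsts)
    except ValueError as e:
        findings.append(f"hsts-malformed: {e}")
        return findings
    if h["max_age"] is None:
        findings.append("hsts-no-max-age: the header is ignored without a max-age directive")
    elif h["max_age"] == 0:
        findings.append("hsts-max-age-zero: the header tells browsers to forget the policy")
    elif h["max_age"] < ONE_YEAR:
        findings.append(f"hsts-short-max-age: {h['max_age']}s, below the one-year value preload requires")
    if not h["include_subdomains"]:
        findings.append("hsts-no-includesubdomains: subdomains can still be reached over http://")
    return findings


# Constructed sample input: four hypothetical hosts covering the interesting cases.
CONSTRUCTED_PROBES = [
    Probe("good.example", 301, "https://good.example/", True, "max-age=31536000; includeSubDomains; preload"),
    Probe("legacy.example", 200, None, True, None),
    Probe("weak.example", 302, "https://weak.example/", True, "max-age=300"),
    Probe("broken.example", 301, "https://broken.example/", False, None),
]


def run_audit(probes=CONSTRUCTED_PROBES) -> dict:
    """Map each host to its findings."""
    return {p.host: audit(p) for p in probes}


if __name__ == "__main__":
    for host, findings in run_audit().items():
        print(host, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

The ordering of the checks mirrors the order in which a browser would hit the problem: an unreachable HTTPS side makes every other check moot, a missing HSTS header means the fallback path stays open, and a short or subdomain-less policy only narrows that window rather than closing it.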
HTTPS Under All Conditions
To minimize that 10% of traffic volume as much as possible, Chrome will now automatically upgrade to HTTPS connections even when the user clicks on an “http://” link, as long as the more secure version for the target resource is available.
Additionally, Chrome’s Incognito mode, which claims to offer browsing without recording history, saving cookies, or retaining user input, will now default to the HTTPS-First approach. Since Chrome extensions are typically deactivated in Incognito to prevent potential third-party data leaks, users couldn’t previously utilize extensions for HTTPS upgrades. This update addresses that limitation.
Finally, Google will activate the HTTPS-First mode by default for all users participating in its ‘Advanced Protection Program’ on the presumption that they seek optimal security throughout their browsing sessions.
Along with the above, Chrome will soon show a warning when the user downloads certain high-risk file types, such as executables (.exe), from an HTTP site. A file fetched in the clear can be replaced in transit by the same on-path attacker who can read the traffic, so the warning is there to make the user treat that file with elevated caution and scrutiny. The warning will not be shown for media file downloads, as those aren’t as dangerous.
The new features have been in testing since Chrome 115, and Google says they will be rolled out to users soon, without giving a specific date or version number. Those who want to use them now can do so by navigating to Settings → Privacy and security → Security → Always use secure connections (toggle on). Universal HTTPS upgrading and insecure download warnings can be enabled through “chrome://flags” by enabling the “HTTPS Upgrades” and “Insecure download warnings” flags.
Computers in Everything
Wow, hasn’t this been available forever?
Maybe Google could make Chromium a decent browser with a modifiable interface and toolbars, useful switches not buried under layers of menus, downloads that download and don’t stay stuck on the bottom, cache deletion on close not only after opening, scrolling that works smoothly and a bazillion other improvements that users would notice. Alas, users don’t matter to Google beyond their value as ad recipients and phone users rarely use browsers anyway.
At least Google’s not blocking third party cookies, a la Safari. The Safari users I know think it’s awful, they just ignore it and poke at apps instead.
Thank God Google’s still funding Mozilla, cheap avoidance of potential anti-trust action. Modified, Firefox makes Chromium/Chrome look like alphaware.
i.
It seems Brave’s HTTPS Everywhere has been replaced since Feb. 2023 by HTTPS by Default:
https://brave.com/privacy-updates/22-https-by-default/
So Google is a bit late…!
Reader
This is a very useful and informative article. It updates the user about an important online security measure taken by Google which is in the right interest of and benefits a majority of internet users, and despite many criticisms of Google, it does some genuinely good things too, albeit partly to maintain its monopoly. Considering the overwhelming market share of the Google Chrome browser and the influence of Google on the open source Chromium project, this strict enforcement and standardization of HTTPS is a step in the right direction which significantly improves the online security and privacy of internet users. It is something that a smaller player like, say, the EFF could not have done even if it wanted to, because it does not have as much influence over the internet as Google has.
OB2
I don’t see the point or value of this blog piece. We have been able to enforce HTTPS within Chrome for a long time, or we can also use an extension.
Unfortunately, it often leads to annoying and frustrating outcomes where you get messages warning about a site not using HTTPS or the landing page doesn’t.
The internet is not ready for 100% HTTPS. When the update reaches me, I will do whatever I can to turn off mandatory HTTPS or just use Mozilla or another Chromium browser, assuming it doesn’t have mandatory HTTPS.
And as for this blog, I think this write-up is just filler, nothing more.
Reader
Thank you Heinrich Sir for the article.
Reader
While the Google Chrome browser has great security, which includes great sandboxing and site isolation and malware and phishing protection, Google at the end of the day is an AdSense company and collects data on its users and shares it with the companies registered with it, which are really data brokers, some of which I believe have malicious intentions. Yes, the data sharing is of a group or cohort of people and not at an individual level, and takes place during bidding in a matter of milliseconds when advertisements are about to be displayed to a user in Chrome on websites that have Google ads, but the data can be de-anonymized when combined with data from other sources, and this complete user profile ends up on unknown servers where it is used to target the individual both digitally and physically by numerous malicious actors which have their vested interests in robbing, intimidating and threatening, manipulating and misleading the user.
So we see that while Google Chrome apparently provides online security to its users with a fast and pleasant browsing experience, in reality it is really hurting Chrome users even from the point of view of digital security: although the Google Chrome browser employs strong security measures, not only does it fail to address the central aspect of security, which is securing the sensitive personal information it collects and shares with others, which makes the user a target in the long run, but also the sensitive personal information of the user goes to countless unknown and malicious actors, stored on their computers forever, which cannot be undone and remains a thing for life, which is something very brutal.