Google has announced plans to push automatic upgrades to HTTPS more aggressively on Chrome, now covering even more use-case scenarios, including the Incognito browsing mode.
HTTPS (HyperText Transfer Protocol Secure) is HTTP carried over TLS. The main difference from plain HTTP is that the exchange is encrypted, integrity-protected and tied to a server certificate. In short, an HTTP connection travels in cleartext, so anyone positioned on the path (on a shared Wi-Fi network, at an ISP, or on a compromised router) can read and modify the data exchanged between the user and the server, while HTTPS adds a layer of protection against such man-in-the-middle attacks by encrypting and authenticating the exchange.
Many websites still serve both an HTTP and an HTTPS version for compatibility. This leaves users exposed when they reach a site through an outdated “http://” link, because the first request goes out in cleartext before any redirect to HTTPS can happen. It also matters how an automatic upgrade behaves when the HTTPS version fails, for example because of a validity problem with its certificate: an upgrade that silently falls back to HTTP in that case offers no protection against an attacker who can make the HTTPS attempt fail.
Chrome has been offering an opt-in mode that upgrades HTTP connections to HTTPS named “HTTPS-First,” and similar features are available on Firefox (HTTPS-only), Brave (HTTPS Everywhere), and Safari (Upgrade Insecure Requests). However, the company says that approximately 10% of all traffic that passes through Chrome still uses HTTP, which leaves a significant attack surface. The tech giant has previously tried to reduce this risk by showing warnings in the browser, but these did not have a substantial impact on user adoption of HTTPS upgrades.
HTTPS Under All Conditions
To minimize that 10% of traffic volume as much as possible, Chrome will now automatically upgrade to HTTPS connections even when the user clicks on an “http://” link, as long as the more secure version for the target resource is available.
Additionally, Chrome’s Incognito mode, which is designed to browse without recording history, saving cookies, or retaining user input, will now default to the HTTPS-First approach. Since Chrome extensions are typically disabled in Incognito to prevent third-party data leaks, users previously could not rely on an extension to perform HTTPS upgrades there. This update closes that gap.
Finally, Google will activate the HTTPS-First mode by default for all users participating in its ‘Advanced Protection Program’ on the presumption that they seek optimal security throughout their browsing sessions.
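To make the difference between the two behaviours described above concrete, here is an added example in JavaScript. It is not Chrome’s code: it models an opportunistic “upgrade” that silently falls back to http:// when the HTTPS attempt fails, beside an “https-first” mode that turns the same failure into a warning instead of a downgrade. The exempt-host list, the stub network and the hostnames (example.com, legacy.example) are constructed for the example; only the WHATWG URL class, a Node and browser global, is used, so it runs offline.

```javascript
// Added example, not Chrome's own code: a small model of the two behaviours the
// text describes, so the difference between them can be exercised offline.
//   "upgrade"     - opportunistic: rewrite http:// to https://, and if the HTTPS
//                   attempt fails (certificate error, refused connection), silently
//                   fall back to the original http:// URL.
//   "https-first" - never fall back silently; a failed HTTPS attempt becomes a
//                   full-page warning the user has to click through.
// The "network" is an injected function that throws on failure, so nothing here
// touches a real socket.

// Hosts that an upgrade makes no sense for. The exact exemption list is an
// assumption for this example, not taken from Chrome.
const EXEMPT_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Returns the https:// form of an http:// URL, or null when no upgrade applies
// (already https, a non-web scheme, or an exempt host). Throws on malformed URLs.
function upgradeUrl(rawUrl) {
  const url = new URL(rawUrl);
  if (url.protocol !== "http:") return null;
  if (EXEMPT_HOSTS.has(url.hostname) || url.hostname.endsWith(".localhost")) return null;
  url.protocol = "https:"; // path, query, fragment and any explicit port are kept
  return url.href;
}

// Simulates one navigation. `attempt(url)` stands in for the network layer and
// throws an Error whose message names the failure.
function navigate(rawUrl, mode, attempt) {
  const upgraded = upgradeUrl(rawUrl);
  if (upgraded === null) {
    attempt(rawUrl);
    return { url: rawUrl, outcome: "direct" };
  }
  try {
    attempt(upgraded);
    return { url: upgraded, outcome: "upgraded" };
  } catch (err) {
    if (mode === "https-first") {
      // No silent downgrade: the user is shown a warning and the original
      // http:// URL is not fetched unless they explicitly proceed.
      return { url: rawUrl, outcome: "warning", reason: err.message };
    }
    // Opportunistic mode: the original http:// request goes out in cleartext.
    attempt(rawUrl);
    return { url: rawUrl, outcome: "fallback", reason: err.message };
  }
}

// Constructed stand-in for the network. `hosts` maps a hostname to how its
// HTTPS endpoint behaves: "ok", "bad-cert" or "down". Plain http:// always
// succeeds, which is exactly what makes silent fallback risky.
function makeStubNetwork(hosts) {
  return (url) => {
    const u = new URL(url);
    if (u.protocol === "http:") return;
    const state = hosts[u.hostname] ?? "down";
    if (state === "ok") return;
    throw new Error(state === "bad-cert" ? "ERR_CERT_AUTHORITY_INVALID" : "ERR_CONNECTION_REFUSED");
  };
}

// Runs the scenarios from the text against the stub and returns the results.
function demo() {
  const net = makeStubNetwork({ "example.com": "ok", "legacy.example": "bad-cert" });
  const cases = [
    ["http://example.com/docs?page=2", "upgrade"],   // HTTPS available: upgraded
    ["http://legacy.example/login", "upgrade"],      // cert error: silent fallback
    ["http://legacy.example/login", "https-first"],  // cert error: warning instead
    ["http://localhost:8080/admin", "https-first"],  // exempt host: fetched as-is
  ];
  return cases.map(([url, mode]) => ({ input: url, mode, ...navigate(url, mode, net) }));
}

for (const r of demo()) {
  console.log(`${r.mode.padEnd(11)} ${r.input} -> ${r.outcome}: ${r.url}`);
}
```

The second and third scenarios are the ones worth comparing: the same certificate error on legacy.example produces a cleartext fallback in opportunistic mode, but a warning in HTTPS-First mode. That is the difference between a convenience feature and a control that an on-path attacker cannot defeat simply by breaking the HTTPS handshake.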
Along with the above, Chrome will soon introduce a warning message for when the user attempts to download certain file types from an HTTP site, such as executables (.exe), to highlight the risk and help the user treat that file with elevated caution and scrutiny. A file downloaded over HTTP can be replaced in transit, and for an executable that means arbitrary code running on the user’s machine. The warning will not be shown for media file downloads, as those are far less dangerous.
The new features have been available for testing since Chrome 115, and Google says they will be rolled out to users soon, albeit without giving a specific date or version number. However, those who want to use them now can do so by navigating to Settings → Privacy and security → Security and toggling on “Always use secure connections.” Universal HTTPS upgrading and insecure download warnings can be enabled through “chrome://flags” by enabling the “HTTPS Upgrades” and “Insecure download warnings” flags.