Google has been a big proponent of HTTPS over the years and today announced its latest efforts in Chrome for “HTTPS by default.”
According to Google’s latest Transparency Report focused on HTTPS encryption on the web, “more than 90% of Chrome users’ navigations have been to HTTPS sites.” This is the case “across all major platforms,” including Android, Mac, and Windows.
However, a stubborn 5-10% of traffic has remained on HTTP, allowing attackers to eavesdrop on or change that data.
The company believes that Chrome’s “not secure” address bar warning is “insufficient: not only do many people not notice that warning, but by the time someone notices the warning, the damage may already have been done.”
Chrome’s answer to this has been HTTPS-First Mode, wherein the browser will try to upgrade to HTTPS, and if that fails, users have to confirm they want to visit an insecure site over HTTP. The goal is to enable this for everyone by default, but Google notes that “the web isn’t quite ready to universally enable HTTPS-First Mode today.”
Until then, HTTPS-First Mode will be enabled for those using the Advanced Protection Program. It will also “soon” be the default in Incognito Mode. Additionally:
- “We’re currently experimenting with automatically enabling HTTPS-First-Mode protections on sites that Chrome knows you typically access over HTTPS.”
- “Finally, we’re exploring automatically enabling HTTPS-First Mode for users that only very rarely use HTTP.”
Elsewhere, Chrome will show a warning when “downloading any high-risk files over an insecure connection.”
“You will still be able to download the file if you’re comfortable with the risk. Unless HTTPS-First Mode is enabled, Chrome will not show warnings when insecurely downloading files like images, audio, or video, as these file types are relatively safe. We’re expecting to roll out these warnings starting in mid September.”