Google is changing its default Chrome settings to always try an HTTPS-encrypted connection first. Users will see warnings when visiting HTTP sites that do not support this secure connection.
Google announced that the changes will come into effect in October 2026, with Chrome version 154 (the current stable version is 142).
The “Always Use Secure Connection” setting warns users before accessing any site that doesn’t have HTTPS, the protocol that encrypts data transferred between a web browser and a server.
This opt-in option was first introduced in 2022. When enabled, Chrome attempts every connection over HTTPS and displays a warning message if it is unavailable.
The alert cautions users about attackers who can see and change information sent or received from websites, especially when using public networks. The vast majority of the most popular sites already fully support HTTPS.
“We now think the time has come to enable ‘Always Use Secure Connections’ for all users by default,” Google said in a blog post.
For one billion Chrome users, who have opted in to use “Enhanced Safe Browsing” protections, the feature will be enabled by default sooner, in April 2026.
Users will still be able to bypass the alert and turn the feature off if needed, for example, when visiting local services.
The setting will also not repeatedly warn users about regularly visited HTTP sites – Chrome will only alert users when they visit a new (or not recently visited) site without using HTTPS.
The tech giant explains that attackers can hijack HTTP sessions and force Chrome users to load arbitrary resources, exposing them to malware and social engineering attacks. A single HTTP site may offer attackers a foothold. This older protocol is entirely visible to anyone on the network.
“Attacks like this are not hypothetical – software to hijack navigations is readily available and attackers have previously used insecure HTTP to compromise user devices in a targeted attack,” the post reads.
Already 95-99% of Chrome sessions use HTTPS. However, the remainder still amounts to “a lot of navigations.” These mostly lead to private sites, local IP addresses, and intranets.
“In recognition of the reduced risk HTTP to private sites represents, last year we introduced a variant of ‘Always Use Secure Connections’ for public sites only. For users who frequently access private sites (such as those in enterprise settings, or web developers), excluding warnings on private sites significantly reduces the volume of warnings those users will see,” Google explains.
“We intend to enable this variant for all users next year.”
Google also believes that transitioning to HTTPS isn’t disproportionately hard, and the certificates can be obtained for free.
Many of the remaining HTTP page loads simply redirect users to HTTPS sites.
Google recommends that admins, developers, and other IT professionals enable the “Always Use Secure Connections” settings today to help identify any sites that may prompt alerts.
HTTPS doesn’t guarantee that the website you’re visiting is trustworthy or safe – it can still be malicious or compromised, even if attackers use HTTPS. HTTPS only protects the connection – it encrypts data in transit, preventing any outsiders from viewing or tampering with it.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked