How Chrome’s New HTTPS‑First Mode Will Secure the Web by Default
Chrome is trialing an HTTPS‑First approach that automatically upgrades insecure HTTP requests, warns about risky downloads, and gradually rolls out secure‑by‑default settings, aiming to protect the majority of web traffic from eavesdropping and tampering.
HTTPS Automatic Upgrade
Chrome 115 introduces a trial that automatically upgrades every http:// request to https://, even when the user explicitly types an insecure URL. The mechanism is similar to HSTS but adds a safety check: if the HTTPS connection fails because of an invalid TLS certificate, a handshake error, or a 404 response, Chrome falls back to the original http:// URL. This ensures that insecure fallback occurs only when HTTPS is truly unavailable.
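The upgrade-then-fallback decision described above, modelled as an added example (not Chrome's code and not from the original article). The function names, the reason labels, and the `.example` hosts with their constructed responses are assumptions made for illustration; connection failures are grouped with handshake errors.

```python
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlsplit

def upgrade(url):
    """Rewrite an http:// URL to https://; other schemes are returned unchanged."""
    parts = urlsplit(url)
    return parts._replace(scheme="https").geturl() if parts.scheme == "http" else url

def real_probe(url, timeout=5):
    """HEAD the URL and return its status; TLS and connection failures raise OSError."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # a 4xx/5xx answer still means TLS itself worked
    except urllib.error.URLError as err:
        # urllib wraps TLS errors; surface the underlying exception for classify()
        raise err.reason if isinstance(err.reason, BaseException) else err

def classify(url, probe=real_probe):
    """Return (url_to_load, reason) under the upgrade-then-fallback rules the page lists."""
    https_url = upgrade(url)
    if https_url == url:
        return url, "not-http"
    try:
        status = probe(https_url)
    except ssl.SSLCertVerificationError:
        return url, "fallback:invalid-certificate"
    except OSError:  # handshake failure, refused connection, timeout
        return url, "fallback:handshake-error"
    if status == 404:
        return url, "fallback:http-404"
    return https_url, "upgraded"

def constructed_probe(url):
    """Constructed sample responses so the example runs offline."""
    if url == "https://badcert.example/":
        raise ssl.SSLCertVerificationError("constructed: certificate verify failed")
    if url == "https://notls.example/":
        raise ConnectionRefusedError("constructed: nothing listening on 443")
    return {"https://ok.example/": 200, "https://old.example/page": 404}[url]

if __name__ == "__main__":
    for u in ("http://ok.example/", "http://badcert.example/",
              "http://notls.example/", "http://old.example/page", "https://ok.example/"):
        print(u, "->", classify(u, constructed_probe))
```

Calling `classify` with the default `real_probe` against hostnames you operate shows which of them would still be served over plain HTTP after a failed upgrade, and why.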
Insecure Download Warning
Chrome has removed support for mixed downloads (downloading HTTP content from an HTTPS page). Now, before downloading any high‑risk file over an insecure connection, Chrome displays a warning that the file could bypass the browser sandbox and contain malicious code. Users may still choose to proceed if they accept the risk. Starting in mid‑September, the warning will also cover lower‑risk file types such as images, audio, and video.
Gradual Rollout of HTTPS‑First Mode
Enabled by default for users enrolled in the Google Advanced Protection program and signed into Chrome.
Enabled by default in Incognito windows.
Chrome is testing automatic enablement for users who rarely use the HTTP protocol.
Users who want immediate protection can manually enable the setting at chrome://settings/security by turning on “Always use secure connections”.
Reference
https://blog.chromium.org/2023/08/towards-https-by-default.html
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge: fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc.
