Why Chrome Is Moving to HTTPS‑First: What It Means for Web Security
Chrome’s latest experiment aims to automatically upgrade all HTTP requests to HTTPS. This article covers current HTTPS adoption rates, the new HTTPS‑First mode’s automatic upgrades, unsafe download warnings, the phased rollout plan, and how users can enable the feature now for a more secure browsing experience.
Background and Adoption
On August 16, the Chromium blog announced an experiment to make every website protocol default to HTTPS, even when users explicitly request HTTP. Chrome 115 already enables this trial. Over 90% of Chrome users now browse via HTTPS, and most major platforms and the top‑100 sites have default HTTPS enabled.
Automatic HTTPS Upgrade
Chrome will automatically upgrade any http:// URL to https://, similar to HSTS but applied to all sites. If the upgrade fails (e.g., invalid certificate or 404), Chrome falls back to HTTP, ensuring it only uses insecure connections when HTTPS is truly unavailable.
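The upgrade-then-fallback behaviour described above can be modelled to audit a link inventory for URLs that would still end up on plain HTTP. This is an added example, not Chrome's code: the probe callback, the function names and the sample hosts are hypothetical, and the probe results are constructed.

```javascript
// Simplified model of upgrade-then-fallback; not Chrome's implementation.
// Constructed sample probe results keyed by host (not real measurements).
const SAMPLE_PROBES = {
  "intranet.example": { ok: true },
  "legacy.example": { ok: false, reason: "invalid certificate" },
  "files.example": { ok: false, reason: "404" },
};

// Hypothetical stand-in for a real HTTPS attempt against the upgraded URL.
function sampleProbe(url) {
  return SAMPLE_PROBES[url.hostname] ?? { ok: false, reason: "no HTTPS listener" };
}

// Rewrite an http:// URL to https://, keeping host, path and query.
// Returns null when the URL is not plain HTTP, so there is nothing to upgrade.
function upgradeUrl(raw) {
  const url = new URL(raw);
  if (url.protocol !== "http:") return null;
  url.protocol = "https:";
  return url;
}

// Decide where a navigation ends up: HTTPS if the probe succeeds, else HTTP.
function navigate(raw, probe) {
  const upgraded = upgradeUrl(raw);
  if (upgraded === null) {
    return { requested: raw, final: raw, upgraded: false, fellBack: false };
  }
  const result = probe(upgraded);
  if (result.ok) {
    return { requested: raw, final: upgraded.href, upgraded: true, fellBack: false };
  }
  // The upgrade failed, so the navigation stays on the insecure URL.
  return { requested: raw, final: new URL(raw).href, upgraded: false,
           fellBack: true, reason: result.reason };
}

// Audit a link inventory: list the links that would still load over HTTP.
function auditLinks(links, probe) {
  return links.map((l) => navigate(l, probe)).filter((r) => r.fellBack);
}

const report = auditLinks([
  "http://intranet.example/wiki?page=1",
  "http://legacy.example/status",
  "http://files.example/tool.zip",
  "https://intranet.example/",
], sampleProbe);
for (const r of report) console.log(`${r.final} stays on HTTP: ${r.reason}`);
```

Links that appear in the report are the ones still exposed to tampering and eavesdropping after the upgrade attempt, so they are the ones to fix server-side.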
Unsafe Download Warnings
Chrome has removed support for mixed‑content downloads (HTTPS page downloading HTTP files) and will warn users before downloading high‑risk files over an insecure connection. The warning can be bypassed if the user accepts the risk. Starting mid‑September, even seemingly safe media types will trigger warnings.
Gradual Rollout of HTTPS‑First Mode
To minimize disruption, Chrome will enable HTTPS‑First mode gradually:
Users enrolled in Google Advanced Protection and signed into Chrome.
Incognito mode will have HTTPS‑First enabled by default.
Exploration of automatic enablement for users who rarely use HTTP.
Users can manually enable the mode now via chrome://settings/security by turning on “Always use secure connections”.
Conclusion
The initiative aims to eliminate HTTP traffic, reducing the surface for hijacking, tampering, and eavesdropping, and to move the web toward an HTTPS‑First ecosystem.
