Why Chrome Is Switching All Sites to HTTPS by Default

Chrome’s new HTTPS‑First experiment automatically upgrades HTTP requests to HTTPS, warns about insecure downloads, and rolls out gradually, aiming to make the web safer by encrypting the majority of traffic while still handling edge cases gracefully.

Liangxu Linux

On August 16, the Chromium official blog announced that Chrome will begin experimenting with an HTTPS‑by‑default policy, automatically upgrading all HTTP requests to HTTPS even when users explicitly type an http:// URL. This follows years of migration from HTTP to HTTPS, driven by the need to protect data from eavesdropping and tampering.

Chrome statistics show that over 90% of users already browse via HTTPS, and major platforms have high HTTPS adoption rates. Nevertheless, about 5‑10% of traffic still uses HTTP, leaving it vulnerable to interception.

Chrome’s upcoming HTTPS‑First mode will prioritize secure connections. When a site cannot be reached via HTTPS—due to an invalid TLS certificate or a 404 response—Chrome will fall back to HTTP, ensuring functionality while still encouraging secure defaults. This behavior is similar to HSTS but more user‑friendly, as Chrome tests the upgrade and only reverts when necessary.

HTTPS Automatic Upgrade

Chrome will automatically rewrite any http:// URL to https://, mirroring HSTS (Strict-Transport-Security) behavior. Unlike HSTS, Chrome checks whether the upgraded request fails and only then reverts to HTTP, so sites that do not work over HTTPS remain accessible.
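The difference between the automatic upgrade and HSTS, as an added example: a simplified model written for this page, not Chromium's code. The function names, outcome labels and the three `.example` hosts are assumptions constructed for illustration; the fallback conditions (invalid certificate, 404) are the ones named above.

```javascript
// Simplified model of the navigation decision (not Chromium code).
// httpsProbe(host) -> { certValid, status } stands in for the real HTTPS attempt.
function navigate(inputUrl, httpsProbe, hstsHosts = new Set()) {
  const url = new URL(inputUrl);
  if (url.protocol !== "http:") {
    return { finalUrl: url.href, outcome: "unchanged" };
  }
  const upgraded = new URL(url.href);
  upgraded.protocol = "https:";
  const result = httpsProbe(upgraded.hostname);
  // Failure conditions named in the article: invalid certificate or a 404.
  const failed = !result.certValid || result.status === 404;

  if (hstsHosts.has(url.hostname)) {
    // HSTS: the host is committed to HTTPS, so a failure is a hard error
    // and the browser never retries over plaintext.
    return failed
      ? { finalUrl: null, outcome: "blocked-by-hsts" }
      : { finalUrl: upgraded.href, outcome: "upgraded" };
  }
  // Automatic upgrade: same rewrite, but a failure falls back to HTTP.
  return failed
    ? { finalUrl: url.href, outcome: "fallback-to-http" }
    : { finalUrl: upgraded.href, outcome: "upgraded" };
}

// Constructed sample data: how each hypothetical host answers over HTTPS.
const SAMPLE_HTTPS = {
  "shop.example":   { certValid: true,  status: 200 },
  "legacy.example": { certValid: false, status: 200 }, // bad certificate
  "docs.example":   { certValid: true,  status: 404 }, // page only on HTTP
};
const sampleProbe = (host) =>
  SAMPLE_HTTPS[host] ?? { certValid: false, status: 0 };

// Operator view: which http:// URLs still leave visitors on plaintext HTTP?
function stillPlaintext(urls, probe, hstsHosts) {
  return urls.filter(
    (u) => navigate(u, probe, hstsHosts).outcome === "fallback-to-http"
  );
}
```

Hosts returned by `stillPlaintext` are the ones whose HTTPS endpoint needs fixing: until it is, the silent fallback keeps their visitors on an unencrypted connection.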

Insecure Download Warning

Chrome has removed support for mixed downloads—downloading HTTP resources from HTTPS pages. When a high‑risk file is downloaded over an insecure connection, Chrome will display a warning, alerting users to potential malicious code that could bypass Chrome’s sandbox.

Initially, only high‑risk file types trigger warnings; less risky types (images, audio, video) will receive warnings starting mid‑September.

Gradual Rollout of HTTPS‑First Mode

To minimize impact, Chrome will enable HTTPS‑First gradually in the following areas:

Users enrolled in Google Advanced Protection who are signed into Chrome can enable HTTPS‑First mode.

The mode will become the default in Incognito windows.

Chrome is exploring automatic activation for users who rarely use HTTP.

Users can also manually enable the mode now by navigating to chrome://settings/security and turning on “Always use secure connections.”

Conclusion

The goal is a web where HTTP no longer exists, eliminating hijacking, tampering, and eavesdropping. For more details, see the Chromium blog post at https://blog.chromium.org/2023/08/towards-https-by-default.html.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
