Google continues the fight against HTTP-only websites by implementing a new feature in Chromium named “HTTPS-First Mode,” meaning that browsers built on this foundation will try to resolve any website using HTTPS.
Chromium is the foundation of most Internet browsers, including Google Chrome, so any security feature added to it eventually reaches the browsers built on it. HTTPS websites encrypt their communication with users, but many websites are still HTTP-only, which means that criminals can easily intercept or tamper with that traffic.
“A stubborn 5-10% of traffic has remained on HTTP, allowing attackers to eavesdrop on or change that data,” explained Chromium developers. “Chrome shows a warning in the address bar when a connection to a site is not secure, but we believe this is insufficient: not only do many people not notice that warning, but by the time someone notices the warning, the damage may already have been done.”
The new security feature is very straightforward, and it’s not the only one in the new package. Besides enforcing HTTPS, downloads from HTTP-only websites will be limited.
“Chrome will automatically upgrade all http:// navigations to https://, even when you click on a link that explicitly declares http://,” the developers said. “This works very similarly to HSTS upgrading, but Chrome will detect when these upgrades fail (e.g. due to a site providing an invalid certificate or returning a HTTP 404), and will automatically fallback to http://.”
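The upgrade-then-fallback behaviour described above can be modelled in a few lines. The following is an added example, not code from Chromium or from this article: it rewrites an http:// navigation to https://, treats a TLS or connection error and an HTTP 404 as the failure conditions the developers name, and falls back to the original http:// URL in those cases. The `fetch` callback and the `CONSTRUCTED_RESPONSES` table are constructed stand-ins for a real HTTP client; swapping in a real client lets a site operator check which of their own hosts would silently fall back to plain HTTP.

```python
import ssl
from dataclasses import dataclass
from typing import Callable, Dict, Union
from urllib.parse import urlsplit, urlunsplit


@dataclass
class NavigationResult:
    final_url: str          # URL that was actually loaded
    status: int             # HTTP status returned for final_url
    upgraded: bool          # True if the https:// upgrade succeeded
    fallback_reason: str    # why the upgrade was abandoned, if it was


def to_https(url: str) -> str:
    """Rewrite an http:// URL to https://, leaving any other scheme untouched.
    The host, port, path, query and fragment are preserved verbatim (assumption:
    no port remapping is attempted)."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))


def navigate(url: str, fetch: Callable[[str], int]) -> NavigationResult:
    """Model of an HTTPS-first navigation: try the https:// form first and fall
    back to http:// only when the secure attempt fails in the ways the article
    lists (invalid certificate / unreachable, or an HTTP 404)."""
    https_url = to_https(url)
    if https_url == url:
        # Already https:// (or some non-http scheme): nothing to upgrade.
        return NavigationResult(url, fetch(url), False, "")

    try:
        status = fetch(https_url)
    except OSError as exc:
        # ssl.SSLError (bad certificate) and ConnectionError are both OSError.
        return NavigationResult(url, fetch(url), False, f"https upgrade failed: {exc}")

    if status == 404:
        return NavigationResult(url, fetch(url), False, "https returned HTTP 404")

    return NavigationResult(https_url, status, True, "")


# Constructed sample responses standing in for real servers (not real hosts).
CONSTRUCTED_RESPONSES: Dict[str, Union[int, Exception]] = {
    "https://example.test/page": 200,       # site serves both; upgrade succeeds
    "http://example.test/page": 200,
    "https://badcert.test/": ssl.SSLCertVerificationError("self-signed certificate"),
    "http://badcert.test/": 200,            # upgrade fails on the certificate
    "https://nohttps.test/x": 404,          # HTTPS listener exists but has no content
    "http://nohttps.test/x": 200,
    "https://already.test/": 200,           # nothing to upgrade
}


def fake_fetch(url: str) -> int:
    """Constructed fetch: return a status code or raise, as a real client would."""
    try:
        response = CONSTRUCTED_RESPONSES[url]
    except KeyError:
        raise ConnectionError(f"no route to {url}")
    if isinstance(response, Exception):
        raise response
    return response


if __name__ == "__main__":
    for start in ("http://example.test/page", "http://badcert.test/",
                  "http://nohttps.test/x", "https://already.test/"):
        result = navigate(start, fake_fetch)
        print(f"{start:30} -> {result.final_url:30} upgraded={result.upgraded} "
              f"{result.fallback_reason}")
```

The model deliberately keeps the failure set small (transport/TLS error or 404); a full browser also has timeouts and user overrides, which the article does not describe and the example does not claim to reproduce.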
As for downloads, Chrome will start by showing a warning before downloading any high-risk files over an insecure connection. The HTTPS-First Mode will debut in Google Chrome 115, and warnings for unsecured downloads will arrive this fall.
Google will eventually begin to enable HTTPS-First Mode automatically for users who only very rarely visit HTTP sites, and it is very likely that the company's effort to push websites off HTTP will continue with more aggressive methods in the future.