Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Endpoint Security

Google Adds HTTPS-First Mode to Chrome

Google is about to give Chrome users a small security boost with new functionality that will attempt to automatically upgrade web pages to HTTPS.

Dubbed HTTPS-First mode, the feature resembles the HTTPS-only mode in Firefox.

Google is about to give Chrome users a small security boost with new functionality that will attempt to automatically upgrade web pages to HTTPS.

Dubbed HTTPS-First mode, the feature resembles the HTTPS-only mode in Firefox.

With HTTPS, eavesdroppers can’t access the data transmitted between the web browser and the server on which a website is hosted, as sensitive information and credentials are encrypted.

For years, Google and other Internet companies out there have been actively advocating for the wide adoption of HTTPS across the web, both there still are websites that don’t use encryption yet, thus posing a threat to their users. At the moment, approximately 90% page loads in Chrome are over HTTPS.

With HTTPS-First Mode enabled, Chrome 94 will attempt to upgrade all page loads to HTTPS and will warn users when landing on a page that doesn’t support encryption, allowing them to connect to the HTTP page if they choose to.

“Based on ecosystem feedback, we’ll explore making HTTPS-First mode the default for all users in the future. Mozilla has also shared their intent to make HTTPS-only mode the future of web browsing in Firefox,” Google says.

The HTTPS-First mode will also bring changes to the lock icon that Chrome typically displays when a site loads over HTTPS. As an experiment, Chrome 93 will replace the lock icon with “a more neutral entry point to Page Info,” but a “Not Secure” indicator will continue to be displayed on websites that lack HTTPS support.

Even with the HTTPS-first mode, Chrome will continue to support HTTP connections, but will impose restrictions when it comes to loading specific resources, to ensure that users are protected.

“Continuing from our past efforts to restrict new features to secure origins and deprecate powerful features on insecure origins, we’ll evaluate a broad set of web platform features to determine if they should be limited or restricted on HTTP webpages,” Google says.

Related: Google Confirms Sixth Zero-Day Chrome Attack in 2021

Related: Chrome for Windows Gets Hardware-enforced Exploitation Protection

Related: Attackers Leverage Locally-Loaded Chrome Extension for Data Exfiltration

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Software maker Adobe has rolled out its first batch of security patches for 2023 with fixes for at least 29 security vulnerabilities in a...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Endpoint Security

Microsoft this week shared details on CVE-2022-42821, a Gatekeeper bypass vulnerability that Apple recently addressed in macOS Ventura, Monterey, and Big Sur.

Application Security

Virtualization technology giant Citrix on Tuesday scrambled out an emergency patch to cover a zero-day flaw in its networking product line and warned that...