Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Endpoint Security

Google Adds HTTPS-First Mode to Chrome

Google is about to give Chrome users a small security boost with new functionality that will attempt to automatically upgrade web pages to HTTPS.

Dubbed HTTPS-First mode, the feature resembles the HTTPS-only mode in Firefox.

Google is about to give Chrome users a small security boost with new functionality that will attempt to automatically upgrade web pages to HTTPS.

Dubbed HTTPS-First mode, the feature resembles the HTTPS-only mode in Firefox.

With HTTPS, eavesdroppers can’t access the data transmitted between the web browser and the server on which a website is hosted, as sensitive information and credentials are encrypted.

For years, Google and other Internet companies out there have been actively advocating for the wide adoption of HTTPS across the web, both there still are websites that don’t use encryption yet, thus posing a threat to their users. At the moment, approximately 90% page loads in Chrome are over HTTPS.

With HTTPS-First Mode enabled, Chrome 94 will attempt to upgrade all page loads to HTTPS and will warn users when landing on a page that doesn’t support encryption, allowing them to connect to the HTTP page if they choose to.

“Based on ecosystem feedback, we’ll explore making HTTPS-First mode the default for all users in the future. Mozilla has also shared their intent to make HTTPS-only mode the future of web browsing in Firefox,” Google says.

The HTTPS-First mode will also bring changes to the lock icon that Chrome typically displays when a site loads over HTTPS. As an experiment, Chrome 93 will replace the lock icon with “a more neutral entry point to Page Info,” but a “Not Secure” indicator will continue to be displayed on websites that lack HTTPS support.

Even with the HTTPS-first mode, Chrome will continue to support HTTP connections, but will impose restrictions when it comes to loading specific resources, to ensure that users are protected.

Advertisement. Scroll to continue reading.

“Continuing from our past efforts to restrict new features to secure origins and deprecate powerful features on insecure origins, we’ll evaluate a broad set of web platform features to determine if they should be limited or restricted on HTTP webpages,” Google says.

Related: Google Confirms Sixth Zero-Day Chrome Attack in 2021

Related: Chrome for Windows Gets Hardware-enforced Exploitation Protection

Related: Attackers Leverage Locally-Loaded Chrome Extension for Data Exfiltration

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Shanta Kohli has been named CMO at Sysdig.

Cloud security firm Sysdig has appointed Sergej Epp as CISO.

F5 has appointed John Maddison as Chief Product Marketing and Technology Alliances Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.