Google is about to give Chrome users a small security boost with new functionality that will attempt to automatically upgrade web pages to HTTPS.
Dubbed HTTPS-First mode, the feature resembles the HTTPS-only mode in Firefox.
With HTTPS, eavesdroppers can’t access the data transmitted between the web browser and the server on which a website is hosted, as sensitive information and credentials are encrypted.
For years, Google and other Internet companies out there have been actively advocating for the wide adoption of HTTPS across the web, both there still are websites that don’t use encryption yet, thus posing a threat to their users. At the moment, approximately 90% page loads in Chrome are over HTTPS.
With HTTPS-First Mode enabled, Chrome 94 will attempt to upgrade all page loads to HTTPS and will warn users when landing on a page that doesn’t support encryption, allowing them to connect to the HTTP page if they choose to.
“Based on ecosystem feedback, we’ll explore making HTTPS-First mode the default for all users in the future. Mozilla has also shared their intent to make HTTPS-only mode the future of web browsing in Firefox,” Google says.
The HTTPS-First mode will also bring changes to the lock icon that Chrome typically displays when a site loads over HTTPS. As an experiment, Chrome 93 will replace the lock icon with “a more neutral entry point to Page Info,” but a “Not Secure” indicator will continue to be displayed on websites that lack HTTPS support.
Even with the HTTPS-first mode, Chrome will continue to support HTTP connections, but will impose restrictions when it comes to loading specific resources, to ensure that users are protected.
“Continuing from our past efforts to restrict new features to secure origins and deprecate powerful features on insecure origins, we’ll evaluate a broad set of web platform features to determine if they should be limited or restricted on HTTP webpages,” Google says.
Related: Google Confirms Sixth Zero-Day Chrome Attack in 2021
Related: Chrome for Windows Gets Hardware-enforced Exploitation Protection
Related: Attackers Leverage Locally-Loaded Chrome Extension for Data Exfiltration