Google wants to boost HTTPS adoption even further with Chrome’s HTTPS-First mode
HTTPS, short for Hypertext Transfer Protocol Secure, uses Transport Layer Security (TLS) to encrypt the data transferred between the user and a website, protect it from tampering in transit, and authenticate the server the user is talking to. Webmasters have been advised for years to adopt HTTPS on their websites in order to protect users, and thanks to widespread adoption of the protocol, most web browsers now treat HTTPS as the default for page loads. There are still a few holdout sites that haven’t adopted HTTPS, so Google is introducing a new mode in Chrome that will stop users from silently connecting to sites over plain HTTP.
With the release of Chrome 94 in late September, users will be able to enable a new HTTPS-First mode. Once enabled, Chrome will try to upgrade every page load to HTTPS and, if the site cannot be reached over HTTPS, will display a full-page warning before loading it over HTTP. This ensures that Chrome connects users over the more secure protocol whenever it is possible, and that a user never lands on an HTTP page without first being told that the connection is not secure.
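To make the upgrade-then-warn behaviour concrete, here is a small model of that navigation decision in JavaScript. It is an added example written for this article, not Chrome’s code: the rules are the ones described above (attempt HTTPS first, show a full-page warning before any HTTP load, leave non-HTTP schemes alone). The `httpsReachable` probe, the `Decision` labels, the `urlsThatWouldWarn` audit helper and the sample origins are all assumptions made for the example; a real browser learns reachability by actually opening the connection.

```javascript
// Added example, not Chrome's implementation: a model of the HTTPS-First
// navigation decision. `httpsReachable` is an assumed hook that reports
// whether the HTTPS variant of an origin answers.

const Decision = Object.freeze({
  ALREADY_SECURE: 'already-https',
  UPGRADED: 'upgraded-to-https',
  WARN_THEN_HTTP: 'full-page-warning-before-http',
  NOT_APPLICABLE: 'not-http-or-https',
});

// Rewrite only the scheme. The WHATWG URL object already drops a port equal
// to the scheme's default, so http://host:80/ becomes https://host/ (port 443),
// while an explicit non-default port such as :8080 is preserved untouched.
function upgradeToHttps(url) {
  const u = new URL(url);
  if (u.protocol !== 'http:') {
    throw new Error(`not an http:// URL: ${url}`);
  }
  u.protocol = 'https:';
  return u.href;
}

// Decide what an HTTPS-First browser does with one top-level navigation.
function decideNavigation(url, httpsReachable) {
  const u = new URL(url);
  if (u.protocol === 'https:') {
    return { decision: Decision.ALREADY_SECURE, loadUrl: u.href };
  }
  if (u.protocol !== 'http:') {
    // file:, about:, chrome: and similar schemes are outside the mode's scope.
    return { decision: Decision.NOT_APPLICABLE, loadUrl: u.href };
  }
  const candidate = upgradeToHttps(u.href);
  if (httpsReachable(candidate)) {
    return { decision: Decision.UPGRADED, loadUrl: candidate };
  }
  // HTTPS failed: the user sees an interstitial before the HTTP load proceeds.
  return { decision: Decision.WARN_THEN_HTTP, loadUrl: u.href };
}

// Site-owner check: which of these entry points would hit the interstitial?
function urlsThatWouldWarn(urls, httpsReachable) {
  return urls.filter(
    (url) => decideNavigation(url, httpsReachable).decision === Decision.WARN_THEN_HTTP,
  );
}

// Constructed sample data (assumption): origins we pretend to have probed
// and found listening on HTTPS.
const SAMPLE_HTTPS_ORIGINS = new Set([
  'https://example.com',
  'https://shop.example.net:8443',
]);

function sampleProbe(httpsUrl) {
  return SAMPLE_HTTPS_ORIGINS.has(new URL(httpsUrl).origin);
}

// Constructed sample navigations (assumption).
const SAMPLE_URLS = [
  'http://example.com/cart?item=42',       // upgraded, query preserved
  'http://shop.example.net:8443/',         // upgraded, explicit port kept
  'http://legacy.example.org/index.html',  // no HTTPS: warning first
  'https://example.com/',                  // already secure
  'file:///etc/hosts',                     // not affected
];

for (const url of SAMPLE_URLS) {
  const r = decideNavigation(url, sampleProbe);
  console.log(`${url} -> ${r.decision} (${r.loadUrl})`);
}
console.log('would warn:', urlsThatWouldWarn(SAMPLE_URLS, sampleProbe));
```

Swapping `sampleProbe` for a function that really opens a TLS connection (or a HEAD request over HTTPS) turns `urlsThatWouldWarn` into a quick pre-flight audit of which of your own entry points will greet users with the interstitial once the mode is on.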
Google is still evaluating whether or not HTTPS-First will be enabled by default. Mozilla has been testing a similar HTTPS-Only mode since the release of Firefox 83 in November 2020, and the company states that the mechanism successfully upgraded top-level loads for more than 73% of legacy addresses. Given the sheer number of users on Google Chrome, we expect to see similar improvements, since many users are unaware of the difference between HTTP and HTTPS.
Speaking of which, Chrome is experimenting with a change to the browser’s lock icon in order to reduce confusion about what HTTPS actually means for security. Research conducted by Google indicates that users frequently associate the lock icon with the trustworthiness of a website, when in fact the icon only denotes that the connection is encrypted; a phishing site can obtain a certificate and show the same lock. To reduce this confusion, Google is running an experiment in Chrome 93 that replaces the lock icon in the address bar with a more neutral dropdown arrow that otherwise shows the same page-load information. A “not secure” indicator will still appear on sites without HTTPS support, and enterprises will be able to opt out of the experiment entirely.
Lastly, Google states that Chrome will continue to support legacy HTTP connections, but it will evaluate whether new web platform features should be limited or withheld on HTTP pages, extending the existing practice of gating powerful APIs such as geolocation and service workers behind a secure context.