A sweeping security change soon to be implemented by Google in its Chrome browser represents a chance for the company to address one of the most common complaints about using browsers: who is looking over your shoulder while you surf? The firm intends to turn the “Always use secure connections” toggle on by default, so that Chrome moves to HTTPS automatically and users see a prompt only when they visit a public site that cannot be loaded securely. With Chrome’s commanding market share, this is the moment HTTPS-first browsing moves from an option for power users to a new security baseline.
What the new HTTPS-first default actually does
With the new HTTPS-first default, Chrome will try to load every site over an encrypted connection before anything else happens. If the site supports encryption, no prompt appears and the connection remains private. If a site is public and serves only HTTP, Chrome will show a more prominent warning, regardless of whether that HTTP page contains forms or login fields where users can enter personal information. The goal is to alert the user to the potential risk before the page loads, so that proceeding is a deliberate choice rather than something that happens while requests are silently intercepted.

Importantly, Chrome plans to make sure those warnings are smart, not noisy. Alerts are displayed only for new or rarely visited HTTP pages, so you are less likely to see this warning for sites that you frequently visit. Private hosts, such as the dashboards for routers or intranet portals, will not produce warnings by default because the risk model for devices in your home is different: an attack often requires the attacker to be on the local network.
The setting can be turned off if you really need to go to public HTTP without prompts. But for most, the default “quietly secure” setting eliminates friction while making exposure a small fraction of what it used to be.
Why this shift to HTTPS-first browsing matters
Unencrypted HTTP leaves everything in plaintext: the pages you ask for, what you get back in return, and sometimes cookies that give access to your session. It’s open to man-in-the-middle attacks, content tampering, and malicious redirects, especially over shared or compromised networks. Security researchers at Google contend that even a small percentage of insecure traffic is too much given Chrome’s size, because an attacker may need just one opening to spread malicious code.
The trend line already favors encryption.
Apps such as Telegram, Signal, and WhatsApp send encrypted messages that cannot be read when intercepted, and devices such as Apple’s iPhones can’t be unlocked against their owners’ wishes even with a valid warrant to do so. Chrome’s Transparency Report shows that HTTPS usage has grown from a minority of traffic to near ubiquity, with platforms consistently serving 95–99% of page loads over HTTPS. Cloud providers, CDNs, and automated CAs made that transition scale by removing cost and complexity from certificate management. The few vulnerable edges that remain are unsafe precisely because they are unpredictable and often targeted.
There’s also a subtle usability issue with “Not Secure” warnings: many HTTP pages jump to HTTPS without delay, leaving no opportunity to show a warning before the transition takes place. By probing for HTTPS first, Chrome closes that window and ensures the initial handshake is private whenever possible.

Rollout and ripple effect across browsers
Google will roll the change out in phases, first to users who opt in to Enhanced Safe Browsing and later to all Chrome users in a future stable release. There are versioned milestones, so this is a measured change: a slow flip of the switch.
Given how much of the browser ecosystem is built on top of Chromium, this change will probably spread fast. Vendors whose browsers are based on Chromium, including popular alternatives, might end up adopting the same security default with very little tweaking. And when the engine flips to HTTPS-first by default, a significant slice of global web traffic does too.
How site owners can prepare for HTTPS-first defaults
Many public-facing sites will not experience disruption, as long as they are already using HTTPS consistently. But it’s definitely time to harden the base:
- Get certificates from modern authorities like Let’s Encrypt or commercial providers.
- Enforce HSTS and prevent protocol downgrades.
- Audit for mixed content that can silently downgrade security.
- Use CDNs or managed hosting with one-click HTTPS and automatic renewals.
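An added example (not from the original article or from Google) of how a site owner might check the HSTS and mixed-content items above against one HTTPS response. The one-year `max-age` floor, the finding strings and the sample response are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Tags whose src loads a subresource. <a href> is navigation and is ignored.
SRC_TAGS = {"script", "img", "iframe", "audio", "video", "source", "embed"}

def parse_hsts(value):
    """Parse Strict-Transport-Security directives (RFC 6797)."""
    policy = {"max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []  # (tag, url) pairs fetched over plain http://

    def handle_starttag(self, tag, attrs):
        a, url = dict(attrs), None
        if tag in SRC_TAGS:
            url = a.get("src")
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
            url = a.get("href")
        if url and url.strip().lower().startswith("http://"):
            self.hits.append((tag, url.strip()))

def audit(headers, html, min_max_age=31536000):  # one year: assumed threshold
    """Return finding strings for one HTTPS response (headers dict + body)."""
    findings = []
    hsts = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
    if hsts is None:
        findings.append("hsts-missing")
    else:
        policy = parse_hsts(hsts)
        if policy["max_age"] is None or policy["max_age"] < min_max_age:
            findings.append("hsts-short-max-age")
        if not policy["include_subdomains"]:
            findings.append("hsts-no-includesubdomains")
    finder = MixedContentFinder()
    finder.feed(html)
    return findings + ["mixed-content:%s:%s" % hit for hit in finder.hits]

SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=300"}  # constructed sample
SAMPLE_HTML = '<script src="http://cdn.example/a.js"></script><a href="http://old.example/">old</a>'
```

Calling `audit(SAMPLE_HEADERS, SAMPLE_HTML)` reports the short `max-age`, the missing `includeSubDomains`, and the script loaded over HTTP, while the plain link to an HTTP page is not flagged.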
For local devices and intranet services, Chrome’s roadmap also brings features that make secure communication practical at low cost. The Local Network Access permission lets HTTPS pages loaded from a trusted context talk to devices on the local network without running into mixed-content blocking, which makes it easier for vendors moving away from HTTP to migrate their admin panels without breaking key workflows.
How this move compares to other popular browsers
Privacy-focused browsers such as Tor, LibreWolf, and Mullvad have long enabled HTTPS-only mode by default. A strict mode is available during setup. Brave upgrades connections automatically. I like it, and so does Firefox, which has an HTTPS-Only feature that just about every security expert I trust approves of. The Electronic Frontier Foundation even sunsetted its HTTPS Everywhere extension once it became possible to bake native upgrade logic into browsers. Chrome’s influence is far-reaching: when the largest browser does a thing, it becomes the standard for the web.
The bottom line for everyday Chrome users and consumers
Chrome making HTTPS-first the default is a pragmatic upgrade that blocks an entire class of attack without intruding on normal browsing.
For most users, nothing will change except that there will be less snooping and tampering. To the remaining corners of the web still hanging on to plain HTTP, the message is this: secure it or stand out like a sore thumb.