Google is working on an HTTPS-Only Mode for Chrome
Catalin Cimpanu June 30, 2021

Following in the footsteps of browsers like Mozilla Firefox and Microsoft Edge, Google Chrome is also in line to receive an HTTPS-Only Mode that will upgrade all unencrypted HTTP connections to encrypted HTTPS alternatives, where possible.

Currently, the new Chrome HTTPS-Only Mode is still under development in Chrome Canary distributions.

Work is being done to add specific settings in the browser’s interface, and no actual HTTP-to-HTTPS functionality is currently present.

While work on this new feature is being done in Chrome Canary 93, it is unclear if the new HTTPS-Only Mode will ship with the stable version of Chrome 93, set to go live in August this year.

Currently, Chrome 93 includes a new flag located at chrome://flags/#https-only-mode-setting that, when enabled, adds a new option named “Always use secure connections” in the Chrome browser security settings.

Chrome’s work on adding an HTTPS-Only Mode comes after Mozilla added a similarly named feature to Firefox in v83.

Earlier this month, Microsoft also added a feature named Automatic HTTPS to its flagship Edge browser.

Currently, around 82.2% of all internet sites support HTTPS connections. Browser makers such as Chrome and Mozilla previously reported that HTTPS traffic usually accounts for 90% to 95% of their daily user traffic.

In a report last month analyzing the rollout of its HTTPS-Only Mode, Mozilla said Firefox upgraded HTTP traffic to HTTPS for only 3.5% of web pages, as 92.8% were already loading via HTTPS connections.

In previous years Google has taken similar steps to promote the use of HTTPS technology, including:

  • making HTTPS the default protocol in its address/search bar
  • auto-updating mixed content from HTTP to HTTPS
  • blocking HTTP downloads initiated from seemingly secure HTTPS pages

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.