Chrome’s New Security Feature: Mandatory HTTPS for Public Sites
In a significant move to bolster online security, Google has announced that starting October 2026, Chrome version 154 will automatically enable the Always Use Secure Connections feature. This update mandates user approval before accessing any public website that lacks HTTPS encryption, marking a pivotal shift in how the browser handles unsecured web connections.
Addressing Persistent Vulnerabilities
Despite concerted efforts over the past decade to promote HTTPS adoption, a small yet notable fraction of web traffic remains unencrypted. Currently, between 95% and 99% of Chrome navigations use secure connections, leaving the remainder susceptible to interception and manipulation by malicious actors. Unencrypted HTTP connections are particularly vulnerable to man-in-the-middle attacks, where adversaries can hijack sessions and redirect users to harmful resources without detection.
The Mechanics of the Threat
Man-in-the-middle attackers exploit HTTP connections by intercepting and potentially altering the communication between a user and a website. This method has been effectively employed in real-world scenarios, with documented instances of both commercial surveillance vendors and state-sponsored entities using HTTP interception to deliver zero-day exploits, thereby compromising targeted devices. Chrome's Not Secure warning appears only on pages loaded over HTTP, and many HTTP sites automatically redirect to HTTPS, so users often never see the warning and remain unaware of the risk taken on the initial unencrypted request.
Google’s Strategic Rollout
Recognizing the critical nature of this vulnerability, Google’s Chrome Security team emphasizes that even a minimal percentage of unencrypted traffic poses significant risks. To mitigate these threats, Google plans a phased implementation of the Always Use Secure Connections feature. In April 2026, Chrome version 147 will introduce this feature exclusively for users who have opted into Enhanced Safe Browsing protections, providing a controlled environment to assess warning frequency and user behavior.
Data from a pilot program conducted with Chrome version 141 revealed that the median user encountered fewer than one warning per week, with heavy internet users experiencing fewer than three. This suggests that the new feature will not significantly disrupt user experience while enhancing security.
Differentiating Public and Private Sites
A key aspect of this initiative is the distinction between public and private sites. While strict HTTPS requirements will be enforced for public websites, Google acknowledges that private sites, such as local network devices and internal corporate systems, present a reduced attack surface. Statistics indicate that when excluding private site traffic, HTTPS adoption rates approach 97% to 99% across all platforms. This suggests that most remaining HTTP usage is concentrated on private infrastructure, where obtaining trusted HTTPS certificates can be more complex.
Recommendations for Developers and IT Professionals
Website developers and IT professionals are encouraged to proactively enable the Always Use Secure Connections setting to identify and address potentially affected sites. Organizations managing Chrome deployments can refer to Google’s comprehensive adoption guide to understand warning conditions and implement effective mitigation strategies. While users retain the option to disable warnings through settings if necessary, Google strongly advocates for the adoption of secure connections as a standard practice moving forward.
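As an added illustration of the public/private distinction and the audit recommended above (this is not Google's code and not Chrome's actual classification logic), the script below triages a URL inventory and flags plain-HTTP links to public hosts as the ones to migrate first. The private-host heuristic, the function names and the sample URLs are assumptions made for this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed heuristic, not Chrome's rules: a host counts as "private" if it is a
# non-global IP literal, a single-label name, or ends in one of these suffixes.
PRIVATE_SUFFIXES = (".local", ".internal", ".localhost")

def is_private_host(host: str) -> bool:
    host = host.rstrip(".").lower()
    try:
        # Covers RFC 1918, loopback, link-local and other non-routable ranges.
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        pass  # not an IP literal, fall through to the name checks
    return "." not in host or host.endswith(PRIVATE_SUFFIXES)

def triage(urls):
    """Sort URLs into buckets; 'public_http' is the migration work list."""
    report = {"public_http": [], "private_http": [], "https": [], "skipped": []}
    for url in urls:
        try:
            parts = urlsplit(url.strip())
            host = parts.hostname
        except ValueError:  # malformed authority, e.g. an unclosed IPv6 bracket
            parts, host = None, None
        if not host or parts.scheme not in ("http", "https"):
            report["skipped"].append(url)
        elif parts.scheme == "https":
            report["https"].append(url)
        elif is_private_host(host):
            report["private_http"].append(url)
        else:
            report["public_http"].append(url)
    return report

# Constructed sample inventory (e.g. links exported from a CMS or bookmark policy).
SAMPLE_INVENTORY = [
    "https://www.example.com/",
    "http://legacy.example.com/login",
    "http://192.168.1.1/admin",
    "http://printer/",
    "http://nas.local:8080/",
    "http://[fe80::1]/",
    "ftp://files.example.com/",
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {items}")
```

Private-host entries are reported separately instead of being dropped, since they still travel in cleartext on the local network.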
 
		 
		 
		