Chrome to warn about HTTP connections by default from 2026

From October 2026, Chrome will warn about every access to unencrypted websites. Google will activate the security feature by default for all users.


Google will activate the “Always Use Secure Connections” feature by default for all users with Chrome 154 in October 2026. From then on, the browser will ask for permission before every first access to a public website without HTTPS encryption. The warning can be bypassed but is intended to protect users from man-in-the-middle attacks.

The security feature has existed for some time as an optional setting. Chrome first attempts to establish every connection via HTTPS automatically. If this fails, a warning appears. Google justifies the step by stating that a single unencrypted HTTP connection is sufficient to provide attackers with an entry point. Attackers could hijack the navigation and redirect users to manipulated pages to distribute malware or execute targeted exploits.

According to Google's Security Blog, between 95 and 99 percent of all Chrome page views currently use HTTPS. However, this rate has stagnated since around 2020, after continuously increasing between 2015 and 2020, starting at 30 to 45 percent. The few remaining HTTP connections still represent a significant security risk, as many users regularly access unencrypted pages.

HTTP connections that remain invisible to users because websites immediately redirect to HTTPS are particularly problematic. In these cases, users might only see the “Not secure” warning in the address bar after they have already been exposed to the risk.


Chrome will differentiate between public websites such as example.com and private addresses such as local IP addresses (192.168.0.1), single-label hostnames, or intranet shortcuts. The new default setting will only warn for public sites without HTTPS. For private addresses, HTTP will remain usable without a warning.

This differentiation has technical reasons: While HTTPS certificates are free and easily available for public domains, obtaining them for private networks is significantly more complicated. Private names are not unique; different networks use identical addresses like 192.168.0.1, so no central certification authority can verify a unique owner.

Furthermore, Google considers HTTP connections to private pages less dangerous, as attackers would require physical or virtual access to the local network. For public websites, however, attacks can already occur via compromised Wi-Fi hotspots or manipulated network infrastructure.
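Operators who want to know which of their URLs fall into the warned category can approximate the public/private distinction described above. The following is an added example, not Chrome's code and not part of the original article; the function names, the constructed inventory, and the reading of “local IP addresses” as private, loopback and link-local ranges are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

def classify_host(host: str) -> str:
    """Return 'private' or 'public', following the article's distinction."""
    host = host.rstrip(".").lower()
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: a name without a dot is a single-label hostname.
        return "private" if "." not in host else "public"
    # Assumption: "local" covers private, loopback and link-local addresses.
    local = ip.is_private or ip.is_loopback or ip.is_link_local
    return "private" if local else "public"

def is_warning_candidate(url: str) -> bool:
    """True if the URL is plain HTTP to a public host.

    Per the article, the warning only appears if the automatic HTTPS
    attempt fails, so a True result means "must serve HTTPS to avoid it".
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "http" or not parts.hostname:
        return False
    return classify_host(parts.hostname) == "public"

def audit(urls):
    """Return the URLs an operator should move to HTTPS first."""
    return [u for u in urls if is_warning_candidate(u)]

# Constructed sample inventory (not taken from the article).
INVENTORY = [
    "http://example.com/login",      # public name over HTTP
    "https://example.com/",          # already HTTPS
    "http://192.168.0.1/admin",      # private IPv4 address
    "http://printer/status",         # single-label hostname
    "http://[fe80::1]/",             # link-local IPv6 address
    "http://legacy.example.org./",   # public name with trailing dot
]

if __name__ == "__main__":
    for url in audit(INVENTORY):
        print("needs HTTPS:", url)
```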

To avoid excessive disruptions, Chrome saves user decisions for regularly visited HTTP sites. Users who frequently access a specific unencrypted website will not be warned again with every visit; the warning will only appear for first-time or infrequently visited HTTP pages. According to Google, this strategy is intended to prevent users from becoming “warning-weary” during frequent visits to the same pages.

HTTPS usage varies greatly between platforms. Excluding private sites from consideration, the HTTPS rate increases from 84 to 97 percent on Linux and from 95 to 98 percent on Windows. Android and macOS even reach over 99 percent. According to Google, these figures show that HTTPS has now matured and is widespread enough to justify stronger protective measures against the remaining HTTP connections.

Website operators without HTTPS encryption still have one year to adapt their infrastructure. Free certificates are available through services like Let's Encrypt.

(fo)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.