Chrome HTTPS-First Mode will show a full-page warning on insecure connections

By JC Torres/July 14, 2021 10:13 pm EST

Google has been driving a crusade against elements that make the Web insecure and dangerous. Knowing that not all users might be aware of or want to make an effort to change their bad security practices, Google is trying to enforce security on its end using Chrome as its carrot and stick for website owners and administrators. For years, it has been pushing HTTPS as the one and only way for websites to serve content, but it hasn't been 100% successful. Now it is announcing upcoming features and changes to the Chrome browser that will deal with those HTTPS holdouts while still letting users decide their own fate at their own risk.

Google says that more than 90% of pages loaded in Chrome already use HTTPS, but there's no denying that there are still hundreds that don't. Chrome currently indicates which pages use HTTPS and which don't, but that's pretty much it. If users don't pay attention to those markings, they won't be immediately aware of the dangers lurking around the corner.

In Chrome 94, due in September, Google will test an HTTPS-First Mode option that will try to load all pages as HTTPS. The more important detail about this mode is that Chrome will display a full-page warning if the page can't be upgraded to HTTPS, letting users decide if they want to risk proceeding or not. The mode will be optional, but Google might make it the default if the feature receives enough positive feedback.

HTTPS pages can still be a bit of a mystery for some people. They might presume that a site is trustworthy simply because it delivers content over HTTPS when, in fact, it is only the connection between browser and server that can be considered secure. It doesn't help that Chrome uses a lock icon to indicate an HTTPS connection, furthering the misconception.

Google will be experimenting with that indicator, starting with Chrome 93. Instead of a lock, it will simply show a downward-pointing arrow that users can click to verify that the connection is secure. Pages loaded using HTTP will still get a "Not Secure" label to clearly indicate the fact. Google hopes it will lessen the confusion, though it could use a different implementation if that experiment doesn't work out as expected.