Google Chrome Will Enforce HTTPS By Default
Wednesday, 23 August 2023
Google has announced that it plans to make HTTPS the default on Chrome. Over 90 percent of traffic on Chrome is already to HTTPS sites, but between 5 and 10 percent of traffic remains 'stubbornly' on HTTP, according to the Chromium blog. Is this a good move?
The HTTPS traffic is encrypted and authenticated, and thus safe from network attackers, says Joe DeBlasio of the Chrome Security team, but the HTTP traffic allows attackers to eavesdrop on or change that data. Chrome shows a warning in the address bar when a connection to a site is not secure, but Google thinks people don't notice it, or only react after damage has already been done.
The plan is to move to an HTTPS-First Mode in which the user will need to provide explicit permission before the browser connects to a site insecurely. Google acknowledges that this wouldn't be workable yet, but the latest plan moves closer to that goal via automatic upgrades.
What will happen is that Chrome will automatically upgrade all http:// navigations to https://, even when you click on a link that explicitly declares http://. DeBlasio says this works very similarly to HSTS upgrading, but Chrome will detect when these upgrades fail (e.g. due to a site providing an invalid certificate or returning an HTTP 404), and will automatically fall back to http://.
This means Chrome will use HTTP when HTTPS truly isn't available rather than because a user clicked on an old link. The change is being tested in Chrome version 115, and the plan is to roll out the feature to all users soon.
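To make the upgrade-then-fall-back logic concrete, here is an added example in JavaScript. It is not Chrome's code, and it models rather than reproduces the browser's behaviour: the rule that explicit non-default ports are left alone, the treatment of any non-404 status as success, and the `probe` function that stands in for the network are all assumptions of this example, as are the hostnames and results in the constructed fake network.

```javascript
// Added example, not Chrome's implementation: a model of the
// http:// -> https:// upgrade with automatic fallback described above.

// Only plain http:// navigations are candidates for upgrade.
const UPGRADABLE_SCHEMES = new Set(['http:']);

// Return the https:// candidate for an http:// URL, or null when no
// upgrade applies (already https://, file:, malformed, ...).
function upgradeCandidate(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return null; // not a parseable absolute URL, nothing to upgrade
  }
  if (!UPGRADABLE_SCHEMES.has(url.protocol)) return null;
  // Assumption of this example: an explicit non-default port is left
  // alone, since the TLS service is unlikely to live on the same port.
  if (url.port !== '') return null;
  url.protocol = 'https:'; // WHATWG URL API keeps host, path and query
  return url.toString();
}

// Classify a probe outcome the way the article describes: a TLS or
// certificate error, or an HTTP 404 on the https:// URL, means the
// upgrade failed. Assumption: any other status counts as success.
function upgradeSucceeded(probeResult) {
  if (probeResult.error) return false;      // e.g. invalid certificate
  if (probeResult.status === 404) return false;
  return true;
}

// Resolve a navigation: try https:// first and fall back to the original
// http:// URL only when the upgrade demonstrably fails.
// `probe` is an injectable function (url) -> {status} | {error}.
function resolveNavigation(urlString, probe) {
  const candidate = upgradeCandidate(urlString);
  if (candidate === null) {
    return { url: urlString, upgraded: false, reason: 'no-upgrade' };
  }
  const result = probe(candidate);
  if (upgradeSucceeded(result)) {
    return { url: candidate, upgraded: true, reason: 'ok' };
  }
  return {
    url: urlString,
    upgraded: false,
    reason: result.error ? 'tls-error' : `http-${result.status}`,
  };
}

// Constructed, offline stand-in for the network (hostnames are invented).
const FAKE_NETWORK = {
  'https://good.example/': { status: 200 },
  'https://missing.example/page': { status: 404 },
  'https://badcert.example/': { error: 'ERR_CERT_AUTHORITY_INVALID' },
};
function fakeProbe(url) {
  return FAKE_NETWORK[url] ?? { error: 'ERR_CONNECTION_REFUSED' };
}

// Walk a few navigations through the model.
for (const nav of [
  'http://good.example/',
  'http://missing.example/page',
  'http://badcert.example/',
  'http://localhost:8080/',
  'https://good.example/',
]) {
  console.log(nav, '->', resolveNavigation(nav, fakeProbe));
}
```

The interesting property is in `resolveNavigation`: an old http:// link still ends up on HTTPS whenever the site can serve it, and HTTP is used only after the HTTPS attempt has actually failed, which is exactly the distinction the article draws between "HTTPS truly isn't available" and "a user clicked on an old link".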
The second move is that Chrome will also start showing a warning before downloading any high-risk files over an insecure connection. The thinking is that downloaded files can contain malicious code that bypasses Chrome's sandbox and other protections. The warning will inform people of the risk they're taking, but users can still choose to download the file if they're comfortable with the risk.
The HTTPS-First Mode is being rolled out in several areas, starting with users enrolled in Google's Advanced Protection Program who are also signed in to Chrome. Users who are browsing in Incognito Mode will also get HTTPS-First Mode "soon", and Google is experimenting with automatically enabling HTTPS-First Mode protections on sites that Chrome knows you typically access over HTTPS.
The Chrome team says developers should make sure they use HTTPS and that sites they're developing don't host content only accessible over HTTP. Google is also looking into options such as reducing the lifetime of cookies accessible over HTTP, so switching to HTTPS ensures that your users' experience will not be impacted by these future changes.
Secure is better than insecure, but I'm not sure Google should be enforcing the principle. There are lots of times when a device will only connect using HTTP - in particular, small devices that don't really have the processing power to encrypt or host a certificate, and these are going to be with us for some time. Even making HTTPS first is going to slow down a lot of standard and harmless interactions. If we swallow Google being in charge of security, who knows what comes next.
Last Updated ( Wednesday, 23 August 2023 )