Full Report
One year from now, with the release of Chrome 154 in October 2026, we will change the default settings of Chrome to enable “Always Use Secure Connections”. This means Chrome will ask for the user's permission before the first access to any public site without HTTPS.

[Image: The “Always Use Secure Connections” setting warns users before accessing a site without HTTPS]

Chrome Security's mission is to make it safe to click on links. Part of being safe means ensuring that when a user types a URL or clicks on a link, the browser ends up where the user intended. When links don't use HTTPS, an attacker can hijack the navigation and force Chrome users to load arbitrary, attacker-controlled resources, and expose the user to malware, targeted exploitation, or social engineering attacks. Attacks like this are not hypothetical—software to hijack navigations is readily available and attackers have previously used insecure HTTP to compromise user devices in a targeted attack. Since attackers only need a single insecure navigation, they don't need to worry that many sites have adopted HTTPS—any single HTTP navigation may offer a foothold. What's worse, many plaintext HTTP connections today are entirely invisible to users, as HTTP sites may immediately redirect to HTTPS sites. That gives users no opportunity to see Chrome's "Not Secure" URL bar warnings after the risk has occurred, and no opportunity to keep themselves safe in the first place.

To address this risk, we launched the “Always Use Secure Connections” setting in 2022 as an opt-in option. In this mode, Chrome attempts every connection over HTTPS, and shows a bypassable warning to the user if HTTPS is unavailable. We also previously discussed our intent to move towards HTTPS by default. We now think the time has come to enable “Always Use Secure Connections” for all users by default.

Now is the time

For more than a decade, Google has published the HTTPS transparency report, which tracks the percentage of navigations in Chrome that use HTTPS. For the first several years of the report, numbers saw an impressive climb, starting at around 30-45% in 2015, and ending up around the 95-99% range around 2020. Since then, progress has largely plateaued.

[Figure: HTTPS adoption expressed as a percentage of main frame page loads]

This rise represents a tremendous improvement to the security of the web, and demonstrates that HTTPS is now mature and widespread. This level of adoption is what makes it possible to consider stronger mitigations against the remaining insecure HTTP.

Balancing user safety with friction

While it may at first seem that 95% HTTPS means that the problem is mostly solved, the truth is that a few percentage points of HTTP navigations is still a lot of navigations. Since HTTP navigations remain a regular occurrence for most Chrome users, a naive approach to warning on all HTTP navigations would be quite disruptive. At the same time, as the plateau demonstrates, doing nothing would allow this risk to persist indefinitely. To balance these risks, we have taken steps to ensure that we can help the web move towards safer defaults, while limiting the potential annoyance warnings will cause to users.

One way we're balancing risks to users is by making sure Chrome does not warn about the same sites excessively. In all variants of the "Always Use Secure Connections" settings, so long as the user regularly visits an insecure site, Chrome will not warn the user about that site repeatedly. This means that rather than warn users about 1 out of 50 navigations, Chrome will only warn users when they visit a new (or not recently visited) site without using HTTPS. To further address the issue, it's important to understand what sort of traffic is still using HTTP.

Understanding HTTP usage

The largest contributor to insecure HTTP by far, and the largest contributor to variation across platforms, is insecure navigations to private sites. The graph above includes both those to public sites, such as example.com, and navigations to private sites, such as local IP addresses like 192.168.0.1, single-label hostnames, and shortlinks like intranet/. While it is free and easy to get an HTTPS certificate that is trusted by Chrome for a public site, acquiring an HTTPS certificate for a private site unfortunately remains complicated. This is because private names are "non-unique"—private names can refer to different hosts on different networks. There is no single owner of 192.168.0.1 for a certification authority to validate and issue a certificate to.

HTTP navigations to private sites can still be risky, but are typically less dangerous than their public site counterparts because there are fewer ways for an attacker to take advantage of these HTTP navigations. HTTP on private sites can only be abused by an attacker also on your local network, like on your home wifi or in a corporate network. If you exclude navigations to private sites, then the distribution becomes much tighter across platforms. In particular, Linux jumps from 84% HTTPS to nearly 97% HTTPS when limiting the analysis to public sites only. Windows increases from 95% to 98% HTTPS, and both Android and Mac increase to over 99% HTTPS.

In recognition of the reduced risk HTTP to private sites represents, last year we introduced a variant of “Always Use Secure Connections” for public sites only. For users who frequently access private sites (such as those in enterprise settings, or web developers), excluding warnings on private sites significantly reduces the volume of warnings those users will see. Simultaneously, for users who do not access private sites frequently, this mode introduces only a small reduction in protection. This is the variant we intend to enable for all users next year.

[Image: “Always Use Secure Connections,” available at chrome://settings/security]

In Chrome 141, we experimented with enabling “Always Use Secure Connections” for public sites by default for a small percentage of users. We wanted to validate our expectations that this setting keeps users safer without burdening them with excessive warnings. Analyzing the data from the experiment, we confirmed that the number of warnings seen by any users is considerably lower than 3% of navigations—in fact, the median user sees fewer than one warning per week, and the ninety-fifth percentile user sees fewer than three warnings per week.

Once “Always Use Secure Connections” is the default and additional sites migrate away from HTTP, we expect the actual warning volume to be even lower than it is now. In parallel to our experiments, we have reached out to a number of companies responsible for the most HTTP navigations, and expect that they will be able to migrate away from HTTP before the change in Chrome 154. For many of these organizations, transitioning to HTTPS isn't disproportionately hard, but simply has not received attention. For example, many of these sites use HTTP only for navigations that immediately redirect to HTTPS sites—an insecure interaction which was previously completely invisible to users.

Another current use case for HTTP is to avoid mixed content blocking when accessing devices on the local network. Private addresses, as discussed above, often do not have trusted HTTPS certificates, due to the difficulties of validating ownership of a non-unique name. This means most local network traffic is over HTTP, and cannot be initiated from an HTTPS page—the HTTP traffic counts as insecure mixed content, and is blocked. One common use case for needing to access the local network is to configure a local network device, e.g. the manufacturer might host a configuration portal at config.example.com, which then sends requests to a local device to configure it. Previously, these types of pages needed to be hosted without HTTPS to avoid mixed content blocking. However, we recently introduced a local network access permission, which both prevents sites from accessing the user’s local network without consent and allows an HTTPS site to bypass mixed content checks for the local network once the permission has been granted. This can unblock migrating these domains to HTTPS.

Changes in Chrome

We will enable the "Always Use Secure Connections" setting in its public-sites variant by default in October 2026, with the release of Chrome 154. Prior to enabling it by default for all users, in Chrome 147, releasing in April 2026, we will enable Always Use Secure Connections in its public-sites variant for the over 1 billion users who have opted-in to Enhanced Safe Browsing protections in Chrome. While it is our hope and expectation that this transition will be relatively painless for most users, users will still be able to disable the warnings by disabling the "Always Use Secure Connections" setting.

If you are a website developer or IT professional, and you have users who may be impacted by this feature, we very strongly recommend enabling the "Always Use Secure Connections" setting today to help identify sites that you may need to work to migrate. IT professionals may find it useful to read our additional resources to better understand the circumstances where warnings will be shown, how to mitigate them, and how organizations that manage Chrome clients (like enterprises or educational institutions) can ensure that Chrome shows the right warnings to meet those organizations' needs.

Looking Forward

While we believe that warning on insecure public sites represents a significant step forward for the security of the web, there is still more work to be done. In the future, we hope to work to further reduce barriers to adoption of HTTPS, especially for local network sites. This work will hopefully enable even more robust HTTP protections down the road.

Posted by Chris Thompson, Mustafa Emre Acer, Serena Chen, Joe DeBlasio, Emily Stark and David Adrian, Chrome Security Team
Analysis Summary
# Best Practices: Migrating to HTTPS by Default and Mitigating Insecure Navigation Risks
## Overview
These recommendations focus on accelerating and ensuring the universal adoption of HTTPS for all web navigation to mitigate risks associated with Man-in-the-Middle (MITM) attacks, navigation hijacking, malware injection, and social engineering that exploit insecure HTTP connections. The core strategy involves proactively enabling Chrome’s "Always Use Secure Connections" setting across the organization and migrating internal/private site traffic to be secure where possible.
## Key Recommendations
### Immediate Actions
1. **Enable "Always Use Secure Connections" Immediately:** For all users and devices utilizing Google Chrome, manually enable the **"Always Use Secure Connections"** setting (`chrome://settings/security`) today. This mirrors the upcoming default change and allows immediate identification of risks.
2. **Identify and Migrate Public HTTP Dependencies:** Audit all organizational web assets and applications currently using HTTP, particularly those accessible via means external to the local network (public sites). Prioritize migrating these public-facing services to HTTPS immediately to eliminate the risk of navigation hijacking.
3. **Test Local Network Access Permissions:** For devices or applications that rely on HTTP to communicate with local network resources (e.g., configuration portals, IoT devices), begin implementing the **Local Network Access Permission** feature in development environments to secure these pathways with HTTPS without triggering mixed content blocking.
### Short-term Improvements (1-3 months)
1. **Test the Public Sites Only Variant:** For configurations involving frequent access to internal, non-web-accessible resources (e.g., development environments, legacy internal tools), configure Chrome in a pilot group to use the **"Always Use Secure Connections" public sites only variant**. This reduces the anticipated warning volume while maintaining protection for external traffic.
2. **Engage with High-Volume HTTP Partners:** Identify any third-party services or regularly accessed external links still relying on HTTP (especially those redirecting immediately). Contact these vendors immediately to establish timelines for their migration to HTTPS, as these sites represent current user risk vectors.
3. **Review HTTP Redirects:** Systematically remove any instances where an HTTP URL immediately redirects to an HTTPS URL. These transient HTTP navigations are currently invisible attack vectors that should be eliminated entirely by setting the initial entry point to HTTPS.
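To make the audit in items 2 and 3 concrete, and to show how the report's public-sites-only rule separates public hosts from private ones (local IP addresses and single-label names) before deciding to warn, here is an added example that is not code from the Chrome team or from this page. The private address ranges, the proxy-log format and the hostnames are assumptions made for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed "non-unique" ranges (private, loopback, link-local); the page names
# 192.168.0.1 as an example, but the exact list Chrome uses is not on the page.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def is_private_host(host):
    """Private site as the page defines it: a private/loopback IP address or a
    single-label hostname such as 'intranet' (no public CA can validate either)."""
    host = host.rstrip(".").lower()
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "." not in host        # single-label name / shortlink
    return any(ip in net for net in PRIVATE_NETS)


def should_warn(url, recent_hosts, public_only=True):
    """Mirror the setting's decision: warn only for http:// to a host not visited
    recently and, in the public-sites variant, only when that host is public."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme != "http" or not host or host in recent_hosts:
        return False
    return not (public_only and is_private_host(host))


# Constructed proxy-log excerpt: "<url> <status> <Location header or ->".
SAMPLE_LOG = [
    "http://www.example.com/ 301 https://www.example.com/",
    "http://intranet/wiki 200 -",
    "http://192.168.0.1/setup 200 -",
    "https://shop.example.com/ 200 -",
    "http://news.example.net/article 200 -",
]


def audit_log(lines):
    """Classify each plaintext-HTTP navigation as public or private and flag the
    immediate http->https redirects the page describes as invisible to users."""
    findings = []
    for line in lines:
        url, status, location = line.split()
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            continue
        findings.append({
            "url": url,
            "kind": "private" if is_private_host(parts.hostname) else "public",
            "redirects_to_https": status in ("301", "302", "307", "308")
            and location.startswith("https://"),
        })
    return findings
```

Public findings are the ones to migrate first; private ones are the candidates for the public-sites-only variant or an internal CA.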
### Long-term Strategy (3+ months)
1. **Achieve 100% Public Site HTTPS Coverage:** Mandate that all public-facing web resources deployed by the organization must use HTTPS, ensuring no HTTP entry points remain.
2. **Develop Strategy for Private/Local Hostnames:** Formulate a long-term plan to secure internal (private) hostnames (e.g., `192.168.x.x`, single-label hostnames like `intranet/`) with certificates, utilizing internal Certificate Authorities (CAs) or leveraging mechanisms like the Local Network Access Permission to allow HTTPS initiation.
3. **Monitor and Validate User Experience:** After enabling the setting (especially the public-sites variant), actively monitor help desk tickets and user feedback to ensure the warning frequency remains low (ideally the median user sees fewer than one warning per week, as in the Chrome 141 experiment data). Adjust configurations if user disruption significantly exceeds anticipated levels.
## Implementation Guidance
### For Small Organizations
* **Prioritize Quick Wins:** Immediately enable *Always Use Secure Connections* globally. Since administrative overhead is lower, the focus should be on ensuring all organizational web properties are immediately HTTPS-ready.
* **Leverage Easy Certificate Providers:** For any internet-facing server, immediately secure it using free and low-friction certificate providers (like Let's Encrypt) to obtain trusted certificates.
### For Medium Organizations
* **Phased Rollout for User Settings:** Begin testing the *Always Use Secure Connections* setting via Group Policy or endpoint management tools on a small administrative group first, validating impact before a wider deployment targeted for Chrome 147 (April 2026).
* **Inventory Internal Traffic:** Create a clear inventory of all internal IP addresses or hostnames accessed over HTTP to prioritize which ones require certificate issuance vs. which can rely on the "public sites only" setting variant initially.
### For Large Enterprises
* **Utilize Enterprise Management Tools:** Use administrative templates (Group Policy Objects for Windows, configuration profiles for macOS/Linux) to **enforce** the "Always Use Secure Connections" setting or the specific "public sites only" variant, aligning with the expected default in Chrome 154 (October 2026).
* **Consult Enterprise Mitigation Resources:** Review specific documentation for IT professionals managing Chrome clients to configure the right warning behavior that meets organizational security needs without excessive disruption across complex internal environments.
* **Address Local Network Access in Device Configuration:** Ensure network device configuration portals utilize the Local Network Access permission workflow to permit HTTPS connections from secure origin pages, thus mitigating reliance on HTTP for device management.
## Configuration Examples
* **Enabling "Always Use Secure Connections (Public Sites Variant)" via GPO (Conceptual):**
  * **Policy Name:** Configure "Always Use Secure Connections"
  * **Setting:** Enabled
  * **Mode Selection:** Select "Only use HTTPS for public sites" (This configuration mirrors the behavior intended for the default setting in Chrome 154).
  * **Note:** Actual policy names/values should be verified against the current Chrome Enterprise policy list.
## Compliance Alignment
* **NIST SP 800-53 (Rev. 5):**
  * **SC-8 (Transmission Confidentiality and Integrity):** Use of HTTPS satisfies controls requiring encryption of transmitted non-public information.
  * **CM-7 (Configuration Settings):** Enforcing browser settings (like Always Use Secure Connections) aligns with managing secure baseline configurations.
* **CIS Critical Security Controls (v8):**
  * **Control 14 (Security Awareness and Skills Training):** Informing users about the change and the security implications of HTTP reduces the risk that users will bypass the warnings.
## Common Pitfalls to Avoid
1. **Ignoring Internal/Private Hostnames:** Assuming the transition only affects public websites. Localhost and intranet addresses are currently a significant source of HTTP traffic and must be addressed, either by securing them or configuring exceptions.
2. **Assuming Invisible Risk is Low Risk:** Do not trust HTTP connections that immediately redirect to HTTPS. Attackers can exploit the initial insecure step before the redirect occurs.
3. **Failing to Test Warning Volume:** Relying solely on external reports without testing the mandated setting internally. Excessive warnings can lead to user complaints and users attempting to disable the security feature entirely.
## Resources
* Chrome Security Team documentation on "Always Use Secure Connections" setting (Search for `chrome://settings/security` configuration guidance).
* Chrome Enterprise documentation (Search for organizational management guides related to Security policies).
* HTTPS Transparency Report (To benchmark current organizational vs. global HTTPS adoption).