Google Chrome will switch to choosing HTTPS as the default protocol for all URLs typed in the address bar, starting with the web browser's next stable version.
This feature entered testing last month, and it rolled out as part of a limited experiment for users of Chrome Canary, Dev, or Beta.
The change will roll out to the stable versions of Chrome for desktop and Chrome for Android with the update to version 90 (to be released on April 13), with an iOS rollout scheduled for later this year.
This move is part of a larger effort to defend users from attackers attempting to intercept their unencrypted web traffic, and to speed up the loading of websites served over HTTPS.
"Chrome will now default to HTTPS for most typed navigations that don't specify a protocol," Chrome team's Shweta Panditrao and Mustafa Emre Acer said.
"In addition to being a clear security and privacy improvement, this change improves the initial loading speed of sites that support HTTPS, since Chrome will connect directly to the HTTPS endpoint without needing to be redirected from http:// to https://.
"For sites that don't yet support HTTPS, Chrome will fall back to HTTP when the HTTPS attempt fails (including when there are certificate errors, such as name mismatch or untrusted self-signed certificate, or connection errors, such as DNS resolution failure)."
How to test it right now
Google Chrome users who want to test this new feature before it reaches the stable channel can do so by enabling an experimental flag.
To do that, you will have to go to chrome://flags/#omnibox-default-typed-navigations-to-https and enable HTTPS as the default navigation protocol.
You also have the option to choose a 3- or 10-second timeout to give the browser enough time to determine the availability of the HTTPS URL.
If Chrome cannot find an HTTPS version for the website you entered in the address bar, it will automatically fall back to the HTTP URL.
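The typed-navigation behaviour described above, sketched as an added Python example (not Chrome's code and not part of the original article): it is a simplified model built only from the article's description. The function names, the probe interface and the `.example` hosts are assumptions made for illustration. Site owners can use `https_probe` to see whether a host would pass the HTTPS attempt or trigger the HTTP fallback.

```python
import socket
import ssl
from urllib.parse import urlsplit


def https_probe(host, port, timeout):
    """Return None if a certificate-validated TLS handshake succeeds, else a reason."""
    ctx = ssl.create_default_context()  # validates the chain and the host name
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return None
    except ssl.SSLCertVerificationError as exc:
        return "certificate error: " + exc.verify_message
    except socket.gaierror:
        return "DNS resolution failure"
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        return "connection error: " + str(exc)


def resolve_typed_navigation(typed, probe=https_probe, timeout=3.0):
    """Simplified model of the article's description; returns (url, note)."""
    typed = typed.strip()
    if "://" in typed:  # a protocol was typed, so the HTTPS default does not apply
        return typed, "protocol specified by the user"
    parts = urlsplit("//" + typed)
    reason = probe(parts.hostname, parts.port or 443, timeout)
    if reason is None:
        return "https://" + typed, "HTTPS attempt succeeded"
    return "http://" + typed, "fell back to HTTP: " + reason


if __name__ == "__main__":
    # Constructed outcomes so the demo runs offline; swap in https_probe for real hosts.
    outcomes = {"secure.example": None, "legacy.example": "certificate error: name mismatch"}
    fake = lambda host, port, timeout: outcomes.get(host, "DNS resolution failure")
    for typed in ("secure.example", "legacy.example/login", "http://localhost:8080/"):
        print(typed, "->", resolve_typed_navigation(typed, probe=fake, timeout=10.0))
```

Any host reported as falling back is still being served over unencrypted HTTP to users who type its name without a protocol, so the usual fix is a valid certificate for that host name.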
"For sites that don’t yet support HTTPS, Chrome will fall back to HTTP when the HTTPS attempt fails (including when there are certificate errors, such as name mismatch or untrusted self-signed certificate, or connection errors, such as DNS resolution failure)," they said.
"HTTPS protects users by encrypting traffic sent over the network, so that sensitive information users enter on websites cannot be intercepted or modified by attackers or eavesdroppers," Panditrao and Acer added.
"Chrome is invested in ensuring that HTTPS is the default protocol for the web, and this change is one more step towards ensuring Chrome always uses secure connections by default."
Comments
Mike_Walsh - 3 years ago
O-kay. So; how does this work if you're using an internal application - running as 'localhost' - that utilises an HTML page for its GUI? I've always used "http" for this......after all, it's not like it's going out over the web, because it's NOT.
It doesn't even make it as far as DNS resolution, since 'localhost' SHOULD keep it purely internal.
CJatWork - 3 years ago
Mike, in the article it states "...when the user types a URL without the protocol in the omnibox such as 'example.com' ". I would assume that if you are already including "http", it'll take you right to where you told it to go since there is no guesswork involved on the part of the browser. I think this is just a change from most sites being http in the past to most sites being https these days. With most (all?) browsers not requiring the protocol for many years now, most users haven't got a clue as to what those letters even mean. Actually, I'd wager the average user NEVER knew or cared, heh.
Brenza - 3 years ago
If you type http:// at the beginning of the URL, Chrome will use the protocol you specified.
This only means that if you type google.com in the address bar the browser will assume you're trying to open an https connection.