Google Chrome will warn users before loading HTTP websites!

Signs:

  • https
  • Google Chrome

Author: AutonTrust

Time: 2026-02-03 10:44:15

October 29, 2025 – Google announced yesterday that starting with Chrome version 154, to be released in October 2026, the Chrome browser will request user permission by default before connecting to public, unencrypted HTTP websites.

This means that when a user visits a public website that does not support HTTPS for the first time, Chrome will prompt the user to confirm whether to continue.

In other words, the era of "HTTPS by default" is truly coming.

In fact, back in 2021, Google introduced an optional "HTTPS-First Mode" in Chrome and added an "Always Use Secure Connections" setting. This mode prioritizes attempting to establish a connection via HTTPS (Hypertext Transfer Protocol Secure) when accessing websites, and displays a bypassable security warning when HTTPS is unavailable.

Google now states that this option will be enabled by default starting in 2026 to ensure that users only access websites via HTTPS, thereby preventing man-in-the-middle (MITM) attacks in which attackers eavesdrop on or tamper with data transmitted via unencrypted HTTP.

The team further explained: "When links do not use HTTPS, attackers may hijack page navigation, forcing Chrome users to load arbitrary resources controlled by the attacker, thereby exposing users to the risk of malware, targeted attacks, or social engineering attacks."

Google added that in all variations of the "Always Use Secure Connections" setting (whether it applies to public or private websites), Chrome will not warn users repeatedly about the same insecure website. As long as a user regularly visits an HTTP website, Chrome will not keep issuing warnings for it.

This means that, unlike the previous scenario where a warning might appear once every 50 navigations, Chrome will only warn users when visiting new or rarely visited non-HTTPS websites.

Furthermore, users can choose to enable "Insecure Connection Warnings" only for public websites, or enable it for both public and private websites (including corporate intranets).

It's worth noting that while HTTP on private websites also poses some risk, it is generally considered less dangerous than on public websites because attackers have fewer ways to exploit it. HTTP in these scenarios can typically only be abused by attackers on the same local network, such as home Wi-Fi or a corporate network.

Even if both types of warnings are enabled at the same time, users will not be overwhelmed by notifications—currently, about 95% to 99% of websites worldwide have adopted HTTPS, a significant increase compared to the adoption rate of about 30% to 45% in 2015.

Before enabling the feature by default across the board, Google will first enable "Always Use Secure Connections" for public websites in April 2026 (Chrome version 147) for the more than 1 billion users who have enabled Enhanced Safe Browsing.

"If you are a website developer or IT professional, and your users may be affected by this feature, we strongly recommend that you enable the 'Always use secure connection' setting immediately to identify sites that need to be migrated in advance."
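As an added example (not from the original article or from Google), here is one way to pre-screen a URL inventory for plain-HTTP sites that need migrating, split into the public and private groups discussed above. The private-host rules (RFC 1918, loopback and link-local addresses, single-label names, the listed suffixes) are an assumed approximation rather than Chrome's own logic, and the URLs are constructed samples.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Assumption: an approximation of "private" hosts, not Chrome's own logic.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
PRIVATE_SUFFIXES = (".local", ".internal", ".localhost", ".home.arpa")

# Constructed sample input, e.g. URLs exported from a proxy log or link inventory.
SAMPLE_URLS = [
    "https://www.example.com/login",
    "http://legacy.example.org/reports",
    "http://legacy.example.org/reports?page=2",
    "http://192.168.1.1/admin",
    "http://intranet/wiki",
    "http://printer.corp.internal/status",
    "http://203.0.113.10/status",
    "ftp://files.example.com/pub",
]

def classify(url):
    """Return (category, host): https, http-public, http-private or other."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
        return "other", None
    scheme = parts.scheme.lower()
    if scheme == "https":
        return "https", host
    if scheme != "http" or not host:
        return "other", host or None
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # a DNS name, not an IP literal
        private = "." not in host or host.endswith(PRIVATE_SUFFIXES)
    else:
        private = (ip.is_loopback or ip.is_link_local
                   or any(ip in net for net in PRIVATE_NETS))
    return ("http-private" if private else "http-public"), host

def migration_report(urls):
    """Return {category: Counter(host -> hits)} for every plain-HTTP host seen."""
    report = {"http-public": Counter(), "http-private": Counter()}
    for url in urls:
        category, host = classify(url)
        if category in report:
            report[category][host] += 1
    return report
```

Hosts listed under `http-public` are the ones the default public-site warning would affect first; `http-private` hosts matter when warnings are also enabled for private websites.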