Google is taking a major step to enhance the online safety of its users by defaulting to secure HTTPS connections in the Chrome browser. This change, which makes secure navigation the norm, is a key move to mitigate security risks like navigation hijacking and exposure to malware. The ‘Always Use Secure Connections’ setting was initially introduced as an opt-in feature in 2022, and Google recently tested it by enabling it by default for a small fraction of users with the release of Chrome 141. Based on positive results from this trial, Google plans a full rollout.
Starting in October 2026, coinciding with the projected arrival of Chrome 154, the ‘Always Use Secure Connections’ setting will be activated by default for all users navigating to all public websites. The goal is to make the browsing experience more trustworthy, as encrypted connections prevent attackers from intercepting navigation requests. Google emphasizes that when a connection isn’t using HTTPS, an attacker can “hijack the navigation” to force the loading of “arbitrary, attacker-controlled resources,” which could expose users to malware, targeted exploitation, or social engineering attacks.
When a user attempts to visit a site that does not support a secure connection, Chrome will not automatically proceed. Instead, it will display a warning message and require the user’s explicit permission before navigating to the unsecure site. Furthermore, websites that have adopted HTTPS can still pose a risk if they serve even a single HTTP element. Users may not notice these insecure connections, especially if the site quickly redirects to an HTTPS domain without Chrome showing the standard ‘Not Secure’ URL warning. Google is proactively working with organizations to push for a full transition to HTTPS over the next year, noting that most existing HTTP navigations currently originate from sites that immediately redirect to their secure counterparts.
The internet is already largely secure; more than 95% of websites rely on encrypted connections. Google’s recent experiment showed that the unsecure connection warning appeared in less than 3% of navigations. The internet giant expects this volume to drop even further once the ‘Always Use Secure Connections’ feature becomes the default and more sites complete their migration away from HTTP. A newly introduced local network access permission is also expected to help in this transition by allowing websites that serve a mix of secure and insecure content to bypass certain mixed content checks once the feature is enabled.
Before the full default activation in Chrome 154, Google will first enable the setting in April 2026 with Chrome 147 for users who have opted into Chrome’s Enhanced Safe Browsing protections. For users who may need to visit an HTTP site without repeated warnings, the option to completely disable the ‘Always Use Secure Connections’ setting will remain available in Chrome’s configuration, allowing them to bypass the warnings for unsecure connections entirely.