Major Shift: Chrome 154 Will Default to “Always Use Secure Connections,” Warning Users Before Insecure HTTP Sites
Ddos 
Google has announced that starting with Chrome 154, releasing in October 2026, the browser will automatically enable “Always Use Secure Connections” by default, marking one of the most significant shifts in web security since HTTPS first became the standard.
According to Google’s announcement, “One year from now, with the release of Chrome 154 in October 2026, we will change the default settings of Chrome to enable ‘Always Use Secure Connections.’ This means Chrome will ask for the user’s permission before the first access to any public site without HTTPS.”
The decision aims to protect users from man-in-the-middle (MitM) attacks, malware injections, and targeted exploitation that remain possible through unencrypted HTTP traffic.
While over 95% of global web traffic already uses HTTPS, Google’s data shows that the remaining insecure fraction still presents a significant threat. Attackers only need a single unencrypted navigation to intercept or modify content.
As the Chrome Security Team explains, “When links don’t use HTTPS, an attacker can hijack the navigation and force Chrome users to load arbitrary, attacker-controlled resources, and expose the user to malware, targeted exploitation, or social engineering attacks.”
In practice, this means that even one HTTP redirect or embedded resource can compromise the integrity of a user’s session — and until now, many users never saw any warning.
Google notes that most insecure requests go unnoticed: “Many plaintext HTTP connections today are entirely invisible to users, as HTTP sites may immediately redirect to HTTPS sites. That gives users no opportunity to see Chrome’s ‘Not Secure’ URL bar warnings after the risk has occurred.”
Google first introduced “Always Use Secure Connections” as an opt-in feature in 2022. This optional mode instructed Chrome to upgrade all navigations to HTTPS, showing a warning only if a site lacked encryption.
Now, after years of global HTTPS adoption and internal testing, Chrome engineers believe the ecosystem is ready for a mandatory rollout.
While enforcing HTTPS is a major security upgrade, Google acknowledges that abrupt warnings for all HTTP sites could cause unnecessary friction.
To avoid this, Chrome will implement smart warning logic. Users who regularly access the same HTTP site won’t see repetitive alerts — only first-time or infrequent visits will trigger warnings.
Google clarified that the majority of remaining HTTP traffic involves private network addresses — for example, router setup pages or local IPs such as 192.168.0.1. Because these are not publicly routable domains, they will be exempt from the default warning behavior.
However, public websites using HTTP will face strict enforcement.
In April 2026, Chrome 147 will enable the feature by default for users with Enhanced Safe Browsing, before expanding globally six months later.
Related Posts:
- CISA Warns of F5 BIG-IP Cookie Exploitation
- Warning: Popular Apps Leaking Your Private Data
- Chrome will no longer flag HTTPS pages as secure sites
- Google Chrome 68 officially mark all HTTP sites as “Not Secure”
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
