In a recent blog post, Google explained that the company aims for Chrome to always use secure connections by default. HTTPS protects users by encrypting traffic sent over the network so sensitive information entered on websites cannot be intercepted or modified by attackers.
The move will improve privacy and even loading speeds for users who visit websites that support HTTPS, Google claims. For sites that don’t yet support HTTPS, Chrome will fall back to HTTP when the HTTPS attempt fails.
The new HTTPS feature will roll out initially on Chrome Desktop and Chrome for Android in version 90, with a release for Chrome on iOS following soon after.
“If a company has implemented best practices for their web resources traffic, the traffic should be forced to HTTPS by default,” said Josh Angell, application security consultant at nVisium. “However, this news does demonstrate a strong position by Google to lead by example and further encourage stronger controls around web traffic encryption in its products.”
Zach Jones, senior director of detection research at WhiteHat Security, added that the use of Transport Layer Security as the foundational security layer in HTTPS has become widely accepted by leading browser makers, most of which have improved their support for it, their enforcement of it, and the default protection they give their users.
“As a website and application scanning provider we continue to see a lack of transport layer protection and insufficient transport layer protection as one of the most prevalent risks to applications,” Jones said. “Unfortunately, our data shows that robust thinking about appropriate transport layer protection often takes a lower priority or falls through the gaps for organizations trying to deliver their applications and features at high velocity. I believe this measure will continue the encouraging trend of driving consumers to more secure behaviors and increase the demand on development organizations to implement strong Transport Layer Security when delivering their applications to those consumers.”