Chrome Will Alert You Before Loading Unsafe Websites
▼ Summary
– Google Chrome will enable “Always Use Secure Connections” by default starting with Chrome 154 in October 2026, requiring permission to load unencrypted public websites.
– The feature will roll out in stages, first for Enhanced Safe Browsing users in April 2026 and for all users six months later, with bypassable warnings for HTTP sites.
– Warnings apply only to public websites, excluding private sites like local IP addresses, and will not be shown repeatedly for the same regularly visited insecure sites.
– HTTPS adoption has plateaued at 95-99% of Chrome navigations, with the remaining insecure traffic representing millions of navigations vulnerable to attacks like malware or phishing.
– Website owners have one year to migrate to HTTPS before warnings begin, and users can currently enable the feature in settings or disable warnings if needed.
Beginning in October 2026, Google Chrome will automatically activate the “Always Use Secure Connections” feature for all users, marking a major step forward in web security. This default setting means Chrome will display a bypassable security alert before loading any public website that lacks HTTPS encryption, giving users a clear warning about potential risks.
Google plans to introduce this change in phases. Starting with Chrome 147 in April 2026, the feature will first roll out to more than one billion users enrolled in Enhanced Safe Browsing. Six months later, it will become the standard for everyone using Chrome.
The new warning system will only apply to public websites. It will not affect private sites such as those using local IP addresses, single-label hostnames, or internal shortlinks. According to Chris Thompson and the Chrome Security Team, while HTTP connections to private sites can still pose risks, they are generally less dangerous than public ones because attackers have fewer opportunities to exploit them.
Chrome will also limit how often users see these warnings for the same insecure site. Testing indicates that the typical user will encounter fewer than one alert per week, and even heavy users in the 95th percentile will see fewer than three weekly warnings.
Current data shows that HTTPS adoption has leveled off, with 95–99% of Chrome page loads across platforms now using secure connections. When private sites are excluded, public site HTTPS usage is even higher, 98% on Windows, over 99% on Android and Mac, and close to 97% on Linux.
The importance of this update cannot be overstated. Visiting HTTP-only websites exposes users to significant security threats, including potential hijacking by attackers who can inject malware, exploitation tools, or phishing content. Although HTTPS usage grew quickly between 2015 and 2020, progress has since stalled. The remaining 1–5% of insecure traffic still represents millions of navigations that create openings for cyberattacks.
Website operators who still rely on HTTP have roughly one year to transition to HTTPS before Chrome begins notifying their visitors. Those who want to preview the impact can enable the “Always Use Secure Connections” setting now by visiting chrome://settings/security.
Looking forward, Google is actively contacting organizations responsible for the largest volumes of HTTP traffic. Many of these sites only use HTTP for redirecting visitors to HTTPS pages, a hidden vulnerability that the new warnings will help eliminate. Chrome is also developing solutions to ease HTTPS adoption for local network sites, having already introduced a local network access permission that allows secure pages to interact with private devices after receiving user approval.
Users who prefer not to see these alerts can disable the feature in settings, while enterprises and educational institutions will have options to customize Chrome’s warning behavior to fit their specific needs.
(Source: Search Engine Journal)
