Google Chrome will enable “Always Use Secure Connections” by default with the release of Chrome 154 in October 2026, the company announced.
The change means Chrome will ask for user permission before loading any public website that doesn’t use HTTPS encryption. Users will see a bypassable warning explaining the security risks of unencrypted connections.
Google is rolling out the feature in stages. Chrome 147 will enable it for over 1 billion Enhanced Safe Browsing users in April 2026. All Chrome users will get it by default six months later.
What’s Changing
Public Site Warning
The warning system applies exclusively to public websites. Chrome excludes private sites including local IP addresses, single-label hostnames, and internal shortlinks.
Chris Thompson and the Chrome Security Team wrote:
“HTTP navigations to private sites can still be risky, but are typically less dangerous than their public site counterparts because there are fewer ways for an attacker to take advantage of these HTTP navigations.”
Here’s an example of what the warning will look like:
Image Credit: GoogleWarning Frequency
Chrome limits how often users see warnings for the same sites. The browser won’t repeatedly warn about regularly visited insecure sites.
Testing data shows the median user sees fewer than one warning per week. The 95th percentile user sees fewer than three warnings per week.
Current HTTPS Adoption
HTTPS usage has plateaued at 95-99% of Chrome navigations across platforms. When excluding private sites, public HTTPS usage reaches 97-99% on most platforms.
Windows shows 98% HTTPS on public sites. Android and Mac exceed 99%. Linux reaches nearly 97%.
Why This Matters
You face security risks when clicking HTTP links. Attackers can hijack unencrypted navigations to load malware, exploitation tools, or phishing content.
Google’s transparency report shows HTTPS adoption stalled after rapid growth from 2015-2020. The remaining 1-5% of insecure traffic represents millions of navigations that create attack opportunities.
Website owners running HTTP-only sites have one year to migrate before Chrome warns their visitors.
You can enable “Always Use Secure Connections” today at chrome://settings/security to test how the warnings affect your site traffic.
Looking Ahead
Google continues outreach to companies responsible for the highest HTTP traffic volumes. Many sites use HTTP only for redirects to HTTPS destinations, creating an invisible security gap the new warnings will close.
Chrome plans additional work to reduce HTTPS adoption barriers for local network sites. The company introduced a local network access permission that allows HTTPS pages to communicate with private devices once users grant permission.
Users can disable warnings by turning off the “Always Use Secure Connections” setting. Enterprise and educational institutions can configure Chrome to meet their specific warning requirements.
Featured Image: Philo Athanasiou/Shutterstock
