Google has announced that Chrome 154, scheduled for release in October 2026, will enable the browser’s “Always Use Secure Connections” mode by default for all users. Under the new behavior, Chrome will display a bypassable warning and request user permission before making the first connection to any public site that lacks HTTPS.

Why Now

Google’s HTTPS Transparency Report shows that the share of Chrome navigations using HTTPS climbed from roughly 30-45% in 2015 to the 95-99% range by around 2020, then plateaued. Google’s security team argues that this plateau demonstrates both that HTTPS is mature enough to enforce more broadly, and that voluntary adoption alone will not close the remaining gap. Critically, the team notes that attackers require only a single insecure navigation to gain a foothold: ready-made software for hijacking HTTP connections exists, and has been used in real targeted attacks against user devices.

An additional concern is visibility. Many HTTP pages immediately redirect to HTTPS, meaning Chrome’s “Not Secure” indicator appears only after the insecure request has already been made, giving users no opportunity to protect themselves in advance.

Public Sites First, Private Sites Excluded

The variant Google intends to roll out by default targets public sites only. Navigations to private addresses, including local IP ranges, single-label hostnames, and intranet shortlinks, are excluded from the warning. Google explains that private-site HTTP carries a reduced risk profile because an attacker must already be on the same local network to exploit it. Obtaining a trusted certificate for a private hostname also remains technically complicated, since private names are non-unique and cannot be validated by a public certificate authority in the conventional way.

Excluding private sites has a meaningful effect on warning volume. On Linux, for example, limiting analysis to public sites raises the measured HTTPS rate from 84% to nearly 97%. Windows moves from 95% to 98%, and Android and Mac both exceed 99% when private sites are excluded.

Designed to Limit Friction

To avoid warning fatigue, Chrome will suppress repeated warnings for sites a user visits regularly over HTTP. The warning is intended to surface primarily when a user navigates to a new or infrequently visited site that does not support HTTPS, rather than flagging every single insecure load.

Google began testing this configuration in Chrome 141, enabling the public-site-only mode for a small percentage of users to validate assumptions about warning volume and user experience before a full rollout.

What Security Teams Should Do

  • Audit any internally or externally facing web properties that still serve content over HTTP and prioritize certificate deployment.
  • Enterprise administrators who manage fleets with frequent intranet access should review Chrome policy settings, as private-site navigations are excluded from warnings by default but enterprise configurations may differ.
  • Web developers running local HTTP test environments should expect warnings when accessing those environments from Chrome 154 onward if the hostnames resolve as public.

The setting can be reviewed today at chrome://settings/security under “Always Use Secure Connections.”
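
For the audit step above, a first pass can sort a URL inventory into HTTP URLs on public hosts (which would trigger the warning), HTTP URLs on private hosts (excluded), and HTTPS. This is an added example, not Google's code: the private-host test approximates the categories named in this article (local IP ranges, single-label hostnames) and is not Chrome's actual logic, and the inventory, the RESOLVED map and the function names are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def is_private_host(host, resolved=None):
    """Approximation of the article's 'private site' categories (assumption, not Chrome's code)."""
    host = host.rstrip(".").lower()
    # 'resolved' is an optional hostname -> IP map from your own DNS data (hypothetical input).
    candidate = (resolved or {}).get(host, host)
    try:
        ip = ipaddress.ip_address(candidate)
        return ip.is_private or ip.is_loopback or ip.is_link_local
    except ValueError:
        pass  # not an IP literal and no resolution supplied
    # Single-label names (intranet shortlinks such as "go", or "printer") count as private.
    return "." not in host

def triage(urls, resolved=None):
    """Sort URLs into: would warn, excluded as private, already HTTPS."""
    report = {"warn": [], "excluded_private": [], "https": []}
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme == "https":
            report["https"].append(url)
        elif parts.scheme == "http":
            private = is_private_host(parts.hostname or "", resolved)
            report["excluded_private" if private else "warn"].append(url)
    return report

# Constructed sample inventory; none of these are real findings.
INVENTORY = [
    "https://www.example.com/",
    "http://legacy.example.com/login",   # public name over HTTP
    "http://go/payroll",                 # intranet shortlink
    "http://192.168.1.10:8080/",         # local IP range
    "http://dev.example.test/",          # dotted name, resolves privately below
    "http://[fe80::1]/status",           # IPv6 link-local
    "http://printer/",                   # single-label hostname
]
RESOLVED = {"dev.example.test": "10.0.0.5"}  # constructed DNS data

if __name__ == "__main__":
    for bucket, items in triage(INVENTORY, RESOLVED).items():
        print(bucket, *items, sep="\n  ")
```

Without resolution data a dotted hostname is treated as public, which matches the developer caveat above: a test hostname that resolves as public is not excluded.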