For over a decade, Google has been on a mission to make the web a safer place by pushing for the adoption of HTTPS. This week, they’ve officially set the deadline for the final step. In a new post on the Google Security Blog, the company announced that one year from now, with the release of Chrome 154 in October 2026, Chrome will change its default settings to “Always Use Secure Connections.” This is a massive and long-overdue move that will fundamentally enhance security for all Chrome users. Here’s what it means for you.
Even one insecure link is a risk
This change is designed to close a persistent and often invisible security loophole. When you click on a link that uses insecure HTTP (without the ‘S’), an attacker can hijack that connection to redirect you to a malicious site, exposing you to malware or phishing attacks.
The real problem is that attackers only need a single insecure link to get a foothold. What’s worse, many of these insecure navigations are invisible to users. An HTTP site might instantly redirect to an HTTPS site, meaning you never even see Chrome’s “Not Secure” warning in the URL bar, even though you were briefly exposed to risk.
The web is finally ready
Google’s HTTPS transparency report shows that web encryption has matured. After climbing from around 40% in 2015 to over 95% by 2020, adoption has largely plateaued. That massive adoption rate proves the web is ready for this change, but the plateau shows that without a push, the remaining insecure sites might stay that way indefinitely.
How Google will avoid “Warning Fatigue”
If you’re worried that this will lead to a constant barrage of annoying warnings, don’t be. This is where Google’s plan gets very smart. They are tackling this in two key ways:
- It won’t bug you repeatedly: Chrome will only warn you when you visit a new or not recently visited insecure public site. If you have an old HTTP-only site you visit regularly, Chrome will learn that and won’t warn you about it over and over.
- It will ignore private sites: This is the most important part. A huge chunk of the remaining HTTP traffic is to private sites, like your router’s admin page (e.g., 192.168.0.1) or internal company websites. Getting a trusted HTTPS certificate for these “non-unique” names is very complicated. By enabling the “public sites only” variant of this feature, Google avoids warning you about this much lower-risk traffic, dramatically reducing the number of warnings you’ll see.
Google already tested this with a small percentage of users and found that the median user saw fewer than one warning per week. Most people will barely notice the change, but they will be significantly safer.
The Timeline
This change won’t happen all at once. Here’s the rollout plan:
- April 2026 (Chrome 147): “Always Use Secure Connections” (for public sites) will be enabled by default for all users who have opted into Enhanced Safe Browsing.
- October 2026 (Chrome 154): The feature will be enabled by default for all Chrome users.
If you’re a website developer or IT professional, the message is clear: the clock is ticking. You have one year to identify and migrate any remaining public-facing HTTP sites to HTTPS.
Join Chrome Unboxed Plus
Introducing Chrome Unboxed Plus – our revamped membership community. Join today at just $2 / month to get access to our private Discord, exclusive giveaways, AMAs, an ad-free website, ad-free podcast experience and more.
Plus Monthly
$2/mo. after 7-day free trial
Pay monthly to support our independent coverage and get access to exclusive benefits.
Plus Annual
$20/yr. after 7-day free trial
Pay yearly to support our independent coverage and get access to exclusive benefits.
Our newsletters are also a great way to get connected. Subscribe here!
Click here to learn more and for membership FAQ
