Most of the web is now encrypted in transit with HTTPS, which has been a substantial improvement for privacy and security over regular HTTP websites. Now, Google Chrome is gearing up to take the next step: warning people when they try to visit non-secure websites.
Google introduced the ‘Always Use Secure Connections’ setting in Chrome back in 2022, which attempts all connections over HTTPS and shows a warning to bypass the restriction if HTTPS is unavailable. Starting with Chrome 154 in October 2026, this setting will be enabled by default for everyone.
When this change rolls out, or if you enable the setting today, you’ll see a warning when you visit a site that doesn’t support HTTPS. You can still bypass it, but Chrome will let you know that attackers and see and change the website’s data. If you do need to visit the site, Chrome recommends you at least wait until you’re on a trusted network, like your home’s Wi-Fi connection.
Before support for HTTPS became common, it was easy for internet service providers, public Wi-Fi networks, and third-party attackers to monitor your web traffic and inject code. For example, AT&T and Comcast were injecting advertisements into web pages around a decade ago. When you visit a site with HTTPS support, the data is encrypted along the entire journey. Internet service providers and anyone with network access might still see some basic data about your web usage, like the domains you visit, but HTTPS prevents detailed scanning and modification of web traffic.
Chrome on Windows, Android, Mac, and ChromeOS already load 95-99% of all web pages over HTTPS. Chrome on Linux is further behind, at around 85% of all web pages. That’s largely due to Linux users being more likely to try self-hosted web services, where setting up HTTPS is a rarity. Google said today that HTTPS usage on Linux is closer to 97% when only analyzing public site usage.
Google has carved out a few exceptions to the warnings, though. You’ll only see the popup when visiting an HTTP site for the first time, or the first time in a while. The warning will also not appear for local and private sites, like the web panels for your router or NAS. You can enable warnings for private sites in the browser settings, but Google won’t flip that switch for everyone.
Google explained, “HTTP navigations to private sites can still be risky, but are typically less dangerous than their public site counterparts because there are fewer ways for an attacker to take advantage of these HTTP navigations. HTTP on private sites can only be abused by an attacker also on your local network, like on your home wifi or in a corporate network.”
This change will roll out to everyone starting in October 2026, with the release of Chrome 154 on all platforms. However, you can enable it right now by opening Chrome settings (chrome://settings) and navigating to Privacy and Security > Security > Always use secure connections.
Source: Google