
Chrome to Enforce HTTPS Web Protocol (Like It or Not)

If you type in securityboulevard.com, Chrome version 90 will send you directly to the secure version of the site. Surprisingly, that’s not what it currently does—instead, Google’s web browser relies on the insecure site to silently redirect you.

That’s slow. And it’s a privacy problem, potentially. This seemingly unimportant change could have a big—if unseen—impact.

So long, cleartext web. In today’s SB Blogwatch, we hardly knew ye.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Making breakfast.

What a Difference an ‘s’ Makes

What’s the craic? Thomas Claburn reports—“Chrome 90 goes HTTPS by default”:

 Lack of security is currently the norm in Chrome. … The same is true in other browsers. … This made sense in the past when most websites had not implemented support for HTTPS.

But these days, most of the web pages loaded rely on secure transport. … Among the top 100 websites, 97 of them currently default to HTTPS. [So] when version 90 of Google’s Chrome browser arrives in mid-April, initial website visits will default to a secure HTTPS connection.

Cool story, bro. Brian Fagioli gives it the beams—“Google Chrome 90 to use HTTPS by default”:

 As usual, humans are often ignorant or lazy when it comes to their own online safety. Ultimately, it is up to corporations to protect us. … This time, the wildly popular Chrome web browser is getting more secure thanks to a simple tweak.

Chrome 90 won’t be officially released as stable until April, so this is not a change users will see immediately. Thankfully, since Google is having the web browser fall back to http:// when https:// is not available, this should prove to be uneventful. [But] if you own or maintain a website that isn’t using https:// yet, it is time to make that change.

But perhaps you’ve already got it, as Joel Khalili explains—“a small but important upgrade”:

 Last month, the change took effect for a small proportion of users with the Chrome 89 update. With testing now complete, HTTPS will be made the default protocol for half-finished URLs with Chrome 90, which is currently set for a full public release on April 13 … (the change will not take effect for iOS users until a later date).

If an incomplete URL is typed … Chrome will automatically funnel all unfinished URL queries to the corresponding HTTPS address (e.g. https://example.com), provided the website supports the newer protocol. … The browser also blocks downloads from HTTP sources that sit underneath an HTTPS page, which prevents malicious actors from tricking victims into believing a download is coming from a secure source.

Use the source, Luke. #include Shweta Panditrao and Mustafa Emre Acer—“A safer default”:

 Starting in version 90, Chrome’s address bar will use https:// by default, improving privacy and even loading speed. … Chrome users who navigate to websites by manually typing a URL often don’t include “http://” or “https://”.

Users often type “example.com” instead of “https://example.com” in the address bar. In this case, if it was a user’s first visit to a website, Chrome would previously choose http:// as the default protocol … (one notable exception to this is any site in the HSTS preload list).

Chrome will now default to HTTPS for most typed navigations that don’t specify a protocol … (IP addresses, single label domains, and reserved hostnames such as test/ or localhost/ will continue defaulting to HTTP). … Chrome will fall back to HTTP when the HTTPS attempt fails (including when there are certificate errors, such as name mismatch or untrusted self-signed certificate, or connection errors).

This change is one more step towards ensuring Chrome always uses secure connections by default. … In addition to being a clear security and privacy improvement, this change improves the initial loading speed of sites that support HTTPS, since Chrome will connect directly to the HTTPS endpoint without needing to be redirected.
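The scheme-selection and fallback rule quoted above, modelled as an added example that is not Chrome's code or Google's: the exceptions (IP addresses, single-label domains, reserved hostnames) and the HTTP fallback on certificate or connection errors follow the quoted post, while the helper names and the constructed network outcomes are this example's own.

```python
import ipaddress
import ssl
from typing import Callable

# Reserved hostnames the quoted post says keep defaulting to HTTP
RESERVED_HOSTS = {"localhost", "test"}


def default_scheme(typed: str) -> str:
    """Return the scheme a Chrome 90 typed navigation would try first."""
    text = typed.strip()
    if "://" in text:                      # an explicit scheme is honoured as typed
        return text.split("://", 1)[0].lower()
    authority = text.split("/", 1)[0]
    if authority.startswith("["):          # bracketed IPv6 literal, e.g. [::1]:8080
        host = authority[1:].split("]", 1)[0]
    else:
        host = authority.split(":", 1)[0]  # drop any :port
    host = host.lower()
    try:
        ipaddress.ip_address(host)         # IP addresses stay on HTTP
        return "http"
    except ValueError:
        pass
    if host in RESERVED_HOSTS or "." not in host:   # reserved or single-label
        return "http"
    return "https"


def navigate(typed: str, attempt: Callable[[str], None]) -> str:
    """Try the default scheme; on an HTTPS failure (certificate or connection
    error) retry the same input over HTTP, as the quoted post describes."""
    scheme = default_scheme(typed)
    target = typed if "://" in typed else f"{scheme}://{typed}"
    try:
        attempt(target)
        return target
    except OSError:                        # ssl.SSLError and ConnectionError are OSErrors
        if scheme == "https" and "://" not in typed:
            fallback = f"http://{typed}"
            attempt(fallback)
            return fallback
        raise


# Constructed outcomes standing in for real connection attempts; no traffic is sent.
FAKE_NETWORK = {
    "https://example.com": None,                                         # HTTPS works
    "https://legacy.example": ssl.SSLCertVerificationError("name mismatch"),
    "http://legacy.example": None,                                       # only HTTP works
}


def fake_attempt(url: str) -> None:
    """Raise the constructed error for url, or ConnectionError if it is unknown."""
    err = FAKE_NETWORK.get(url, ConnectionError("no route"))
    if err is not None:
        raise err
```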

Sounds like a good idea. At least pornel can see the sense:

 That makes a lot of sense. HTTPS adoption is now very high, and this might push it a little bit further. … The web is quite usable without cleartext HTTP.

An interesting side effect of the change is that sites won’t have a working HTTP redirect any more. Inevitably, there will be sites that let their HTTP versions rot and break, which will eventually force all other web clients to default to HTTPS for web-compatibility.

But Mike 137 feels a bit bullied:

 What I would really like would be to be allowed to make my own choices and decisions, rather than having some external party I can’t influence in any way tell me what I can and cannot do. … Enforced controls are no real substitute for informed users as they get progressively circumvented in the arms race. However keeping users uninformed generates a lot more dosh, so enforced controls are the sticking plaster.

Is Google not the benevolent dictator it makes itself out to be? People such as paganel think not:

 That is a stupid idea. Forcing https on people’s throats is a stupid idea generally speaking but it wouldn’t have been that bad if it hadn’t been forced on … people by what is basically a monopoly.

Looking back, isn’t the web complicated now? Elledan yearns for the good ol’ days:

 Sometimes I wonder how us old fogies ever made it through the internet of the 90s and 00s in one piece without the Invisible Hand of Privacy guiding our every move, or alternatively beating us into submission if we dare stray off the cordoned-off path. … I think they told us to not give out any personal information and always use a nickname online.

Don’t talk to strangers, basically.

But why are we focusing on the privacy angle? Ajedi32 feels the need—the need for speed: [Talk to me, Goose—Ed.]

 It seems like this is primarily a performance optimization. … One less round trip when navigating to a site by typing the domain name.

Meanwhile, Hubert Cumberdale sounds mildly conflicted:

 I still hate Google, and I still don’t think they should have this power. I’m just glad they’re doing something with it I approve of, for once.

And Finally:

How to make breakfa … wait, what?

Hat tip: Mark Frauenfelder

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Dennis Skley (cc:by-nd)


Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
