Google has taken a significant step towards enhancing Chrome internet security by automatically upgrading insecure HTTP requests to HTTPS requests for 100% of users.
This feature is called HTTPS-Upgrades and will secure old links that utilize the http:// by automatically attempting to first connect to the URL over the encrypted https:// protocol.
A limited rollout of this feature in Google Chrome began in July, but as of October 16th, Google has now rolled it out to all users on the Stable channel.
“We enabled HTTPS-Upgrades by default on trunk last week, and are currently rolling out to 100% Stable,” reads an update from Google Engineering Program Management Leader Chris Thompson.
What are HTTPS-Upgrades?
HTTPS-upgrades is a Google Chrome feature that automatically upgrades all main-frame navigations to HTTPS, the secure version of the HyperText Transfer Protocol while ensuring a quick fallback to HTTP if needed.
Historically, browsers often made insecure HTTP requests to sites that were capable of supporting HTTPS.
Whether that be due to users clicking on old links or because content on websites has not been upgraded to use the new protocol, connections over the HTTP protocol are not encrypted and can be snooped on to steal credentials or other sensitive data.
Google says this could also happen by loading HTTP resources from:
- A user navigating to a site using HSTS (HTTP Strict Transport Security) for the first time,
- Accessing a site that defaults to HTTPS but doesn’t employ HSTS, or
- Visiting a site that supports both HTTPS and HTTP without automatic redirection to HTTPS.
In each case, users’ privacy and security are compromised through unnecessary insecure connections. This issue persisted across various configurations, potentially affecting many requests.
Existing methods to enforce HTTPS, such as the HSTS preload list or manually curated upgrade lists, have limitations. They either involve complex and risky setups or cater to a limited range of sites.
Additionally, maintaining an up-to-date list of HTTPS-supported sites can be challenging and bandwidth-intensive, often leading to outdated information reaching users.
Google is fixing security issues with HTTPs-upgrades
With this update, Chrome aims to automatically upgrade in-page HTTP links to HTTPS, implementing a swift fallback mechanism to HTTP if required.
The browser may also respect an opt-out header, allowing web servers that serve different content on HTTP and HTTPS to prevent auto-upgrades.
This behavior will necessitate modifications to the Fetch specification, particularly concerning the upgrade of main-frame navigation requests and the handling of network errors in upgraded requests.
The upgrade impacts various aspects of browsing:
- It’s confined to main-frame navigations, with subresource upgrades governed by existing mixed content policies.
- The upgrade affects only idempotent requests like GET, aligning with current mixed content policies for forms on upgraded pages.
- Redirects to HTTP from initial HTTPS navigations are also upgraded.
While this automatic upgrade doesn’t prevent downgrades, it offers no less security than the current norm.
It limits exposure to passive attackers, although active attackers could hinder the upgrade process. Importantly, this change might reduce developers’ motivation to rectify HTTP references.
However, given the current trend of marking HTTP pages as “Not secure,” this upgrade is a proactive measure to protect users, especially on sites unlikely to be updated to HTTPS.