Chrome to Enforce HTTPS by Default in 2026, Raising Pressure on HTTP-Only Sites

Google has announced that Chrome 154, scheduled for release in October 2026, will enable "Always Use Secure Connections" by default—marking a decisive shift in how the world's most widely used browser handles unencrypted web traffic. Under the new default settings, Chrome will require explicit user permission before allowing the first access to any public site that lacks HTTPS encryption. The move effectively ends the era of passive tolerance for HTTP connections on the open web.

The policy change is grounded in documented attack patterns rather than theoretical risk. Google's security team notes that navigation hijacking software is readily available to attackers, and insecure HTTP has already been exploited to compromise user devices in targeted operations. When a connection lacks encryption, attackers positioned on the network can intercept and redirect users to attacker-controlled resources—exposing them to malware delivery, exploitation frameworks, or social engineering lures. The Chrome Security mission frames this as a fundamental question of intent: ensuring users arrive at the destinations they chose, not where an attacker sends them.

For website operators still serving content over HTTP, the announcement signals a clear deadline for migration. While users will retain the ability to proceed to HTTP sites after acknowledging the warning, the friction introduced at first access could significantly reduce traffic to non-compliant destinations. The change also raises questions about legacy infrastructure, internal tools, and regions where certificate deployment remains challenging. As the October 2026 milestone approaches, organizations with unencrypted public-facing assets face growing pressure to adopt HTTPS or risk user attrition and security scrutiny.