Google reinforces its work to increase the use of HTTPS

HTTPS is the secure version of HTTP, which is the main protocol used to send data between a web browser and a website.

Recently, the Google developers in charge of the Chromium project announced in a blog post their intention to implement several steps to increase the use of HTTPS by default.

Among their main concerns, they mention that although about 90% of Chrome/Chromium user traffic comes from HTTPS sites, the other 5-10% of the remaining traffic is from HTTP sites, which translates into browsing marked as “Not secure”.

The developers mention in the post that Google's ultimate goal is to enable HTTPS-First for all users, which automatically redirects HTTP requests to HTTPS. However, not all sites support HTTPS yet, and there are configurations where different content is returned when accessing a site over HTTP and over HTTPS, so it was decided to implement a series of intermediate measures before the widespread introduction of automatic redirection to HTTPS.

We believe that the web should be secure by default. HTTPS-First mode allows Chrome to deliver exactly that promise, by getting your explicit permission before connecting to a site in an insecure way. Our goal is to eventually enable this mode for everyone by default. While the web is not yet ready to universally enable HTTPS-First mode today, we are announcing several important steps toward that goal.

As of Chrome 115, HTTPS-First mode was gradually enabled by default for a small percentage of users. To keep sites that do not support HTTPS working, a fallback to HTTP has been implemented for cases where, after the redirect, the request cannot be completed over HTTPS or there are problems with certificates.

For those who are unaware of HTTPS-First, it addresses the problem of sites serving different content over HTTP and HTTPS, for example when HTTPS is enabled but not configured on the server: for now, the mode is applied automatically only if previous HTTPS visits to the current site are recorded in the browsing history.

Downloaded files may contain malicious code that bypasses Chrome's sandbox and other protections, giving a network attacker a unique opportunity to compromise your computer when unsafe downloads occur. This warning is intended to inform people about the risk they are taking.

You will still be able to download the file if you are comfortable with the risk. Unless HTTPS-First mode is enabled, Chrome will not display warnings when files such as images, audio, or video are downloaded insecurely, as these file types are relatively safe. We hope to implement these warnings from mid-September.

At this stage, HTTPS-First mode is enabled for users who are signed in to their account and have agreed to participate in Google's Advanced Protection program.

Furthermore, it is mentioned that Chrome 117 plans to implement warnings when trying to download files over an insecure connection. Warnings will be displayed for files with some dangerous extensions (.exe, .zip) and will inform the user about the risk of these files being forged due to the use of an unencrypted communication channel. The user will be able to dismiss the warning and continue downloading via HTTP. Image, video, and music files will not receive these warnings.
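A site operator can check a page for links that would fall under the download warnings and the HTTPS upgrade described above. The following Python script is an added example, not code from Google or the Chromium project; the extension sets, the label names and the example.com sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from posixpath import splitext
from urllib.parse import urljoin, urlsplit

# Assumption: short illustrative sets. The article names only .exe and .zip as
# risky and images, audio and video as exempt; Chrome's own lists are not shown.
RISKY_EXT = {".exe", ".zip"}
MEDIA_EXT = {".png", ".jpg", ".gif", ".mp3", ".ogg", ".mp4", ".webm"}

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []  # raw href values of <a> tags, in document order

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def classify(url):
    """Label one absolute URL by how the article says Chrome treats it."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return "ok"  # HTTPS, or a non-web scheme such as mailto:
    ext = splitext(parts.path)[1].lower()
    if ext in RISKY_EXT:
        return "download-warning"
    if ext in MEDIA_EXT:
        return "media-no-warning"  # warned only when HTTPS-First mode is on
    return "plain-http"  # candidate for HTTPS upgrade with HTTP fallback

def audit_page(base_url, html):
    """Return (absolute_url, label) for every link whose label is not 'ok'."""
    collector = LinkCollector()
    collector.feed(html)
    labelled = [(u, classify(u)) for u in (urljoin(base_url, h) for h in collector.hrefs)]
    return [item for item in labelled if item[1] != "ok"]

# Constructed sample page: served over HTTPS but linking to HTTP resources.
SAMPLE_BASE = "https://www.example.com/downloads/"
SAMPLE_HTML = """
<a href="tool-1.0.zip">relative link, inherits https from the page</a>
<a href="http://mirror.example.net/SETUP.EXE">installer on an HTTP mirror</a>
<a href="http://cdn.example.org/intro.mp4">video over HTTP</a>
<a href="//cdn.example.org/logo.png">protocol-relative, resolves to https</a>
<a href="http://www.example.com/about">ordinary page over HTTP</a>
"""

if __name__ == "__main__":
    print(*audit_page(SAMPLE_BASE, SAMPLE_HTML), sep="\n")
```

Relative and protocol-relative links inherit the scheme of the page, so on an HTTPS page only links that spell out http:// are reported.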

Those who want to enable HTTPS-First mode without waiting for it to be activated by default in the browser can do so in the settings (chrome://settings/security) by enabling the “Always use secure connections” setting, or by using the experimental flags “chrome://flags/#https-upgrades” and “chrome://flags/#insecure-download-warnings”.

Finally, it is mentioned that a future version of Chrome is planned to enable HTTPS-First by default for pages opened in incognito mode. Experiments are also currently underway to automatically enable HTTPS-First for sites known to support HTTPS, as well as for users who rarely use HTTP in their browser.

If you are interested in knowing more about it, you can consult the details in the following link

