Seattle | November 28, 2023 – Google has taken a crucial step in boosting Chrome’s internet security by automatically switching insecure HTTP requests to HTTPS requests for all users.
This new feature, known as HTTPS-Upgrades, aims to secure outdated links still using the http:// format by automatically trying to connect to the URL using the encrypted https:// protocol.
Initially introduced in a limited capacity in July, Google has now rolled out this feature to all users on the Stable channel as of October 16th.
What do HTTPS-Upgrades entail?
HTTPS-Upgrades is a feature in Google Chrome designed to automatically upgrade primary page navigations to HTTPS, the secure version of the HyperText Transfer Protocol, while ensuring a swift fallback to HTTP if necessary.
In the past, browsers often made insecure HTTP requests to websites capable of supporting HTTPS. This could occur when users clicked on outdated links or when website content hadn’t been updated to use the secure protocol. Connections made over HTTP are unencrypted and susceptible to snooping, potentially compromising sensitive data like credentials.
Google notes that a navigation can still end up over plain HTTP in several common scenarios:
- A user visits a site using HSTS (HTTP Strict Transport Security) for the first time.
- Accessing a site that defaults to HTTPS but doesn’t use HSTS.
- Visiting a site that supports both HTTPS and HTTP without automatic redirection to HTTPS.
Each of these scenarios jeopardizes user privacy and security through unnecessary insecure connections, affecting numerous requests across different configurations.
Traditional methods to enforce HTTPS, like the HSTS preload list or manual upgrade lists, have limitations. They either involve complex setups or cater to a limited set of sites. Additionally, maintaining an updated list of HTTPS-supported sites can be challenging and resource-intensive, leading to outdated information reaching users.
Google’s solution with HTTPS-Upgrades
With this update, Chrome automatically upgrades top-level (main-frame) HTTP navigations, such as a click on an http:// link, to HTTPS, with a fast fallback to HTTP when the HTTPS attempt fails.
The browser may also respect an opt-out header, allowing web servers serving different content on HTTP and HTTPS to prevent automatic upgrades.
This update necessitates adjustments to the Fetch specification, particularly in upgrading main-frame navigation requests and managing network errors in upgraded requests.
Impacts on browsing:
- Restricted to main-frame navigations, with subresource upgrades governed by existing mixed content policies.
- Only idempotent navigations such as GET are upgraded; form submissions are left to the existing mixed content policies that already govern forms on upgraded pages.
- Redirects from HTTPS to HTTP during initial navigations are also upgraded.
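The upgrade-with-fallback rules above, modelled as an added example in JavaScript. This is illustrative code written for this article, not Chrome's implementation. It runs a simulated main-frame navigation against a constructed table of fake origins that covers the three scenarios listed earlier (HSTS seen for the first time, HTTPS by default without HSTS, HTTP and HTTPS both served with no redirect) plus an HTTP-only host, a host that opts out, and a host whose https:// endpoint redirects back to http://. The opt-out header name (x-https-upgrade-opt-out), the hop limit and the loop-guard behaviour are assumptions made for the model, not Chrome's actual values.

```javascript
// Added example, not Chrome's code: a model of the HTTPS-Upgrades decision for
// one main-frame navigation, exercised against constructed fake origins.

const UPGRADEABLE_METHODS = new Set(["GET", "HEAD"]); // idempotent only; POST stays HTTP
const OPT_OUT_HEADER = "x-https-upgrade-opt-out";     // assumed name, not a real Chrome header
const MAX_HOPS = 8;                                   // assumed redirect/upgrade budget

// Constructed origin table. `https: null` means no TLS listener (connection refused).
const ORIGINS = {
  "hsts.example":     { http:  { status: 301, headers: { location: "https://hsts.example/" } },
                        https: { status: 200, headers: { "strict-transport-security": "max-age=31536000" } } },
  "redirect.example": { http:  { status: 302, headers: { location: "https://redirect.example/" } },
                        https: { status: 200, headers: {} } },
  "both.example":     { http:  { status: 200, headers: {} },
                        https: { status: 200, headers: {} } },
  "legacy.example":   { http:  { status: 200, headers: {} },
                        https: null },
  "split.example":    { http:  { status: 200, headers: {} },
                        https: { status: 200, headers: { [OPT_OUT_HEADER]: "1" } } },
  "bounce.example":   { http:  { status: 200, headers: {} },
                        https: { status: 302, headers: { location: "http://bounce.example/" } } },
};

class NetworkError extends Error {}

// Stand-in for the network layer: looks the URL up in ORIGINS instead of connecting.
function fakeFetch(url) {
  const u = new URL(url);
  const origin = ORIGINS[u.hostname];
  const resp = origin && origin[u.protocol === "https:" ? "https" : "http"];
  if (!resp) throw new NetworkError(`cannot connect to ${u.origin}`);
  return { url, ...resp };
}

function toHttps(url) {
  const u = new URL(url);
  u.protocol = "https:";
  return u.href;
}

// Which of the article's scenarios an origin falls into, judged from its responses.
function classifyOrigin(host) {
  const o = ORIGINS[host];
  if (!o.https) return "http-only";
  if ("strict-transport-security" in o.https.headers) return "hsts";
  const loc = o.http.headers.location || "";
  if (o.http.status >= 300 && o.http.status < 400 && loc.startsWith("https:")) return "https-default-no-hsts";
  return "both-no-redirect";
}

// Upgrade-with-fallback for a main-frame navigation. Returns where the navigation
// lands, whether that is HTTPS, and why ("upgraded", "as-requested", or the fallback cause).
function navigate(startUrl, method = "GET") {
  let url = startUrl;
  let upgradedFrom = null;       // http:// URL currently being tried as https://
  let fallback = null;           // why upgrading was abandoned, if it was
  const triedHttps = new Set();  // loop guard: https:// targets already attempted
  for (let hop = 0; hop < MAX_HOPS; hop++) {
    if (new URL(url).protocol === "http:" && UPGRADEABLE_METHODS.has(method)) {
      const candidate = toHttps(url);
      if (!triedHttps.has(candidate)) {
        triedHttps.add(candidate);      // first time here: try the upgraded URL
        upgradedFrom = url;
        url = candidate;
      } else if (fallback === null) {
        fallback = "redirect-loop";     // https:// sent us back to http://; stop upgrading
      }
      // otherwise we already fell back for this URL: load it over http:// as-is
    }
    let resp;
    try {
      resp = fakeFetch(url);
    } catch (e) {
      if (!(e instanceof NetworkError) || upgradedFrom === null) throw e;
      fallback = "network-error";       // fast fallback: retry the original http:// URL
      url = upgradedFrom;
      upgradedFrom = null;
      continue;
    }
    if (upgradedFrom !== null && OPT_OUT_HEADER in resp.headers) {
      fallback = "opt-out-header";      // server serves different content; honour http://
      url = upgradedFrom;
      upgradedFrom = null;
      continue;
    }
    if (resp.status >= 300 && resp.status < 400 && resp.headers.location) {
      url = new URL(resp.headers.location, url).href; // an http:// target goes round again
      upgradedFrom = null;
      continue;
    }
    return {
      finalUrl: url,
      secure: new URL(url).protocol === "https:",
      reason: upgradedFrom !== null ? "upgraded" : (fallback || "as-requested"),
    };
  }
  throw new Error(`gave up after ${MAX_HOPS} hops for ${startUrl}`);
}

for (const host of Object.keys(ORIGINS)) {
  console.log(host, classifyOrigin(host), navigate(`http://${host}/`));
}
```

Run it with Node; the loop at the end prints each origin's classification and where a plain http:// navigation to it lands. The loop guard is the part worth noticing: because upgraded navigations also upgrade HTTPS-to-HTTP redirect targets, a host whose https:// endpoint bounces back to http:// would otherwise never settle, so the model gives up upgrading a URL the second time it sees it and loads it over HTTP.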
This automatic upgrade does not prevent downgrades, since a failed HTTPS attempt still falls back to HTTP, but it is never worse than today's behaviour. It removes exposure to passive eavesdroppers on sites that do support HTTPS, while an active attacker who can block the HTTPS connection can still force the fallback. Notably, the change may also reduce developers' motivation to fix HTTP references themselves.
Considering the trend of marking HTTP pages as “Not secure,” this proactive upgrade aims to protect users, particularly on sites less likely to transition to HTTPS.