Chrome is set to stop loading plain‑HTTP pages by default next October.
In Chrome 154, due for release in October 2026, the browser will turn on the “Always Use Secure Connections” setting for every user. When a user clicks a link that can’t be reached over HTTPS, Chrome will pause and ask for permission before loading the insecure version. The feature first appeared as an opt‑in in 2022 and was trialed on a small slice of users in Chrome 141, where the median user saw fewer than one warning per week. A public‑sites‑only variant will roll out in Chrome 147 for users with Enhanced Safe Browsing, and the full default will follow a year later.
The move matters because a single insecure navigation can hand an attacker a foothold, even if the rest of the web is HTTPS. While public‑site traffic is already 95‑99% encrypted, private‑network sites (e.g., 192.168.x.x) still use HTTP and are harder to secure with certificates. By warning only on new public sites, Chrome hopes to keep the user experience smooth while nudging the remaining 1‑5% of risky sites toward TLS. Enterprises and developers get a heads‑up to migrate legacy devices before the default lands.
For now, the setting can be disabled, but Google urges admins to enable it early and audit their internal tools. If the rollout goes as planned, the web’s last pockets of plaintext traffic may finally disappear—though users on private networks will still need workarounds.
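As a starting point for the audit of internal tools mentioned above, the following added example (not code from Chrome or Google) sorts a URL inventory into HTTPS, plain HTTP on public hosts, and plain HTTP on private-network hosts. The function names, the sample inventory and the private-host heuristic are assumptions made for illustration; the heuristic works offline on the URL text alone and is not Chrome's own classification logic.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: name suffixes treated as private-network names. This is a triage
# heuristic for an inventory, not Chrome's own classification logic.
PRIVATE_SUFFIXES = (".local", ".internal", ".home.arpa", ".localhost")

def is_private_host(host: str) -> bool:
    """True for literal private/loopback/link-local IPs and non-public names."""
    try:
        ip = ipaddress.ip_address(host)
        return ip.is_private or ip.is_loopback or ip.is_link_local
    except ValueError:
        pass  # not an IP literal, fall through to hostname checks
    name = host.rstrip(".").lower()
    # Single-label names (e.g. "printer") cannot be public DNS names.
    # A dotted name that resolves to a private address is NOT caught here,
    # because no DNS lookup is done; review the http_public bucket by hand.
    return "." not in name or name.endswith(PRIVATE_SUFFIXES)

def audit(urls):
    """Bucket URLs by scheme and, for plain HTTP, by public vs private host."""
    report = {"https": [], "http_public": [], "http_private": [], "other": []}
    for url in urls:
        parts = urlsplit(url.strip())
        host = parts.hostname or ""
        if parts.scheme == "https":
            report["https"].append(url)
        elif parts.scheme == "http" and host:
            key = "http_private" if is_private_host(host) else "http_public"
            report[key].append(url)
        else:
            report["other"].append(url)
    return report

# Constructed sample inventory (example.com names and private addresses only).
INVENTORY = [
    "https://wiki.example.com/",
    "http://192.168.1.10/admin",
    "http://printer/status",
    "http://legacy.example.com/login",
    "http://[fd00::1]:8080/",
    "http://nas.local/",
    "ftp://files.example.com/",
]

if __name__ == "__main__":
    for bucket, items in audit(INVENTORY).items():
        print(f"{bucket}: {items}")
```

Entries in `http_public` are the first candidates for migration to TLS; entries in `http_private` are the legacy devices and internal tools that need a certificate plan or a documented exception.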