Let\u2019s hash it out.<\/span><\/p>\n\n\n\n In the Chromium Project blog\u2019s March 23 update<\/a>, Google announced many updates that they\u2019ll be rolling out as part of their Chrome 90 update. The one in particular that we\u2019d like to highlight is their shift to making HTTPS the default protocol when loading websites for most users.<\/p>\n\n\n\n When users manually type in URLs without specifying the scheme (http:\/\/ vs https:\/\/) in Chrome 90, the browser will try to load the site using HTTPS automatically. This means that if someone just types yoursite.com<\/strong> into their browser, Google will load the site as https:\/\/yoursite.com<\/strong> instead of the usual http:\/\/yoursite.com<\/strong> by default. So, instead of trying to connect first using the insecure HTTP protocol, it will make the secure HTTPS protocol the go-to instead.<\/p>\n\n\n\n Historically, Google (and other browsers) would initially try to load all web pages using HTTP by default because it was the most widely used scheme for years. In recent years, this would result in the ugly \u201cNot Secure\u201d warnings displaying on your site \u2014 which likely drove away some potential customers for many businesses.<\/p>\n\n\n\n But now that HTTPS is the heavyweight champion on virtually all major platforms, they\u2019re now making the official switch to the secure protocol by default for all incomplete user queries rather than using it as a redirect.<\/p>\n\n\n\n Of course, there are a few specific exceptions that Google won\u2019t<\/em> use HTTPS for automatically \u2014 and we\u2019ll address those items in a minute. But first, let\u2019s talk about the advantages of Chrome using HTTPS by default.<\/p>\n\n\n\n Google\u2019s move to using HTTPS as the default method for loading websites is good because it assumes that most sites are using SSL\/TLS (which they are). Will this have a big or negative impact for loading sites that aren\u2019t using SSL\/TLS certificates? Nope. Those sites will still load \u2014 it\u2019s just that the browser is going to try loading them using HTTPS first. Then, when that fails, it\u2019ll fall back to using HTTP to load the site.<\/p>\n\n\n\n I think Google\u2019s likely doing this for a few key reasons:<\/p>\n\n\n\n This move by the tech giant is a positive one that benefits everyone except the cybercriminals who want to exploit us. <\/p>\n\n\n<\/span><\/span>\n\n\n Cybercriminals use man-in-the-middle attacks<\/a> to intercept data while it\u2019s in transit between users\u2019 browsers and your web server. When data transmits via HTTP, it\u2019s moving in plaintext format that bad guys can intercept, read, modify or steal. Depending on the types of data they get their hands on, bad guys can use this information to carry out identity theft, financial fraud, or a variety of other cybercrimes.<\/p>\n\n\n\n But when you use HTTPS, you\u2019re protecting that data using encryption so that no one but your intended party can access the readable information. You\u2019re also asserting your organizational identity as well at the beginning of the connection so that users\u2019 clients know that they\u2019re connecting to your legitimate site. Here\u2019s a quick look at what HTTPS does:<\/p>\n\n\n\n We\u2019re not going to get into all of the details about HTTPS here. (That\u2019s another big topic!) If you want to read more about how HTTPS works<\/a> from a technical perspective, check out my colleague\u2019s blog that really dives in on the topic.<\/p>\n\n\n\n By opting to load websites first using the secure scheme right off the bat, Chrome eliminates an unnecessary step for HTTPS-enabled websites \u2014 waiting for the server to redirect from HTTP to HTTPS. Using HTTPS to load HTTPS-enabled sites results in faster initial load speeds, which makes for a better user experience.<\/p>\n\n\n\n Now, what does this mean for websites that don\u2019t yet support HTTPS? The browser will try to load the website using HTTPS by default. But when that doesn\u2019t work, it will redirect back to HTTP. This process will kick in regardless of why HTTPS connection failed \u2014 no SSL\/TLS certificate installed on your website, server misconfigurations, or other issues throwing up SSL certificate errors.<\/p>\n\n\n\n It\u2019s important to note that Google isn\u2019t implementing this HTTPS-by-default move unilaterally; they\u2019ll do it in most but not all cases. In some situations, the browser will still default to use HTTP when loading specific items:<\/p>\n\n\n\n In the case of the first two items, they\u2019re not public parts of the internet as they exist on your local network and on your computer, respectively. As such, they wouldn\u2019t have publicly trusted SSL certificates \u2014 only self-signed or private SSL certificates, which wouldn\u2019t matter here since they wouldn\u2019t be trusted by default anyhow. And while IP addresses can be secured using SSL\/TLS certificates, it\u2019s infrequently done and some CAs don\u2019t issue certificates for IP addresses.<\/p>\n\n\n\n But what if you want to redirect Google and other major browsers to always load your public-facing website using HTTPS (even if the http:\/\/ protocol is provided in the link or user input)? There are a few ways you can do that.<\/p>\n\n\n\n Of course, Google\u2019s update isn\u2019t the only way to use HTTPS for all of your site\u2019s incoming traffic. If you have a valid and properly configured SSL\/TLS certificate installed on your server, then there are a few ways you\u2019ve been able to achieve this:<\/p>\n\n\n\n You can configure your web server to automatically redirect all HTTP URLs to the same URL but using HTTPS instead. This is a simple, foolproof way to ensure that users end up on the HTTPS version of your website.<\/p>\n\n\n\n HTTP strict transport security<\/a>, or HSTS for short, is another way that site owners can force browsers to use secure HTTPS connections to load their websites. When a browser visits an HSTS-enabled site for the first time, it will receive the header information and know that it has to load the site using a secure, encrypted connection.<\/p>\n\n\n\n Historically, this presented a big catch-22. In order for a client to know it\u2019s always supposed to connect using a secure connection, it first must download the header. But for the site to download the header, it first has to connect using an insecure connection. Thankfully, there\u2019s a way to avoid this issue\u2026<\/p>\n\n\n\n The HSTS preload list is a record of preloaded websites that tells browsers which sites use HSTS. All major browsers, including Chrome, consult this list when loading websites for the first time. And since they know ahead of time that specific sites have HSTS enabled, then they know to only make secure connections with those sites.<\/p>\n\n\n\n Last year, the U.S. government announced<\/a> its intention to start adding new .gov domains to the HSTS preload list<\/a> starting in September 2020. <\/p>\n\n\n\n But what if you don\u2019t have an SSL\/TLS enabled on your site? If your site doesn\u2019t have an SSL\/TLS certificate yet, then now\u2019s a great time to get one. In addition to securing your data, business and extended validation SSL\/TLS certificates also help you assert your site’s organizational identity. This lets users know your site is legitimate and that they can trust it with their sensitive data.<\/p>\n\n\n\n And since Chrome is defaulting to loading almost all websites via HTTPS in version 90, it means that sites using HTTP will load slower because they\u2019ll require a redirect from HTTPS to HTTP.<\/p>\n\n\n\n Techradar reports<\/a> that Google tested this functionality with select Chrome Beta users via their version 89 update, which rolled out earlier this year. However, Google\u2019s Chrome Platform Status page<\/a> says that the \u201cstable\u201d (full) version of Chrome 90 was expected to roll out to the public on Tuesday, April 13, 2021. (The Chrome Beta 90 is available for Windows and Android users.) However, this was delayed, according to Google Developer Advocate Pete LePage, who says it should be out “shortly”:<\/p>\n\n\n\n I was getting ready to publish this article yesterday (April 15) to state that the update still hadn\u2019t rolled out. I checked the browser first thing and saw there was no update available to my version 89 Chrome. So, I updated the article draft. But just before I was going to press the \u201cPublish\u201d button, I decided to check the browser again and, low and behold, my Chrome browser updated then to version 90. Great! So, I decided to try testing the functionality to make sure it would load websites using HTTPS by default. <\/p>\n\n\n\n The interesting part, though, is that the HTTPS functionality update didn\u2019t seem to roll out with it (or, at least, it didn’t appear to be enabled). So, I tested multiple websites by manually typing in a few domains without specifying \u201cHTTPS\u201d and they still loaded using the insecure HTTP protocol automatically (although there are HTTPS versions of those sites available when you specify “HTTPS” when manually typing those URLs). I asked a couple of colleagues to test some URLs as well in their Chrome 90 browsers and they had the same results: it defaults to HTTP instead of HTTPS.<\/p>\n\n\n\n Here are two examples that I tested:<\/p>\n\n\n\n This led me to send a follow-up tweet to Chromium and Pete Le Page to ask when we can expect to see the HTTPS-by-default functionality roll out, assuming that there might be a delay in rolling out specific functions for some reason. However, I\u2019ve not yet heard back:<\/p>\n\n\n\n So, Chrome 90 is now available, but the HTTPS-by-default feature may or may not be active in your individual browser at this time. Guess we\u2019ll just have to wait and see if they enable that function soon as the 90 update rolls out to more users. And, of course, if I hear back from either the Chromium Developer team or Pete LePage, I’ll go ahead and update this article to reflect their responses. <\/p>\n\n\n\nIs Chrome Forcing HTTPS? Not Exactly\u2026<\/h2>\n\n\n\n
![\"\"](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/03\/not-secure-warning-web-address-bar.png\")
Why This Move to HTTPS as a Default Matters<\/h2>\n\n\n\n
\n
Defaulting to HTTPS Automatically Improves Site Security and User Data Privacy<\/h3>\n\n\n\n
![\"\"](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/04\/what-https-does-outline.png\")
Connecting via HTTPS Automatically Improves Site Load Speeds<\/h3>\n\n\n\n
Of Course, There Are Exceptions to the Rule\u2026<\/h2>\n\n\n\n
\n
How to Tell Clients to Load Your Website Using HTTPS By Default<\/h3>\n\n\n\n
Via URL Redirect<\/h4>\n\n\n\n
Employing HSTS in Your Site\u2019s Header<\/h4>\n\n\n\n
Adding Your Site to the HSTS Preload List<\/h4>\n\n\n\n
When Will the Chrome HTTPS Update Roll Out?<\/h2>\n\n\n\n
![\"A](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/04\/chrome-90-https-update-delay-twitter-1-640x1024.png\")
![\"A](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/04\/myshopify-side-by-side-comparison-http-vs-https2.jpg\")
![\"Another](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/04\/gnu-http-vs-https2-1024x89.jpg\")
![\"A](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/04\/chrome-90-https-update-delay-twitter-follow-up-1.png\")