
Google engineers have been among the most ardent promoters of browser security features over the past few years and, along with the teams behind the Firefox and Tor browsers, have often been behind many of the changes that have shaped browsers into what they are today.
From groundbreaking features such as Site Isolation to behind-the-scenes work at the CA/B Forum to improve the state of the TLS certificate industry, we are all very grateful to the Chrome team.
But one of the biggest areas of interest for Chrome engineers over the past few years has been to encourage and promote the use of HTTPS, both within their browser and among website owners.
As part of these efforts, Chrome is now trying to upgrade websites from HTTP to HTTPS when HTTPS is available.
Chrome also warns users when they are about to enter passwords or payment card data on insecure HTTP pages, from which the data can be sent across a network in plain text.
And Chrome also blocks downloads from HTTP resources if the URL of the page is HTTPS, to prevent users from being misled into thinking that their download is secure when it actually is not.
Chrome omnibox changes coming in v90
But even though about 82% of all sites run on HTTPS, these efforts are far from over. The latest of these HTTPS-first changes will appear in Chrome 90, which is expected to be released in mid-April this year.
The change will affect the Chrome omnibox – the name that Google uses to describe the Chrome address (URL) bar.
In current versions, when users type a link in the Omnibox, Chrome loads the typed link, regardless of the protocol. But if users forget to type the protocol, Chrome will add “http://” in front of the text and try to load the domain via HTTP.
For example, if you type something like “domain.com” into current versions of Chrome, the browser loads “http://domain.com”.
According to Chrome security engineer Emily Stark, this will change in Chrome 90. From v90, the Omnibox will load all domains where the protocol was omitted via HTTPS, using the “https://” prefix.
“Currently, the plan is to run an experiment for a small percentage of users in Chrome 89 and start in full in Chrome 90, if all goes according to plan,” Stark explained on Twitter this week.
Users who want to test the new mechanism can already do so in Chrome Canary. They can visit the following Chrome flag and enable the feature:
chrome://flags/#omnibox-default-typed-navigations-to-https