Android Police

HTTP

Chrome will nag you to stop visiting sites without HTTPS

Full-page warnings incoming for HTTP websites in Chrome 94

We may not like everything Google plans for its browser and the open web (FLoC, Manifest v3, and Chromium's dominance come to mind), but there's one thing everyone can agree on: Staying secure on the web is always important. Google and other browser makers have long been pushing web hosts and website owners to use the encrypted, more secure HTTPS standard over HTTP, and they've already managed to win more than 90% of regularly visited websites over. To get hold of the rest, Google wants to make HTTP sites an even less appealing place to visit starting in Chrome 94, slated to arrive in September.

After years of propping up widespread adoption of the protocol, Google will release Chrome 90 as the first version of the web browser to transmit data to and from sites using HTTPS instead of HTTP by default.

After a short rollout delay, Chrome 79 is now widely available on desktop and mobile platforms. That means Chrome 80 has moved up to the beta channel, and while there are a few new features, there are far more removed features. Let's dive right in!

HTTPS has largely replaced its less secure predecessor HTTP as the default choice for sending resources over the internet. The key difference between the two is that HTTPS transmits data using an encrypted connection, while data loaded over HTTP is not. Google began marking all sites still utilizing HTTP connections as 'Not Secure' with the release of Chrome 68 last year, and today, Google announced additional plans to inform users when sites utilize an insecure connection. With these latest changes, the Chrome team hopes to address the problem of mixed content.

Earlier this year, the team behind Chrome stated that all HTTP pages will be marked as 'Not secure' later on this year, in a bid to encourage even more site owners to move to the more secure HTTPS standard. We now know a little bit more about planned changes to Chrome's security indicators, including how HTTPS pages will be shown as default pages going forward.

As anyone who uses apps that allow for fingerprint authentication will know, the UI for each app's prompt can differ wildly. Android P will attempt to combat this by providing a new API. Additionally, Google will be blocking cleartext (unencrypted HTTP) by default for apps that use Network Security Configurations.

Google has been planning to mark all HTTP sites as non-secure in Chrome for a while now, but the company is taking baby steps to ensure users (and owners of HTTP-only sites) don't freak out. Chrome already identifies HTTP sites with password or credit card fields as "Not Secure" in the address bar, and Chrome 62 will expand that to any HTTP site with any data entry fields.

Ever noticed how your Android Downloads folder easily gets cluttered with useless files and documents that you viewed once and never needed again? This is especially true of PDF files since Chrome can't open them natively and thus hands them over to other applications, the default being Google Drive's PDF viewer. Well, I noticed a strange thing recently: sometimes PDF files would just load in Drive directly and it seemed that my phone's Downloads folder clutter wasn't getting out of hand as fast as it used to. Some investigation was in order.

Just last week, Google announced plans to remove SPDY support from its open source Chromium project early next year, and it would be replaced by the not-yet-official HTTP/2 protocol. Today, the Internet Engineering Steering Group (IESG), the managing component of the Internet Engineering Task Force (IETF), announced that the HTTP/2 and HPACK specs have been formally approved and are on the way to becoming official standards.

If you're the type of person that closely follows networking protocols and web server optimizations, you've probably heard of SPDY. This is Google's re-imagining of the HTTP protocol, designed to reduce latency, streamline data flow, and generally speed up data transmission from a server to your browser. Well, you can forget about it. Google is about to kill SPDY, but for a good reason. The Internet Engineering Task Force (IETF) is getting close to finalizing a major revision to the HTTP protocol, dubbed HTTP/2. The new version, which Google made many significant contributions to, almost completely mirrors the feature set offered by SPDY, including things like multiplexing, header compression, prioritization, and protocol negotiation. Since HTTP/2 will be an official open standard, there's no reason to keep SPDY around anymore.