Google Chrome address bar may soon default to HTTPS

Kyle Bradshaw | Jan 11 2021 - 2:18 pm PT

Google Chrome will soon have an experiment that will automatically try to connect to the HTTPS versions of website URLs that you type into the address bar instead of the insecure HTTP version.

For years now, HTTPS has steadily grown from being a way of feeling secure about a particular site into being the expected minimum for a website. It’s gotten to the point that instead of Chrome showing “Secure” when you’re on an HTTPS site, it instead displays “Not Secure” when on a standard HTTP website.

With HTTPS becoming the effective default, Google Chrome’s address bar has gone on since then to hide parts of the URL that aren’t relevant for the average person browsing the web — things like www., http://, and https://. This lack of distinction has lead to an increase in the number of people who will simply type a URL like “9to5google.com” into their address bar and hit enter.

As you would expect, Chrome is more than able to figure out where you’re trying to go, but perhaps not in the way you might expect. The first time that you browse to a particular website in this way, Chrome will try the Not Secure version of the URL — such as http://9to5google.com — and at that point, most websites that have a secure version will redirect you to the secure https:// URL. Chrome will then save whether or not that HTTPS redirect happened and remember for next time to jump straight to the https:// URL.

In the next few months, it seems Google is intending to flip the priorities of Chrome’s address bar, according to a new flag being added to chrome://flags, as well as an associated post on the issue tracker.

Omnibox – Use HTTPS as the default protocol for navigations
Use HTTPS as the default protocol when the user types a URL without a protocol in the omnibox such as ‘example.com’. Presently, such an entry navigates to http://example.com. When this feature is enabled, it will navigate to https://example.com if the HTTPS URL is available. If Chrome can’t determine the availability of the HTTPS URL within the timeout, it will fall back to the HTTP URL.
#omnibox-default-typed-navigations-to-https

From what we can see in the description and related code, Google Chrome will first attempt to connect to the HTTPS version of any URL you type into the address bar. If the site doesn’t offer HTTPS — such as a test site like NeverSSL — Chrome will give up after either 3 seconds or 10 seconds and connect to the site via HTTP instead.

Overall, this seems like a change that is long overdue. Thanks to efforts like Let’s Encrypt that make HTTPS simple for even the most inexperienced of web developers, there’s really no reason browsers like Chrome shouldn’t try to connect through HTTPS first.

As the flag is only just now appearing in the Chromium code, it’s not likely to appear in stable Chrome until version 89 or 90, due in March and April, respectively. Even then, it will likely be a few more months before the Google Chrome address bar defaults to https:// urls without needing to use the above Chrome flag.