{"id":39762,"date":"2021-02-26T18:36:35","date_gmt":"2021-02-26T18:36:35","guid":{"rendered":"http:\/\/495c4e94-1bcd-4065-bd99-63b46b4a22f3"},"modified":"2021-02-26T18:36:35","modified_gmt":"2021-02-26T18:36:35","slug":"chrome-will-soon-try-https-first-when-you-type-an-incomplete-url","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/chrome-will-soon-try-https-first-when-you-type-an-incomplete-url\/","title":{"rendered":"Chrome will soon try HTTPS first when you type an incomplete URL"},"content":{"rendered":"
\"Chrome\"<\/span>
<\/span> Image: Google <\/span><\/figcaption><\/figure>\n

Google engineers have been some of the most ardent promoters of browser security features over the past few years and, together with the teams behind the Firefox and Tor browsers, have often been behind many of the changes that have shaped browsers into what they are today.<\/p>\n

From pioneering features like Site Isolation<\/a> and working behind the scenes at the CA\/B Forum to improve the state of the TLS certificate business, we all owe a great deal of gratitude to the Chrome team.<\/p>\n

But one of the biggest areas of interest for Chrome engineers over the past few years has been in pushing and promoting the use of HTTPS, both inside their browser, but also among website owners.<\/p>\n

As part of these efforts, Chrome now tries to upgrade sites from HTTP to HTTPS when HTTPS is available.<\/p>\n

Chrome also warns users when they’re about to enter passwords or payment card data on unsecured HTTP pages, from where they might be sent across a network in plaintext.<\/p>\n

And Chrome also blocks downloads from HTTP sources if the page URL is HTTPS \u2014to avoid users getting tricked into thinking their download is secured but actually not.<\/p>\n

Changes to the Chrome Omnibox arriving in v90<\/h3>\n

But even if around 82% of all internet sites<\/a> run on HTTPS, these efforts are far from done. The latest of these HTTPS-first changes will arrive in Chrome 90, scheduled to be released in mid-April, this year.<\/p>\n

<\/section>\n

The change will impact the Chrome Omnibox \u2014the name Google uses to describe the Chrome address (URL) bar.<\/p>\n

In current versions, when users type a link in the Omnibox, Chrome will load the typed link, regardless of protocol. But if users forget to type the protocol, Chrome will add “http:\/\/” in front of the text and attempt to load the domain via HTTP.<\/p>\n

For example, typing something like “domain.com” in current Chrome installs loads “http:\/\/domain.com.”<\/p>\n

This will change in Chrome 90, according to Chrome security engineer Emily Stark. Starting with v90, the Omnibox will load all domains where the domain was left out via HTTPS, with an “https:\/\/” prefix instead.<\/p>\n

“Currently, the plan is to run as an experiment for a small percentage of users in Chrome 89, and launch fully in Chrome 90, if all goes according to plan,” Stark explained on Twitter this week<\/a>.<\/p>\n

Users who’d like to test the new mechanism can do so already in Chrome Canary. They can visit the following Chrome flag and enable the feature:<\/p>\n

chrome:\/\/flags\/#omnibox-default-typed-navigations-to-https<\/em><\/strong><\/p>\n

\"chrome-flags-entry.png\"<\/span>