Google to Default Chrome to HTTPS ... Finally


When Google starts preaching security, it’s usually about control. The latest sermon from the Google Security Blog announces that Chrome will soon upgrade all navigations to HTTPS by default, automatically redirecting users away from insecure HTTP.

One year from now, with the release of Chrome 154 in October 2026, we will change the default settings of Chrome to enable “Always Use Secure Connections”. This means Chrome will ask for the user's permission before the first access to any public site without HTTPS.

For those who remember, Google first caught the HTTPS spirit around 2014. Gosh, it was right after reports surfaced that some ISPs were throttling YouTube and even injecting their own ads into live webpages. To webmasters, HTTPS wasn’t just about privacy or security; it was about Google locking down the delivery pipeline so no one but Google could monetize or monitor traffic.

That said, there was certainly merit to Google's position, as live injection attacks were running in the wild. Whether Google's HTTPS epiphany was due to real-world realities or was simply a convenient happenstance, it is clearly here to stay.

And A Decade Later, Here We Are Again

Chrome already “auto-upgrades” many HTTP requests to HTTPS, but now Google says the behavior will become the universal default. That means if your site still runs on plain HTTP (you're reading here, so of course it doesn't), visitors using Chrome will automatically try https:// first, and if your SSL setup fails, they’ll hit an error screen instead of your homepage. Most webmasters will be shocked to realize that it hasn't been that way forever now, right?

Does It Even Matter Any More for Site Owners?

  • Forced upgrades: Even if your site never explicitly links to HTTPS, Chrome will assume it’s there.
  • SEO implications: Google has long given HTTPS pages preference in rankings. Now insecure sites risk vanishing entirely from users’ reach.
  • Legacy systems: Embedded assets (CDNs, images, APIs) still using HTTP may stop loading correctly.
  • Affiliate redirects and trackers: Older systems that don’t support HTTPS could start silently failing.

Here is an Apache .htaccess snippet to force all users to HTTPS (including bots):

RewriteEngine On
# if HTTPS is not on then redirect
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

The Irony of “Security for All”

Back in the day, the HTTPS push was framed as “protecting users from snooping ISPs.” In practice, it helped centralize control over the ad ecosystem, limiting what network operators could see or modify. Now, in an era where Chrome, YouTube, and Ads are more tightly integrated than ever, this new HTTPS-by-default move ensures Google sits in the middle of nearly all encrypted traffic on the open web.

What Webmasters Should Do (Well, Duh)

  1. Force HTTPS at the server level (use 301 redirects, not JavaScript; see the .htaccess snippet above).
  2. Update hardcoded links and sitemaps to HTTPS.
  3. Double-check canonical tags and hreflang: these must match the final protocol.
  4. Reissue SSL certificates if any domains or subdomains were missed.
  5. Use a sitewide crawl tool (like Screaming Frog or Ahrefs) to catch mixed-content errors before Chrome does.
  6. Run a crawler against all of your site to make sure you don't have stray HTTP connections happening.
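
An added example (not from the original post or from any tool it names): a small Python audit of one page's HTML that covers items 2, 3 and 5 above by flagging own-host links, canonical and hreflang tags, and subresources that still use http://. The host www.example.com and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Tags whose src attribute loads a subresource into the page.
SRC_TAGS = {"script", "img", "iframe", "audio", "video", "source", "embed"}

class HttpsAudit(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host, self.findings = site_host.lower(), []

    def _check(self, kind, url):
        # urlsplit lowercases the scheme, so "HTTP://" is caught too.
        if urlsplit(url.strip()).scheme == "http":
            self.findings.append((kind, url.strip()))

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        rel, href = a.get("rel", "").lower().split(), a.get("href", "")
        if tag in SRC_TAGS:
            self._check("mixed-content", a.get("src", ""))
        elif tag == "link" and "stylesheet" in rel:
            self._check("mixed-content", href)
        elif tag == "link" and "canonical" in rel:
            self._check("canonical", href)
        elif tag == "link" and "alternate" in rel and "hreflang" in a:
            self._check("hreflang", href)
        elif tag == "a" and urlsplit(href.strip()).hostname == self.site_host:
            # Own-host links only: third-party HTTP sites are not ours to fix.
            self._check("hardcoded-link", href)

def audit(html, site_host):
    parser = HttpsAudit(site_host)
    parser.feed(html)
    return parser.findings

# Constructed sample page for the hypothetical site www.example.com.
SAMPLE = """<html><head>
<link rel="canonical" href="http://www.example.com/widgets">
<link rel="alternate" hreflang="de" href="https://www.example.com/de/widgets">
<link rel="stylesheet" href="//cdn.example.net/site.css">
<script src="http://cdn.example.net/legacy.js"></script>
</head><body>
<img src="/img/logo.png"><img src="HTTP://static.example.com/banner.png">
<a href="http://www.example.com/contact">Contact</a>
<a href="http://other.example.org/">Elsewhere</a>
</body></html>"""

if __name__ == "__main__":
    print(*audit(SAMPLE, "www.example.com"), sep="\n")
```

Relative and protocol-relative URLs inherit the page's scheme, so they are not reported; only explicit http:// references are.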