Chrome’s HTTP Warning: Why the Delay Until 2026?
I’ll admit, I was surprised to learn that Google Chrome still doesn’t warn users before opening HTTP sites. As a Safari user, I’ve been seeing these warnings for years. What’s even more surprising is that Chrome won’t implement this change until October 2026 with the release of Chrome 154. That’s a long wait for a feature that feels like table stakes in 2025.
Sure, I still stumble across the occasional HTTP site — usually a local pizzeria menu — but 98% of websites in the U.S. already use HTTPS. With free SSL/TLS certificates available from providers like Let’s Encrypt, the remaining 2% really don’t have an excuse. So why delay protecting users from the risks of HTTP?
Why HTTP Is Dangerous
HTTP leaves all traffic in plain text. That means:
- Login credentials, session cookies, and personal data can be intercepted. 
- Attackers can launch man‑in‑the‑middle (MITM) attacks, snooping on or altering communications. 
- Users may unknowingly expose sensitive information on unsecured networks, especially public Wi‑Fi. 
In short: HTTP is a playground for attackers.
Why HTTPS Is Important
HTTPS (Hypertext Transfer Protocol Secure) adds encryption and authentication to standard web traffic. It ensures that:
- Data exchanged between your browser and the server is encrypted, making it unreadable to third parties. 
- The website’s identity is verified through a trusted certificate authority. 
- Users can trust that their connection hasn’t been tampered with in transit. 
Beyond security, HTTPS also improves SEO rankings, enables modern browser features, and builds user trust — critical for e‑commerce and any site handling personal data.
But HTTPS Isn’t a Free Pass
Even with HTTPS, users should remain vigilant:
- Check the URL carefully — attackers can mimic well‑known domains with subtle typos. 
- Look for a valid certificate — click the padlock to confirm it’s up‑to‑date and issued to the correct domain. 
- Be cautious on payment pages — if something looks off, don’t enter your details. 
- Watch for redirects — HTTPS doesn’t stop attackers from sending you to a malicious site. 
HTTPS is the baseline for security, not the finish line.
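The URL and redirect checks from the list above can be automated when reviewing where a link actually leads. The sketch below is an added example, not part of the original post: it audits a recorded redirect chain for plaintext hops, HTTPS-to-HTTP downgrades, and hosts that leave the expected site or sit within a typo's distance of it. The function names, the edit-distance threshold of 2, and the `.test` sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss (typo) hostnames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def site(host):
    """Naive registrable domain: the last two labels (assumption; production
    code should consult the Public Suffix List instead)."""
    return ".".join(host.lower().split(".")[-2:])

def audit_chain(chain, expected_site):
    """Return (hop_index, finding) tuples for URLs visited in order."""
    findings = []
    prev_scheme = None
    for i, url in enumerate(chain):
        parts = urlsplit(url)
        if parts.scheme == "http":
            # A hop served without TLS can be read or rewritten in transit.
            kind = "downgrade-to-http" if prev_scheme == "https" else "plaintext-hop"
            findings.append((i, kind))
        hop_site = site(parts.hostname or "")
        if hop_site != expected_site:
            # Threshold of 2 edits is an assumption; tune it for your domains.
            close = edit_distance(hop_site, expected_site) <= 2
            findings.append((i, "lookalike-domain" if close else "off-site-redirect"))
        prev_scheme = parts.scheme
    return findings

# Constructed sample chains (reserved .test names, not real sites).
CLEAN = ["http://shop.example.test/",
         "https://shop.example.test/",
         "https://shop.example.test/login"]
SUSPECT = ["https://shop.example.test/pay",
           "http://cdn.example.test/r?u=1",
           "https://pay.examp1e.test/checkout"]

if __name__ == "__main__":
    for name, chain in (("CLEAN", CLEAN), ("SUSPECT", SUSPECT)):
        print(name, audit_chain(chain, "example.test"))
```

Even the clean chain reports its first hop as plaintext: the initial `http://` request happens before the upgrade to HTTPS, which is the window a browser warning is meant to cover.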
Final Thought
It’s puzzling that Chrome is waiting until 2026 to roll out a feature Safari and other browsers have had for years. With nearly universal HTTPS adoption, there’s little reason to delay. Until then, users should stay alert: if you see “http://” instead of “https://,” think twice before entering sensitive information.
👉 At Actionable Security, you can request a FREE Attack Surface Snapshot to make sure HTTP — and other hidden vulnerabilities — aren’t lurking in your environment. Don’t wait until 2026 to find out where you’re exposed.