Tag: security policy

  • HTTPS by Default: Chrome to Force Encrypted Connections on Public Sites in 2026

    As early as 2026, Google Chrome will adopt a new security policy, requiring HTTPS connections by default when accessing public websites. Google announced that with the release of version 154, scheduled for October next year, the “Always use secure connections” option will become the standard setting. Accessing pages without HTTPS will trigger a warning and a confirmation prompt—though only upon a user’s first visit to an unencrypted site. Subsequent visits to the same HTTP domain will no longer display repeated alerts, thereby minimizing unnecessary user frustration.

    Google emphasizes that the threat posed by HTTP connections is far from theoretical. Tools for intercepting and manipulating traffic are widely available, and vulnerabilities in unencrypted transmissions have already been exploited for attacks ranging from malware injection to social engineering. Even a single HTTP request can expose a device to compromise, particularly when the page loads external resources without encryption. In Chrome, such connections often go unnoticed, as an HTTP site may immediately redirect the user to HTTPS before the browser can display a warning.

    The forced HTTPS feature has long existed as an optional setting, first introduced in 2022. When enabled, Chrome automatically attempts to load every page via HTTPS and displays a dismissible warning if an encrypted version is unavailable. Until now, this setting remained optional, but it will soon become the default behavior—applying exclusively to public resources. Private addresses, such as IP-based devices within home networks or intranet links, will be exempt from this policy.

    The distinction between public and private sites proved to be a crucial design decision, easing the burden on everyday users. Internal Chrome 141 experiments revealed that most users encounter HTTPS warnings no more than once per week, with 95% of participants seeing them fewer than three times over the same period.

    The majority of HTTP traffic originates from private addresses, which cannot easily transition to HTTPS due to the absence of a unique owner capable of obtaining a certificate. Such connections pose comparatively lower risks, as attackers must reside within the same local network to exploit them.

    For users who frequently interact with internal services and prefer fewer interruptions, Chrome will offer a lightweight mode—where HTTPS enforcement applies solely to public websites. This will become the default configuration starting with Chrome 154, following an initial rollout in April 2026 (version 147) for users already enrolled in Chrome’s Enhanced Protection program.
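As an added illustration, not Chrome's code and not from the article, the following Python simulation models the policy described above: warn once per public HTTP host, stay silent on later visits, and exempt private addresses entirely. The concrete private-host rules (RFC 1918, loopback and link-local IPs, `localhost`, single-label intranet names, `.local`/`.internal` suffixes) are my assumption; the article only mentions IP-based home devices and intranet links.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed suffixes treated as non-public; the article does not give Chrome's actual list.
PRIVATE_HOST_SUFFIXES = (".local", ".localhost", ".internal")


def is_private_host(host: str) -> bool:
    """Return True if the host looks like a local/intranet target exempt from warnings."""
    host = host.strip("[]").lower().rstrip(".")
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
        return ip.is_private or ip.is_loopback or ip.is_link_local
    except ValueError:
        pass  # not an IP literal, fall through to hostname heuristics
    if "." not in host:  # single-label intranet name such as "wiki"
        return True
    return host.endswith(PRIVATE_HOST_SUFFIXES)


class HttpsFirstPolicy:
    """Simulates the 'public sites only' mode: warn once per public HTTP host."""

    def __init__(self):
        self._acknowledged = set()  # hosts the user has already clicked through

    def decide(self, url: str) -> str:
        """Return 'warn' if a first-visit interstitial would be shown, else 'allow'."""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return "allow"  # HTTPS (or non-web schemes) never trigger the warning
        host = parts.hostname or ""
        if is_private_host(host):
            return "allow"  # private addresses are exempt in this mode
        if host in self._acknowledged:
            return "allow"  # warning is shown only on the first visit to the host
        return "warn"

    def acknowledge(self, url: str) -> None:
        """Record that the user confirmed the warning for this host."""
        self._acknowledged.add(urlsplit(url).hostname or "")
```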

    To facilitate the transition, Google has begun reaching out to site owners still operating over HTTP, including those that silently redirect to HTTPS pages. Migrating to HTTPS in such cases requires minimal effort, yet has often been overlooked.

    In parallel, Google continues to refine mechanisms for secure access to local devices—for example, through permissions that allow HTTPS sites to send requests to local IPs without being blocked for “mixed content.” This could simplify the migration of internal portals to the encrypted protocol as well.

    The Chrome Security Team expects that automatically enforcing HTTPS connections will significantly strengthen user protection. Looking ahead, developers plan to further lower the barriers to obtaining certificates, even within local networks, thereby expanding coverage and closing the remaining gaps in the browser’s security model.

  • Microsoft Restricts China’s Access to Vulnerability Data After Suspected Leaks

    Microsoft has restricted Chinese companies’ access to early notifications about vulnerabilities in its products. The decision follows an internal investigation into potential leaks from the Microsoft Active Protections Program (MAPP), a system designed to share details of security flaws with trusted partners ahead of official patch releases. Suspicion arose in the wake of large-scale attacks on SharePoint servers, during which China-linked threat actors compromised more than 400 government agencies and corporations, including the U.S. National Nuclear Security Administration.

    According to Microsoft spokesperson David Cuddy, new restrictions will now apply to MAPP participants in countries where companies are legally obliged to report vulnerabilities to government agencies. This includes China, where a 2021 law requires disclosures of cybersecurity issues to the Ministry of Industry and Information Technology within 48 hours. Previously, such partners received technical details and proof-of-concept code a full day before security updates were published. Going forward, they will instead receive only brief written descriptions of vulnerabilities, and only at the same time as official updates are released.

    Microsoft emphasized that any partners found violating program rules or engaging in offensive cyber operations are removed from MAPP. The company did not disclose the outcome of its investigation into the SharePoint-related leaks, noting only that multiple scenarios are being considered.

    Concerns about Chinese participants in MAPP are not new. As far back as 2012, Microsoft accused Hangzhou DPtech Technologies of violating non-disclosure agreements, and in 2021 suspected two Chinese partners of leaking details about Exchange Server vulnerabilities, which subsequently fueled a global attack attributed to the Hafnium group.

    The Chinese embassy in Washington stated that it was unfamiliar with the details of either the investigation or the new restrictions but stressed that cyberthreats are a shared global challenge requiring joint efforts. At the same time, Chinese officials reiterated their opposition to any accusations of cyberattacks.

    Microsoft also confirmed for the first time the closure of its transparency centers in China, where government officials had previously been allowed to review the source code of Windows and other technologies to verify the absence of surveillance backdoors. According to Cuddy, these centers “have long been closed,” and no visits had taken place since 2019.

    American analysts have largely welcomed the stricter rules. SentinelOne described Microsoft’s move as justified, pointing out that Chinese companies in MAPP cannot disregard the interests of their government. Analysts also noted that, given the unprecedented scrutiny of Chinese cyber operations, Microsoft had little choice but to act decisively.

    The issue drew further attention after a report by the Tech Integrity Project, which claimed that some Chinese Microsoft partners were working on the campus of the National Cybersecurity Center in Wuhan alongside entities linked to China’s Ministry of State Security. Microsoft firmly denied any involvement with this center.

    In effect, Microsoft is abandoning its earlier posture of trust toward certain foreign partners, curtailing the scope of vulnerability data it shares and tightening oversight of its distribution—an approach that underscores growing concerns over global cybersecurity risks.