
With the constant security threats we face while browsing the Internet each day, it pays to lock things down as much as possible. With that in mind, how does one force Google Chrome to use HTTPS whenever possible? Today's SuperUser Q&A post discusses some solutions to help a security-conscious reader get HTTPS satisfaction.

Today’s Question & Answer session comes to us courtesy of SuperUser—a subdivision of Stack Exchange, a community-driven grouping of Q&A web sites.

The Question

SuperUser reader kiewic wants to know how to force Google Chrome to always use HTTPS instead of HTTP whenever possible:

Many websites offer both versions (HTTPS and HTTP) like https://stackoverflow.com and http://stackoverflow.com for instance.

Is there any way to force Google Chrome to always try for HTTPS first before HTTP when typing something like stackoverflow.com in the address bar?

How do you force Google Chrome to always use HTTPS instead of HTTP whenever possible?

The Answer

SuperUser contributors paradroid and Omar have the answer for us. First up, paradroid:

You could try the HTTPS Everywhere extension for Google Chrome. (Note From the Editor: We recommend HTTPS Everywhere if you want to be sure HTTPS is enabled everywhere it's available. This extension is less necessary than it was a few years ago, however, as more and more sites have enabled HTTPS by default.)

Followed by the answer from Omar:

Force HTTPS in Google Chrome

Google is one of the more aggressive companies pushing to make this happen. Here are several ways you can force HTTPS in Chrome to ensure your browsing is as safe as possible.

Start Google Chrome with HTTPS

Enable Google Chrome support by typing chrome://net-internals/ into your address bar, then select HSTS from the drop-down menu. HSTS is HTTPS Strict Transport Security, a way for websites to elect to always use HTTPS. Using this setting, you can now force HTTPS for any domain you want and even “pin” the domain so that only a more trusted subset of CAs are permitted to identify that domain. The downside is that if you force a domain that does not have SSL at all, you will not be able to access the website.

HTTP Strict Transport Security (The Chromium Projects) (Note From the Editor: You can no longer change this option yourself in Chrome. Website owners can still enable HSTS for their websites.)

Force HTTPS with the KB SSL Enforcer Extension

This extension will force HTTPS in Google Chrome for websites that support it. Keep in mind that it is not completely secure against the infamous Firesheep, but it does minimize the risk greatly. Due to Google Chrome's limitations, the KB SSL Enforcer extension redirects the page while it is loading. You will see a quick flicker of the unencrypted page, but it redirects you as fast as possible.

KB SSL Enforcer Extension Homepage

Use HTTPS Extension to Force HTTPS in Google Chrome

The Use HTTPS extension will force defined sites to use HTTPS instead of HTTP. It comes preloaded with two defined sites: Facebook and Twitter. Like the previous extension, the initial request is sent to websites not using HTTPS.

Use HTTPS Extension Homepage (Note From the Editor: This extension is no longer available.)

