Sun, Jul 12, 2026NY 5:55 PM EDTLA 2:55 PM PDTLON 10:55 PM GMT+1DXB 1:55 AM GMT+4TOK 6:55 AM GMT+9SYD 7:55 AM GMT+10UTC 9:55 PM UTCBTC market check delayedETH CoinGecko source
Strangely Useful

Practical guides for apps, money, security, and everyday tech problems.

Start: payment fixFake supportMoney hubTopicsVerification
Sections
Latest storiesTopicsMoney & ChargesSearchInternet & CultureTech & AISecurity & TrustPractical TechnologyMoney & PaymentsBrowser & PrivacyAI ToolsSoftware & ServicesInternet Culture & Everyday WorkflowsHidden HistoryUseful ThingsEntertainmentQuizzesAboutHow we workHow guides are madeNewsletter
Browser & Privacy - story

HTTPS-Only Mode Turns a Silent Downgrade Into a Visible Decision

The browser can try HTTPS first and warn before loading an insecure connection. That protects the trip to a site, but it does not prove the site itself is honest.

Last verified July 11, 20262 sources checkedEditorial standards
A browser connection follows an encrypted route while an insecure route is stopped.
HTTPS-Only Mode Turns a Silent Downgrade Into a Visible DecisionA browser connection follows an encrypted route while an insecure route is stopped.HTTPS-only mode makes an insecure fallback a decision instead of a silent default. Illustration: Strangely Useful. Generated for Strangely Useful; provenance retained.
In this story4 sectionsWhat the setting changesWhat HTTPS cannot tell youWhen the warning is reasonableSet up a stronger baseline

Enable HTTPS-only mode if your browser offers it: the setting tries the encrypted version of a site first and warns before using an insecure HTTP connection. It prevents an old link or mistyped address from quietly sending page contents across the network without HTTPS.

What the setting changes

Chrome calls the option Always use secure connections. Google says it upgrades URLs to HTTPS and shows a warning before visiting a site that does not support it. Firefox's HTTPS-Only Mode similarly attempts a secure connection and asks before falling back. Modern sites usually work without any extra step because they already serve HTTPS.

HTTPS provides transport security between the browser and the site identified by the certificate. It helps prevent someone on the same network from reading or altering page contents in transit. The address bar and certificate checks matter because encryption to the wrong or malicious site is still encryption.

What HTTPS cannot tell you

  • It does not prove a shop, investment offer or download is legitimate.
  • It does not stop the site from collecting information you submit.
  • It does not remove cookies, fingerprinting or account tracking.
  • It does not make a dangerous file safe to open.

Phishing sites can obtain valid certificates. Treat HTTPS as a secure pipe, not a character reference for whoever owns the destination. Read the full hostname, arrive through a trusted route and verify unusual requests independently.

When the warning is reasonable

An old device dashboard, local router page or archival site may lack HTTPS. Before continuing, decide whether the page will carry anything sensitive. Never enter a password, card number or private message through plain HTTP. For a local device, look for a firmware update and use the manufacturer's documented address rather than a search result.

Do not train yourself to click through

A security warning should interrupt the flow. If a familiar public site suddenly cannot establish HTTPS, stop and check the address, device clock and network. Try a different trusted network or the site's official status page. A captive portal may require a temporary sign-in step, but that does not justify ignoring warnings on unrelated pages.

Set up a stronger baseline

  1. Update the browser so its certificate and protocol support are current.
  2. Turn on HTTPS-only or always-secure-connections mode.
  3. Use encrypted DNS as a separate protection for domain lookups.
  4. Keep Safe Browsing or equivalent malicious-site warnings active.
  5. Use a password manager, which can help expose look-alike domains by refusing to autofill.

HTTPS-only mode is valuable because it changes failure from invisible to explicit. Most days it does nothing noticeable. On the day an old link, hostile network or misconfigured site tries to drop encryption, the warning gives you the chance to stop before sending data.

Sources & methodology2 sources - evidence for this revision

The records below show what each source supports in this published revision.

  1. Manage Chrome safety and securityGoogle Chrome Helpreference - Retrieved Jul 12, 2026

    What it supportsChrome can upgrade URLs to HTTPS and warn before visiting a site without HTTPS.

  2. HTTPS-Only Mode in FirefoxMozilla Supportreference - Retrieved Jul 12, 2026

    What it supportsFirefox HTTPS-Only Mode attempts HTTPS and asks before an HTTP fallback.

The Useful Dispatch

Keep the good rabbit holes coming.

The weekly email is being prepared. No address is collected yet.

See the newsletter plan →