Google has recently announced they will continue to improve Chrome browser security by blocking mixed content on HTTPS pages. We will explain what it means and how this latest Chrome update can affect your website.
What is mixed content?
Mixed content is images, videos, stylesheets, scripts, embedded web pages, and other resources that are loaded over unencrypted HTTP on an HTTPS page.
When a page is loaded even partially over an insecure connection, the safety of the entire site is threatened and data theft becomes possible.
There are two types of mixed content: passive and active. Both of them endanger site security, but to a different extent.
Passive mixed content includes images, video, audio, and other content that doesn’t interact with the rest of the page. Despite being passive, such content can still harm your website's security: in an attack, it can be replaced with indecent or deceptive files that deface your brand.
Active mixed content is much more dangerous to load over HTTP because it includes scripts, stylesheets, iframes, Flash resources, and other code that, if intercepted, can grant an attacker unlimited access to all of the data, including sensitive information.
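To make the passive/active distinction concrete, the added example below (not part of the original article) scans an HTML string for http:// subresources and labels each one as passive or active. The function name, the tag lists and the sample markup are assumptions constructed for illustration.

```javascript
// Added example, not from the original article. Regex triage for static
// HTML only; a production audit should use a real HTML parser or crawler.
// Tag lists follow the article's passive/active split.
const PASSIVE = new Set(["img", "video", "audio", "source"]);
const ACTIVE = new Set(["script", "iframe", "link", "object", "embed"]);

function findMixedContent(html) {
  const findings = [];
  const tagRe = /<([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  // (?:^|\s) keeps lazy-load attributes such as data-src from matching "src".
  const attrRe = /(?:^|\s)(?:src|href|data)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;
  for (const [, rawName, attrs] of html.matchAll(tagRe)) {
    const tag = rawName.toLowerCase();
    if (!PASSIVE.has(tag) && !ACTIVE.has(tag)) continue; // <a href> is navigation
    // <link> fetches a subresource only when it is a stylesheet.
    if (tag === "link" && !/(?:^|\s)rel\s*=\s*["']?[^"'>]*\bstylesheet\b/i.test(attrs)) continue;
    for (const m of attrs.matchAll(attrRe)) {
      const url = (m[1] ?? m[2] ?? m[3]).trim();
      // Only explicit http:// is mixed; https:// and //host inherit TLS.
      if (!/^http:\/\//i.test(url)) continue;
      findings.push({ tag, url, type: ACTIVE.has(tag) ? "active" : "passive" });
    }
  }
  return findings;
}

// Constructed sample page, assumed to be served over HTTPS.
const SAMPLE_HTML = `
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<link rel="canonical" href="http://www.example.test/">
<script src="https://cdn.example.test/app.js"></script>
<script src='http://cdn.example.test/tracker.js'></script>
<img src="http://img.example.test/logo.png" alt="logo">
<img data-src="http://img.example.test/lazy.png" src="//img.example.test/ph.png">
<video src=http://media.example.test/intro.mp4></video>
<iframe src="http://widgets.example.test/map"></iframe>
<a href="http://partner.example.test/">Partner</a>
`;

for (const f of findMixedContent(SAMPLE_HTML)) {
  console.log(`${f.type.padEnd(7)} <${f.tag}> ${f.url}`);
}
```

On the sample page it reports five findings: the stylesheet, the tracker script and the iframe as active, and the logo image and the video as passive.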
What will Google do?
To prevent all this from happening, Google Chrome will eventually block all content that is loaded over an HTTP connection, further pushing websites to move from HTTP to HTTPS and use the encrypted protocol only.
When will the transition begin?
Soon, but not immediately. To make it less painful for website owners and developers and not to break the browsing experience for users, the transition will roll out gradually, starting with version 79 of the Chrome browser:
In Chrome 79, users will begin to see a new setting that allows them to unblock scripts, iframes, and other types of mixed content by clicking the lock icon and then Site Settings.
Chrome 80 will autoupgrade mixed audio and video content found on the page to HTTPS. If it fails to load over the encrypted protocol, Chrome will block the content, leaving users the option to manually unblock it.
As for mixed images, Chrome 80 will still load them, but with the ‘Not secure’ chip in its omnibox. This somewhat shameful mark is meant to urge websites to do away with all of their HTTP content and migrate to the more secure protocol.
Finally, in Chrome 81, mixed images will be blocked if they don’t autoupgrade to HTTPS.
Why should you care?
At Webxloo, we migrated to HTTPS a long time ago, and have been continuously highlighting how important it is to move from HTTP to HTTPS to protect your website and provide a safe environment for customers.
According to stats for 2019, Google Chrome is the most popular web browser worldwide, with a share of more than 55%.
If you ignore this warning from Chrome and don’t ensure that all of your content loads over an encrypted connection, you can imperil your customers' data as well as your reputation. Not to mention that partially displayed content will cause your bounce rate to skyrocket.
The good news is, you still have enough time to move from HTTP to HTTPS completely. If you need any help with your website encryption, contact us today.
Last updated on November 28th, 2019