- On December 5, 2019
Sign up for Tenrec Tips & News
Some of you may remember back in July 2018 when Google Chrome started penalizing websites that were not running over encrypted connections, by visually calling attention to the browser’s URL bar with a bright red warning:
Previously more discreet, the green secure padlock icon was used to ‘reward’ websites for their secure connections over HTTPS, while leaving regular old HTTP alone for the most part. Once secure connections became the standard, however, they were expected across the board (not just from your bank or financial institution). This was when Google switched gears and decided that instead of rewarding encrypted websites, they would start to shame those that were not.
Most people can agree that a secure website is a good thing, but what’s really happening when you visit an insecure site? When visiting any site, your browser is using an application protocol called HyperText Transfer Protocol (HTTP). This is a client-server protocol that facilitates communication between web browsers and web servers, and allows the fetching of resources on the web, such as HTML. When your browser connects to a website using HTTP it is considered “insecure”. However, with the addition of a Secure Sockets Layer (SSL certification), the connection is reclassified as HTTPS (‘S’ for secure). In this case, communications between the client platform running the console and the managed computer are encrypted using SSL.
While having an SSL certification for your website remains essential as the first step towards being secure, there are still opportunities for vulnerable references to sneak through the cracks, and pose security risks. These insecure references, scripts, cookies, links and images, often referred to as “mixed content” are giving Google yet another reason to penalize websites, but only in an effort to make the world wide web as safe as it can be.
Why is mixed content bad?
Mixed content means there is a mixture of secure and non secure content on a web page. To understand why this is bad, first let’s consider vulnerabilities with a regular HTTP protocol. The HTTP protocol sends information from a server to browser without encryption, which means it can easily be stolen by hackers. Some of these risks include:
- Hackers stealing your private information (usernames, passwords, etc.)
- Mixed content makes a webpage more vulnerable to ‘man-in-the-middle’ attacks, where attackers can eavesdrop on a connection or act as one of the communicating parties
- Can be used in other obtrusive ways, such as injecting irrelevant pop up ads cluttering your page view
With mixed content, these same security issues still exist, only users will be under the impression that their connection is secure. Using the insecure HTTP protocol to request references on an otherwise secure site, begins to weaken the security on that entire webpage. Even just one HTTP file can open up the opportunity for hackers to install malware or otherwise manipulate your site and its visitors. In some cases hackers can take over complete control of a webpage, not just the compromised resource.
How is Google blocking mixed content?
Soon Google Chrome won’t just notify you when there is mixed content on a webpage, it will actually start to block that content. If there is mixed content on your site, this could lead to things looking broken or missing important information. If you don’t take action on this now, mixed content will be blocked, resulting in poor user experience and a possible loss in traffic or sales. It’s important to note that while Google is paving the path forward with these changes, other browsers are sure to quickly follow suit.
The good news if your site currently contains mixed content, is that you have (a little) time to fix it. Google will be rolling out these alerts in phases, the first of which start in December 2019 with the release of Chrome 79.
- December 2019: Insecure content is blocked, but users have the option to allow mixed content on any https:// page by clicking the lock icon and updating updating their browser settings
- January 2020: Google Chrome 80 will begin blocking insecure video and audio files, while attempting to auto upgrade them to HTTPS. If this fails, the content will not be accessible to visitors. Insecure images will still appear, however the URL bar will now display an insecure warning to visitors, even though you are using a valid SSL certification
- February 2020: Google Google Chrome 81 will attempt to auto upgrade any instances of insecure images to instead load load over HTTPS
What does it mean to have content “blocked” by Google?
Google Chrome is already blocking mixed scripts and iframes, which can cause certain parts of a webpage to not work properly. Sometimes this is obvious to site visitors, and prevents them from doing what they are trying to do. Other times the impact can be minimal. Now the same will start to happen with insecure images, cookies, audio or video files, which is likely to be much more problematic. These subresources will be blocked, meaning site visitors can not access or see this information. If this happens, users are still able to accept mixed content references, or adjust their settings if they so choose, but again is not the most ideal user experience and is likely to deter them from your site.
Even though Google is cracking down on the mixed content issue, they have not announced anything about removing the ability to manually allow insecure content to be loaded on your browser. They are however making it more and more difficult to find and change those settings, effectively discouraging people from doing so.
Check out this example webpage created by Google to get a better sense of how that works.
How to know if your website contains mixed content:
There are different auditing tools out there that can help you identify mixed content across your entire website. Another thing you can do manually while browsing your site, is to look for pages where the message “‘Your connection to this site is not fully secure’ appears to the left of your browser’s URL bar. This indicates what Chrome is already, or will soon be blocking. Identifying the source of said mixed content requires a bit of investigating, often done through the developer tools directly in your preferred browser. If you need help, reach out to your web developer to make sure your site is good to go!