If you’ve ignored website security and HTTPS over the last five or so years, it’s time to get your ducks in a row – and before December 2019.
Google has made another big announcement concerning HTTPS and how its Chrome browser users will start to see your website:
Today we’re announcing that Chrome will gradually start ensuring that https:// pages can only load secure https:// subresources. In a series of steps outlined below, we’ll start blocking mixed content (insecure http:// subresources on https:// pages) by default. This change will improve user privacy and security on the web, and present a clearer browser security UX to users.
Essentially, starting in December Google will gradually start blocking all mixed content by default.
What is Mixed Content?
Mixed content refers to sub-resources like images, audio and videos loading over an insecure http:// connection despite the website loading on a secure https:// connection. If this is you – you’re not alone. Google states that many https:// pages currently have this problem.
What is the Problem with Mixed Content?
When mixed content is loaded insecurely over http://, users’ privacy and security are threatened.
The examples Google provides are an attacker tampering with a mixed image of a stock chart to mislead investors, or a hacker injecting a tracking cookie into a mixed resource load.
In addition to privacy and security issues, mixed content creates a confusing browser user experience. The page isn’t clearly presented as secure or insecure – but somewhere in between. Can your visitors really trust the security of your website when getting these mixed signals?
How Does This Affect My Website?
In a nutshell, Google will eventually block mixed content, meaning that if your images, audio and videos are loading over an insecure http:// connection, they will be blocked.
This means that all the hard work you put into creating and selecting great visuals for your website will be wasted as they will be unviewable by visitors.
The blocking of mixed content is a gradual rollout starting with Chrome 79 in December 2019, followed by stricter actions with Chrome 80 and Chrome 81.
- Chrome 79 – a new setting will allow users to unblock, on specific sites, the mixed content that Chrome currently blocks by default. This is set to replace the shield icon currently in the omnibox.
- Chrome 80 – mixed audio and video resources will be auto-upgraded to https:// and will be blocked by Chrome if they fail to load over https:// (i.e. if they are insecure).
- Chrome 80 – mixed images will still load but with a “Not Secure” chip in the omnibox to warn users and motivate website owners to transfer their images to https://.
- Chrome 81 – mixed images will also be auto-upgraded to https:// and will be blocked by Chrome if they fail to load over https:// (i.e. if they are insecure).
- Chrome users now spend 90% of their browsing time on https:// websites – evidence that your website visitors prefer the secure browsing experience!
- All website owners should migrate mixed content to https:// immediately in order to avoid warnings and breakages in the future.
- You still have time to deal with mixed content – Chrome 79 will launch December 2019 and slowly roll out changes. This means you have about two months to get your website fully secure.
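To find what needs migrating, the following added example (not from Google's announcement or the original post) scans a page's HTML for http:// sub-resources and sorts each one into the rollout stage listed above. It goes slightly beyond the list by also flagging scripts, iframes and stylesheets; the function name, category labels and sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# (tag, attribute) -> bucket in the rollout above; "blocked" = scripts, iframes
# and stylesheets, the mixed content Chrome already blocks by default.
CATEGORY = {
    ("img", "src"): "image", ("img", "srcset"): "image", ("video", "poster"): "image",
    ("audio", "src"): "audio/video", ("video", "src"): "audio/video",
    ("script", "src"): "blocked", ("iframe", "src"): "blocked", ("link", "href"): "blocked",
}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._media = [], []  # results; stack of open media elements

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("audio", "video", "picture"):
            self._media.append(tag)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # canonical/alternate links are not sub-resource loads
        for name, value in attrs.items():
            category = CATEGORY.get((tag, name))
            if tag == "source" and name in ("src", "srcset"):
                # <source> takes its category from the enclosing element
                category = "image" if self._media[-1:] in ([], ["picture"]) else "audio/video"
            # srcset is a comma-separated list of "url descriptor" candidates
            for cand in ((value or "").split(",") if name == "srcset" else [value or ""]):
                url = (cand.split() or [""])[0]
                if category and url.lower().startswith("http://"):  # relative and // URLs are fine
                    self.findings.append((self.getpos()[0], tag, category, url))

    def handle_endtag(self, tag):
        if self._media[-1:] == [tag]:
            self._media.pop()

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.findings  # list of (line, tag, category, url)

# Constructed sample page (example.com URLs are placeholders).
SAMPLE = """<link rel="canonical" href="http://example.com/">
<link rel="stylesheet" href="http://example.com/site.css">
<img src="//cdn.example.com/logo.png" srcset="http://example.com/logo-2x.png 2x">
<video poster="/poster.jpg"><source src="HTTP://example.com/demo.mp4"></video>
<a href="http://example.com/about">About</a>"""
if __name__ == "__main__":
    print(*find_mixed_content(SAMPLE), sep="\n")
```

Ordinary links and canonical tags pointing at http:// are not reported, because navigating to an insecure page is not a mixed sub-resource load.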
At 1st on the List we’ve been tracking Google’s stance on Secure HTTPS and discussing security with our clients over the last five years. If you need to go HTTPS for the first time or get rid of Mixed Content on your HTTPS website we can help!
Call us at 1-888-262-6687 to find out exactly what is involved for adhering to Google’s requirements before Chrome 79 launches in December 2019.
You can also read the official No More Mixed Messages About HTTPS announcement on Google’s Security Blog.