If you’ve ignored website security and HTTPS over the last five or so years, it’s time to get your ducks in order, because Google Chrome will block mixed content as of December 2019.
Google made the big announcement concerning HTTPS and how its Chrome browser users will start to see your website as follows:
Today we’re announcing that Chrome will gradually start ensuring that https:// pages can only load secure https:// subresources. In a series of steps outlined below, we’ll start blocking mixed content (insecure http:// subresources on https:// pages) by default. This change will improve user privacy and security on the web, and present a clearer browser security UX to users.
Essentially, starting in December, Google will gradually start blocking all mixed content by default.
What is Mixed Content?
Mixed content refers to sub-resources like images, audio, and videos loading over an insecure http:// connection, despite the website loading on a secure https:// connection. If this is you – you’re not alone. Google states that many https:// pages currently have this problem.
What is the Problem with Mixed Content?
Google Chrome will block mixed content that is loaded insecurely over http:// because they feel that the users’ privacy and security could be threatened.
The examples Google provides are an attacker tampering with a mixed image of a stock chart to mislead investors, or a hacker injecting a tracking cookie into a mixed resource load.
In addition to privacy and security issues, mixed content creates a confusing browser user experience. The page isn’t clearly presented as secure or insecure – but somewhere in between. Can your visitors really trust the security of your website when getting these mixed signals?
How Will This Affect My Website?
In a nutshell, Google Chrome will block mixed content, which means that if your images, audio, and videos are loading over an insecure http:// connection they will be blocked.
Essentially, all the hard work you put into creating and selecting great visuals for your website will be wasted, as they will not be viewable by visitors.
The blocking of mixed content is a gradual roll out starting with Chrome 79 in December 2019, followed by stricter actions with Chrome 80 and Chrome 81.
- Chrome 79 – a new setting will allow users to unblock mixed content on specific sites that Chrome currently blocks by default. This is set to replace the shield icon currently in the omnibox.
- Chrome 80 – mixed audio and video resources will be auto upgraded to https:// and will be blocked by Chrome if they fail to load (i.e. if they are insecure).
- Chrome 80 – mixed images will still load but with a “Not Secure” chip in the omnibox to warn users and motivate website owners to transfer their images to https://.
- Chrome 81 – mixed images will also be auto upgraded to https:// and will be blocked by Chrome if they fail to load (i.e. if they are insecure).
- Chrome users now spend 90% of their browsing time on https:// websites – evidence that your website visitors prefer the secure browsing experience!
- Before Google Chrome blocks mixed content, all website owners should migrate mixed content to https:// immediately in order to avoid warnings and breakages in the future.
- You still have time to deal with mixed content – Chrome 79 will launch in December 2019 and slowly roll out changes. This means you have about two months to get your website fully secure.
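To find what needs migrating, here is an added example (not from the original article or from Google): a small Python audit that lists the images, audio and video an https:// page still requests over http://, tagged with the Chrome release from the rollout above that auto-upgrades each type. The page URL and sample HTML are constructed, and only the `src` attribute of `img`, `audio`, `video` and nested `source` tags is inspected.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Release that auto-upgrades each mixed media type, per the rollout list above.
AUTOUPGRADE = {"audio": "Chrome 80", "video": "Chrome 80", "image": "Chrome 81"}
MEDIA_TAGS = {"img": "image", "audio": "audio", "video": "video"}

# Constructed sample page, not taken from any real site.
SAMPLE = """
<img src="http://static.example.com/chart.png">
<img src="/images/logo.png">
<img src="//cdn.example.com/banner.jpg">
<video controls><source src="http://media.example.com/intro.mp4"></video>
<audio src="https://media.example.com/ok.mp3"></audio>
"""

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.parent_kind = None  # kind of the enclosing <audio>/<video>, if any
        self.findings = []       # (kind, absolute_url, autoupgrade_release)

    def _check(self, kind, raw_url):
        # Resolve relative and protocol-relative URLs against the page first;
        # they inherit https:// and are therefore not mixed content.
        url = urljoin(self.page_url, raw_url.strip())
        if urlparse(url).scheme == "http":
            self.findings.append((kind, url, AUTOUPGRADE[kind]))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in MEDIA_TAGS:
            kind = MEDIA_TAGS[tag]
            if tag != "img":
                self.parent_kind = kind
            if attrs.get("src"):
                self._check(kind, attrs["src"])
        elif tag == "source" and self.parent_kind and attrs.get("src"):
            self._check(self.parent_kind, attrs["src"])

    def handle_endtag(self, tag):
        if tag in ("audio", "video"):
            self.parent_kind = None

def find_mixed_content(page_url, html):
    if urlparse(page_url).scheme != "https":
        return []  # mixed content only exists on https:// pages
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings
```

Calling `find_mixed_content("https://www.example.com/page", SAMPLE)` reports the stock-chart image and the video source; the relative and protocol-relative image URLs resolve to https:// and are not flagged.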
At 1st on the List, we’ve been tracking Google’s stance on Secure HTTPS and discussing security with our clients over the last five years. Since Google Chrome will block mixed content very soon, you need to act now. If you need to go HTTPS for the first time or get rid of Mixed Content on your HTTPS website, we can help! We also offer full service website security and maintenance plans.
Call us at 1-888-262-6687 to find out exactly what is involved in adhering to Google’s requirements before Chrome 79 launches in December 2019.
You can also read the official No More Mixed Messages About HTTPS announcement on Google’s Security Blog.