Google Chrome’s administration has promised to introduce an optional blockage of pages with mixed content in December 2019 and to make blockage obligatory in January 2020. To prevent the worsening of user experience and a loss of customers, website owners should make sure their pages do not fall under Google’s sanctions.
Continue reading to find out the reasons for the update, as well as tips on how you can prepare for it.
Mixed Content Purpose and Definition
Until recently, all websites were based on the HTTP protocol, which was totally okay. However, after the advent of HTTPS advanced encryption, browsers began to perceive HTTP as an obsolete and second-rate option, since it leaves room for sensitive data interception by hackers. This vulnerability makes it unsuitable for carrying out monetary transactions or exchanging confidential details.
Chrome already warns people trying to visit pages with the old and unreliable protocol, in an effort to stimulate the web community to opt-out of obsolete technology. The December and January updates are the next steps towards establishing a uniform security standard and accelerating mass encryption of all websites. Removal of the “https://” indicator was an earlier step in this direction. Google assumes there is no need to mark secure pages in this way since all pages should be secure.
So what is mixed content? Let’s say your HTTPS page has HTTP elements. Chrome will perceive this page as mixed content and warn web users that it is not encrypted.
Why Does Chrome Display the Mixed Content Warning?
Like a wolf in sheep’s clothing, mixed content pages appear totally harmless. However, they can cause havoc at the most unexpected moments. A maleficent code can sneak into your system via HTTP and provoke irreversible changes. For example, hackers can substantiate your original content with misleading materials, get passwords to your users’ electronic wallets, track their cookies, and much more.
While some HTTP-related issues manifest themselves as active and destructive attacks, others bring damage gradually and discreetly. Even if there are no obvious problems, clicks on your HTTP-based content can inform hackers about which pages are viewed and what operations are carried out on your website. Don’t wait until your site is violated to take action. Do everything you can now to ensure 100% security of your online platform.
Google has introduced the concept of blocked mixed content to encourage website owners to finish what they started long ago. Many migrated to HTTPS but left some unencrypted content on their sites, or continued to rely on external HTTP resources. This format will no longer work with Chrome’s new security standards. Taking steps to fix mixed content is no longer an option, but an acute necessity for business websites.
Mixed Content Types
There are two types of blocked mixed content exposing users to danger of different degrees: passive (display) and active. The first type is less dangerous, since it can only steal cookies or forge information on your site. With the second type, your users could unwittingly disclose their confidential data or be redirected to websites containing viruses.
Let’s talk about each type in greater detail.
Passive Mixed Content
Passive content is simply displayed on a website to collect information on users’ behavior, or to mislead them. It cannot spread its malicious influence to other website elements or drive undesirable actions.
HTTP requests that fall under this category:
- <img>, <audio>, and <video> src attributes;
- <object> subresources.
Active Mixed Content
In this case, malicious code can influence any part of a page’s Document Object Model. Your website can become uncontrollable and behave in ways dictated by a hacker. They may steal your users’ confidential information, respond to users’ requests with misleading messages, or download a virus to users’ computers. Active manipulations carried out through HTTP affect “healthy” HTTPS elements and drive malicious processes on the website.
The amount of damage active content is able to inflict depends on the type of information exchanged on the website. Owners of private platforms that require authentication before allowing users to conduct transactions and share private data should be particularly concerned. Even if you run a public site that can be accessed by anyone on the web, active content can still redirect your visitors to insecure pages or scan their behavior.
HTTP requests that fall under this category:
- <script> and <iframe> src attributes;
- <link> href attribute;
- <object> data attribute;
- <url> used in CSS.
Chrome’s New Approach to Mixed Content
Currently, Google allows the transition to unencrypted pages but signals that they are insecure. In December 2019, after the release of Chrome 79, the following provisions will go into force:
- HTTP content of HTTPS-based websites will be automatically converted into HTTPS.
- For now, users will be able to disable the blocking feature and freely visit unencrypted pages, but the option will no longer be available beginning in January 2020.
With Google’s impending changes, it will become impossible to continue using mixed content and ignoring Google’s updates. Warnings in Chrome that your website is insecure could potentially alienate some of your target audience, leading to a decrease in the number of ad views, clicks, and conversions. And in January 2020, the rules will get even stricter.
Proactively upgrading your website and taking precautions in advance will help you safely enter the new era of browsing without undue pressure or stress.
Scanning Your Site for Mixed Content
Many website owners fail to clear out mixed content because, at first glance, everything appears to be alright. All the features work normally on HTTP, so there seems to be no point in spending time and energy converting them to HTTPS. However, neglecting to make upgrades will cost you down the road.
Now is the time to detect and eliminate all your HTTP elements. Happily, there are plenty of automatic scanners to help you accomplish this goal quickly and easily. Here are the most notable ones:
- JitBit SSL Checker. This tool can be used online for free. Its resources are sufficient to analyze up to 400 pages.
- Really Simple SSL. This WordPress plugin not only detects but also clears out mixed content. Use it to migrate to SSL with no hassles.
- SSL Insecure Content Fixer. This is another WordPress plugin designed for websites that already use SSL. It detects unencrypted content and helps you fix it.
- Screaming Frog Crawl Software. For a small fee (£149.00/year), you will get a powerful tool that can efficiently crawl large websites. The user-friendly interface and straightforward features mean you won’t need to spend a lot of time learning to use it. But keep in mind that Screaming Frog can only detect HTTP, not fix it.
General Situation in the Browsing World
The mixed content blockage is not isolated to Chrome, other popular browsers also support the trend. For example, pages containing HTTP are blocked by default in Firefox. Safari treats them with suspicion as well. Edge, a new browser by Microsoft, is based on the same code as Chrome and, therefore, behaves in the same way.