Chrome to start blocking mixed content

Chrome browser will soon block sites that mix HTTP (non-secure) with HTTPS (secure) content

Google has recently announced that its Chrome browser will start to block web pages that feature mixed content, beginning at the end of the year. Now is the time to make sure your SSL certificates are configured correctly so that your web visitors see no disruption.

What is mixed content?

When you visit a webpage, you can often tell that the website is secure from the green padlock symbol. Depending on your browser, this may display differently, e.g. in Chrome itself, the padlock is grey.

A secure website has various benefits for both website owners and users. For owners, it provides protection against malicious attacks, as well as a slight rankings boost. For website users, it encrypts the data sent from the browser, e.g. personal details.

Sites that are set up this way use what’s known as an SSL certificate. This is what allows the site to be served over HTTPS instead of HTTP.

Example:

http://www.example.com – this would be an unsecured site. Data sent between the browser and the server is not encrypted and can be intercepted.
https://www.example.com – this would be a secure web page. Data is encrypted between the browser and the server.

So, what is mixed content? Simply put, mixed content refers to a webpage that is served over HTTPS with an SSL certificate but loads some of its resources over HTTP.

A webpage is made up of several resources such as stylesheets, images and videos. It’s possible for a website to be secure and have insecure content. This poses a security risk.

From Google:

Mixed content degrades the security and user experience of your HTTPS site. Using these resources, an attacker can often take complete control over the page, not just the compromised resource.

You might think that established sites are not going to have this problem, but you’d be surprised.
It took me a whole 3 minutes of searching to find a site with insecure content, and a pretty well-known one too – ESPN.

Moving Forward

Come December, Google’s browser will update to version 79, and that’s when we will start seeing these new security changes implemented.

Version 79 will feature two changes to how it handles insecure content.

  1. The browser will automatically load HTTPS resources, even if the markup contains HTTP.
  2. A toggle will be available so users can choose to unblock resources that Google has blocked.

Then, in Jan/Feb 2020, Google will remove the unblocking option and will begin to block insecure content altogether.

There’s always been a reason to implement an SSL certificate, from security to the slight ranking boost that Google publicly announced a while ago. However, now is the time to make sure you have everything in order, with no mixed content warnings. Failure to do so will result in decreased customer conversions and sales, as users will be presented with warnings of a blocked webpage.

How to check your website for insecure content?

You can scan your website for insecure content by using various free services including this one:

https://www.missingpadlock.com/

Simply enter your full website URL and click ‘crawl my site’.

How to fix insecure content

Assuming you have an SSL certificate installed by your host or domain registrar but still have insecure content, you can force SSL via your .htaccess file. Simply add the following code to your .htaccess, which will force a secure connection.

# Redirect any request that arrives over plain HTTP to the same URL on HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
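
The rewrite rule above redirects requests that reach your own server over HTTP; it does not change http:// URLs written in a page's markup, so those references still have to be found and updated. The following Python example is added here and is not code from the original article: it lists the http:// subresources that an HTTPS page references. The tag/attribute list, the rel values and the sample page are assumptions chosen for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# (tag, attribute) pairs that make the browser fetch a subresource.
# <a href> is deliberately absent: following a link is navigation, not mixed content.
SUBRESOURCE_ATTRS = {
    ("script", "src"), ("img", "src"), ("iframe", "src"), ("embed", "src"),
    ("video", "src"), ("audio", "src"), ("source", "src"), ("object", "data"),
}
# <link href> is only fetched for these rel values (rel="canonical" is not).
LOADING_RELS = {"stylesheet", "icon", "preload", "manifest"}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (line, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        candidates = [v for k, v in attrs.items() if (tag, k) in SUBRESOURCE_ATTRS]
        if tag == "link" and LOADING_RELS & set(attrs.get("rel", "").lower().split()):
            candidates.append(attrs.get("href", ""))
        for raw in candidates:
            # Resolve relative and protocol-relative (//host/x) URLs against the page.
            url = urljoin(self.page_url, raw.strip())
            if url.lower().startswith("http://"):
                self.findings.append((self.getpos()[0], tag, url))

def find_mixed_content(html, page_url):
    """Return (line, tag, url) for each http:// subresource of an HTTPS page."""
    if not page_url.lower().startswith("https://"):
        return []  # mixed content only exists on pages served over HTTPS
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample page (not from the article).
SAMPLE = """<html><head>
<link rel="canonical" href="http://www.example.com/">
<link rel="stylesheet" href="http://www.example.com/site.css">
<script src="//cdn.example.net/app.js"></script>
</head><body>
<a href="http://www.example.com/about">About</a>
<img src="http://www.example.com/logo.png">
</body></html>"""

if __name__ == "__main__":
    for line, tag, url in find_mixed_content(SAMPLE, "https://www.example.com/"):
        print(f"line {line}: <{tag}> loads {url}")
```

Each reported URL needs to be changed to https:// (or the resource hosted somewhere that supports HTTPS) in the page source itself.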

How long will it be before Google completely blocks pages that are not secure? It’s not worth waiting to find out. Secure your site and your visitors’ information now, before it causes disruption to your business.