What Google’s recent decision to start blocking mixed content means for your website
Recently, Google announced that starting in December of 2019, it will begin to block web pages that contain mixed content. Initially, Google is going to allow users to bypass the block by manually accepting a pop-up security warning. However, by the beginning of 2020, Google plans on implementing a complete block of all pages containing mixed content.
The impact of Google’s decision can be devastating for businesses that have web pages containing mixed content. Of course, many businesses who contract out web-design services may not be aware whether their website contains pages with mixed content.
Encrypted (HTTPS) versus unencrypted (HTTP)
Web pages contain two types of content: secure, encrypted content that is delivered through an HTTPS connection, and unencrypted content that is delivered through an HTTP connection. Back in the day, all content was delivered through an HTTP connection. However, in 1995, the first iteration of HTTPS was developed. Initially, it was primarily used for secure transactions, such as credit card purchases; however, use of HTTPS has expanded. Recent statistics indicate that roughly three-fourths of the internet traffic is encrypted. In the future it is likely that all websites will be secured.
An HTTPS connection serves three important purposes. First, it allows authentication to ensure that the user was not redirected to a malicious site. Second, it can detect if someone has tampered with any of the data received by the browser. And finally, it prevents third-parties from tracking a user’s history, browser requests and stealing information that is sent or received through the browser.
What is mixed content?
As noted above, most content these days is delivered over an HTTPS connection. Indeed, the vast majority of new web pages are delivered over a secure HTTPS connection. However, some web pages that are delivered over a secure HTTPS connection may use subresources such as images, scripts, or other resources that are pulled in an unencrypted HTTP connection. This is referred to as mixed content. In other words, while much of the web page is secure, certain elements are not.
The problem with mixed content is that by including insecure content on a secure web page, developers weaken the entire page, making it vulnerable to attack. According to Google, “mixed content degrades the security and user experience of your HTTPS site.…Using these resources, an attacker can often take complete control over the page, not just the compromised resource.”
Currently, when a user visits a page containing content that is delivered through a HTTP connection, a pop-up will appear, warning the user that the page is “not secure.” However, starting in December, with the introduction of Chrome 79, Google will do two additional things. First, Google will automatically upgrade and HTTP content to HTTPS if the secured version of the resource is available. Second, Google will introduce a toggle allowing users to manually unblock resources that Chrome is currently blocking. Notably, this is not a complete block; however, the result may be the same, as users are warned and given the option not to continue.
Business owners who are not sure whether their pages contain mixed content should take proactive action before December 2019 to ensure that their web pages will not be negatively affected by Google’s new rule.
Tony Chiaramonte is a content developer for law firms at Custom Legal Marketing.