As Google continues its effort to phase out plain HTTP, the company has come up with a new way to push sites toward the more secure HTTPS.
A few years ago, Google began to take HTTPS support into account when ranking search results and to index HTTPS pages by default.
Then, starting with version 68 of the Chrome browser, pages served over HTTP began to be marked as insecure. Now Google is ready to move on to the next stage of its plan to retire HTTP: making Chrome block "mixed" content completely.
Mixed content refers to individual elements on HTTPS pages that are insecurely loaded via an HTTP connection.
“Browsers by default block many types of mixed content such as scripts and iframes, but images, audio and video can still be downloaded, which poses a threat to user privacy and security. For example, an attacker could modify the mixed image of the stock chart to mislead investors, or insert a tracking cookie into the mixed content,” says the official Chromium blog.
Loading mixed content also muddles the browser's security indication: the page is neither secure nor insecure, but somewhere in between. Google intends to rectify the situation: Chrome will block all mixed content by default. Note that the blocking will be introduced gradually.
In Chrome 79, which is scheduled for release in December this year, it will be possible to unblock mixed content for a specific site. This option will apply to mixed scripts, iframes, and other types of content that Chrome already blocks by default.
To remove the block, click the lock icon and select the appropriate option in “Site Settings” (image below).
Chrome 80 (due in the early release channels in January 2020) will by default block audio and video that cannot be loaded via HTTPS.
You can remove the block in the manner described above. Additionally, in Chrome 80, when a page loads mixed images, the Omnibox will display a warning about the potential danger of the page. It will look like this:
This is intended to prompt developers to renew their SSL certificates.
Google also says it has made great progress in the transition to HTTPS. According to the company, Chrome users now spend more than 90% of their browsing time on HTTPS sites on all major platforms.
Finally, Chrome 81 will also block images loaded via HTTP by default. Chrome 81 is scheduled to reach the early release channels in February 2020.
To avoid blocking, Google advises website developers to switch to HTTPS as quickly as possible. The company provides several resources on the blog that can help in this matter.
- HTTPS is not a separate protocol. It is plain HTTP, complemented by SSL and TLS encryption to enhance security.
- HTTPS protects the data transfer channel between the browser and the website, preventing all sorts of attacks, including sniffing attacks and man-in-the-middle attacks.
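
One way to audit a page ahead of the rollout described above, as an added example that is not from Google or the Chromium blog: a Python scanner that lists the subresources an HTTPS page loads over HTTP and labels each with the stage from the article's timeline at which Chrome blocks it. The sample page and its example.test hosts are constructed, and treating stylesheets as already-blocked content is an assumption beyond the element types the article names.

```python
from html.parser import HTMLParser

# When Chrome blocks each kind of mixed content, following the article's timeline.
ALREADY = "blocked already (per-site opt-out from Chrome 79)"
STAGES = {"script": ALREADY, "iframe": ALREADY, "link": ALREADY,  # link: assumption
          "audio": "blocked from Chrome 80", "video": "blocked from Chrome 80",
          "img": "blocked from Chrome 81"}
# Attribute that makes each tag fetch a subresource; <a href> is navigation, so absent.
URL_ATTR = {"script": "src", "iframe": "src", "link": "href", "audio": "src",
            "video": "src", "source": "src", "img": "src"}

# Constructed sample page; the example.test hosts are placeholders.
SAMPLE = """<script src="http://cdn.example.test/app.js"></script>
<link rel="stylesheet" href="https://cdn.example.test/site.css">
<a href="http://example.test/about">About</a>
<img src="http://img.example.test/chart.png"><img src="//img.example.test/logo.png">
<video controls><source src="http://media.example.test/clip.mp4"></video>"""

class MixedContentAuditor(HTMLParser):
    """Collects (tag, url, stage) for subresources fetched over plain HTTP."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._media = []  # open <audio>/<video> elements, used to classify <source>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("audio", "video"):
            self._media.append(tag)
        if tag not in URL_ATTR or (tag == "source" and not self._media):
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheet links are classified here
        url = (attrs.get(URL_ATTR[tag]) or "").strip()
        if url.lower().startswith("http://"):  # relative and // URLs inherit HTTPS
            kind = self._media[-1] if tag == "source" else tag
            self.findings.append((tag, url, STAGES[kind]))

    def handle_endtag(self, tag):
        if self._media and self._media[-1] == tag:
            self._media.pop()

def audit(html):  # the page itself is assumed to be served over HTTPS
    auditor = MixedContentAuditor()
    auditor.feed(html)
    return auditor.findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The scanner covers static markup only; `srcset` candidates and resources requested by scripts or CSS at runtime are not seen by it.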