Google has figured out how to force sites to switch to HTTPS

While Google continues to take steps to supplant the HTTP protocol, the company has come up with an idea for how to force sites to switch to the more secure HTTPS.

A few years ago, Google began to take HTTPS support into account when ranking search results and to index HTTPS pages by default.

Then, in the Chrome browser (from version 68), pages using the HTTP protocol began to be marked insecure. Now, Google is ready to move on to the next stage of its plan to leave HTTP behind: having Chrome block “mixed” content completely.

Mixed content refers to individual elements on HTTPS pages that are insecurely loaded via an HTTP connection.

“Browsers by default block many types of mixed content such as scripts and iframes, but images, audio and video can still be downloaded, which poses a threat to user privacy and security. For example, an attacker could modify the mixed image of the stock chart to mislead investors, or insert a tracking cookie into the mixed content”, – says the official blog of Chromium.

Loading mixed content also blurs the security status of a page: in this case, the page is neither secure nor insecure, but somewhere in between. Google intends to rectify the situation: Chrome will block all mixed content by default. Note that the blocking will be introduced gradually.

In Chrome 79, scheduled for release in December this year, it will be possible to remove the blocking of mixed content for a specific site. This option will apply to mixed scripts, iframes, and other types of content that Chrome already blocks by default.

It will be possible to remove the block by clicking the lock icon and selecting the appropriate option in “Site Settings”.


Chrome 80 (the build will reach the early release channels in January 2020) will by default block audio and video that cannot be loaded over HTTPS.

You can remove the block in the manner described above. Additionally, in Chrome 80, when mixed images are loaded, the Omnibox will display a warning about the potential danger of the page.


This should prompt developers to renew their SSL certificates.

By the way, Google reports great progress in the transition to HTTPS. According to the company, Chrome users now spend more than 90% of their time on HTTPS sites on all major platforms.


Finally, Chrome 81 will also block images loaded over HTTP by default. The release of Chrome 81 in the early branches is scheduled for February 2020.

To avoid blocking, Google advises website developers to switch to HTTPS as quickly as possible. The company provides several resources on the blog that can help in this matter.
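As an added example (not part of the original article or of Google's guidance), the following Python audit lists the `http://` subresources referenced by an HTTPS page and tags each one with the rollout stage described above. The tag list, the function and class names, and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Tag -> (kind, rollout stage as described in the article). The tag list is an
# illustrative assumption, not Chrome's full list of subresource types.
RULES = {
    "script": ("script", "already blocked; Chrome 79 adds a per-site unblock"),
    "iframe": ("iframe", "already blocked; Chrome 79 adds a per-site unblock"),
    "audio": ("audio/video", "blocked by default from Chrome 80"),
    "video": ("audio/video", "blocked by default from Chrome 80"),
    "img": ("image", "warning in Chrome 80, blocked by default from Chrome 81"),
}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        rule = RULES.get(tag)
        url = (dict(attrs).get("src") or "").strip()
        # Only absolute http:// URLs are mixed content; relative and
        # protocol-relative (//host/...) URLs inherit the page's https scheme.
        if rule and url.lower().startswith("http://"):
            self.findings.append((self.getpos()[0], rule[0], url, rule[1]))

def audit(html_text):
    """Return (line, kind, url, stage) for each mixed-content reference."""
    finder = MixedContentFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings

# Constructed sample of a page that is itself served over HTTPS.
SAMPLE_PAGE = """<html><body>
<script src="http://cdn.example.test/app.js"></script>
<script src="https://cdn.example.test/ok.js"></script>
<img src="http://static.example.test/chart.png">
<img src="/local/logo.png">
<video src="http://media.example.test/clip.mp4"></video>
<iframe src="//widgets.example.test/frame"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, kind, url, stage in audit(SAMPLE_PAGE):
        print(f"line {line}: {kind} {url} -> {stage}")
```

Run against saved page source, it gives a list of references to move to HTTPS, ordered by position in the file.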

Reference:

  • HTTPS is not a separate protocol. It is plain HTTP, complemented by SSL and TLS encryption to enhance security.
  • HTTPS protects the data transfer channel between the browser and the website, guarding against a range of attacks, including sniffing and man-in-the-middle attacks.

About the author

瓦尔迪斯·科克

Security engineer, reverse engineering and memory forensics
