Referred to as ‘HTTP over HTTPS’, mixed content is the condition in which an HTTPS (Hypertext Transfer Protocol Secure) site also contains elements that are loaded over the plaintext HTTP protocol. In other words, a secure web page (loaded through HTTPS) contains scripts, styles, images or other linked content that is served through the insecure HTTP protocol. HTTPS stands for HTTP Secure, a more secure version of the HTTP protocol used on the internet to connect users to websites. This secure protocol provides key benefits: authentication, data integrity and secrecy. According to the Google Security Team, Chrome users now spend more than 90% of their browsing time on HTTPS on both desktop and mobile. An experienced web design company in Long Island can assist businesses in updating their websites to keep pace with changing website standards.
The HTTPS protocol:
- allows the browser to check that it has opened the correct website and hasn’t been redirected to a malicious site
- lets the browser detect if an attacker has changed any data the browser receives
- prevents an attacker from eavesdropping on the browser’s requests, tracking the websites visited, or stealing information sent or received
This secure protocol helps to protect both your site and your users from attack.
Google Chrome Takes Action to Block Mixed Content
Google recently announced that Chrome will begin blocking mixed content by default in order to make HTTPS browsing more secure. Starting in December 2019, Chrome will get a new setting to unblock mixed content on specific sites. In the next phase of the rollout, due in January 2020, mixed audio and video resources will be auto-upgraded to HTTPS. Although mixed images may still be loaded, Chrome will display a “Not Secure” warning in the omnibox next to the URL. The third phase starts in February 2020, when mixed content will be blocked permanently and Chrome will start auto-upgrading mixed content on HTTPS pages. With these roll-out plans, Google aims to ensure that HTTPS pages in Chrome can only load secure HTTPS sub-resources.
Types of Mixed Content and Why It Is Harmful to Your Site
There are two types of mixed content:
Passive mixed content
Passive mixed content doesn’t interact with the rest of the page and includes images, video and audio content, along with other resources. With this type of mixed content, attackers can exchange or replace images on the site, for example swapping the Save and Delete button images.
Active mixed content
Active mixed content poses a greater threat than passive content. It interacts with the page as a whole, and attackers can do almost anything with the page: rewrite active content, steal user passwords or redirect the user to a different site entirely. Active mixed content includes scripts, stylesheets, iframes, Flash resources, and other code that the browser can download and execute.
A non-secure web page exposes you, your business, and your users to many different threats. Mixed content degrades the security and user experience of an HTTPS site. Loading mixed content also leads to a confusing browser security UX, where the page is presented as neither secure nor insecure but somewhere in between. It also affects the way your web page is displayed by browsers. Insecure images can also compromise the security of your site, but they are not as dangerous as other types of mixed content. Modern browsers still load mixed-content images but display warnings to the user.
Google’s current plan is to block the most dangerous types of mixed content but still allow the less dangerous types to be requested.
How to Check and Fix It
The official WordPress plug-in directory has several popular plug-ins, such as Really Simple SSL, SSL Insecure Content Fixer, UpdraftPlus WordPress Backup Plug-in, One Click SSL and Testimonials Widget, that can help fix mixed content problems.
To prevent mixed content, Google recommends that you:
- Always use https:// URLs when loading resources on your page.
- Use the Content-Security-Policy-Report-Only header to monitor mixed content errors on your site (it reports violations without blocking anything).
- Use the upgrade-insecure-requests CSP directive to protect your visitors from insecure content.
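To make the passive/active distinction above concrete and to show the two CSP headers Google recommends, here is an added scanner (example code, not from the original post or from Google). The hostnames and the report endpoint are constructed placeholders.

```python
# Added example (not from the original post): scan an HTTPS page's HTML for
# http:// sub-resources, label each active or passive, and build the two CSP
# headers recommended above. Hostnames and report endpoint are placeholders.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Active kinds can run or restyle the page; passive kinds are only displayed.
ACTIVE = {("script", "src"), ("link", "href"), ("iframe", "src"), ("object", "data")}
PASSIVE = {("img", "src"), ("video", "src"), ("audio", "src"), ("source", "src")}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for kind, pairs in (("active", ACTIVE), ("passive", PASSIVE)):
            for t, a in pairs:
                if tag != t or not attrs.get(a):
                    continue
                if t == "link" and "stylesheet" not in (attrs.get("rel") or ""):
                    continue  # only stylesheet <link>s are fetched as sub-resources
                # urljoin resolves relative and //host/ URLs against the HTTPS
                # page, so only an explicit http:// URL is left as mixed content.
                url = urljoin(self.page_url, attrs[a])
                if urlparse(url).scheme == "http":
                    self.findings.append((kind, tag, url))

def scan(page_url, html):
    """Return (kind, tag, url) findings; an HTTP page cannot have mixed content."""
    if urlparse(page_url).scheme != "https":
        return []
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

def csp_headers(report_uri):
    """Report-Only only reports http:// loads; the enforced header upgrades them."""
    return {
        "Content-Security-Policy-Report-Only": f"default-src https:; report-uri {report_uri}",
        "Content-Security-Policy": "upgrade-insecure-requests",
    }

# Constructed sample: the http:// stylesheet, image and iframe are mixed; the //cdn script and /logo.png resolve to https.
SAMPLE_HTML = """<html><head><link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="//cdn.example.test/app.js"></script></head>
<body><img src="http://images.example.test/save.png"><img src="/logo.png">
<iframe src="http://widgets.example.test/embed"></iframe></body></html>"""
```

Run `scan("https://www.example.test/", SAMPLE_HTML)` to get the three findings; serve `csp_headers("/csp-report")` in Report-Only mode first to see what would break, then enforce.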
To find errors, you can also use the Chrome Security panel to determine which files or calls are causing the mixed content.
The Security panel is part of Chrome Developer Tools. You need not be a security expert to get useful information from it, but you can dig as deep as you want. The overall security of the page is reported prominently.
According to How-To Geek, it is not only Chrome: Firefox and Apple’s Safari are also aggressive about blocking mixed content. Responsive web design and development services from an experienced company can help your website be browser-friendly as well as user-friendly.