Google Chrome and the mystery of ‘mixed content’...

Google Chrome will soon start blocking 'mixed content'. In this article we will explain what 'mixed content' is and what to do about it.

Brendan, Nov 06, 2019, News

Over the last few years, Google has been seriously promoting the use of HTTPS instead of HTTP. This has resulted in Chrome users now spending 90% of their browsing time on HTTPS on all major platforms. And now it is time for Google to take the next step: to eradicate ‘mixed content’.

You might wonder what ‘mixed content’ is and why it could be harmful, and that’s exactly why we wrote this article. So by the end, you’ll know what it is, how to detect it and what you can do about it.

Let’s start with what ‘mixed content’ is. It’s a combination of secure and non-secure content elements. Even when a website has a valid, working SSL certificate and uses a secure HTTPS connection, some elements on that website, like scripts, iframes, images, or other linked content, may still be served through an insecure HTTP connection. This happens, for example, if you’ve hardcoded an image or video with an HTTP address instead of an HTTPS address.

Why is Google worried about this type of content?

There are a few reasons why Google (and all of us who care about security) want to get rid of ‘mixed content’. The main one is that content elements served through a non-secure HTTP connection can put users at risk. They could be used by attackers to inject a tracking cookie into a mixed resource load. Non-secure elements can also be used by attackers to view, or modify, the communication between two parties. Using these non-secure elements, attackers can sometimes even take complete control over the website, and not just the compromised resource.

Another reason for Google to take ‘mixed content’ more seriously is that:
“Loading mixed content also leads to a confusing browser security UX, where the page is presented as neither secure nor insecure, but somewhere in between”.

Is this something completely new?

No, not really. For a while, Chrome and other browsers have been refusing to show a (green) padlock in the address bar if they found ‘mixed content’ on that page. They also already block certain types of ‘mixed content’, like scripts and iframes. But so far, images, audio, and video are still allowed to load over an HTTP connection. And that will change.

When will Google start with its new policy?

Google isn’t implementing this new policy overnight. They are taking a step by step approach and giving website owners enough time to fully migrate to HTTPS. The step by step approach will be as follows:

What does this mean for website owners?

This new policy means that website owners will have to migrate their HTTPS websites entirely to HTTPS, and not just the main domain. And they need to make sure their websites don't load any resources over HTTP anymore. This includes iframes, cookies, CSS files, JavaScript files, audio, video, and especially images.
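As an added example (not from the original article or from Google), this Python scanner parses a page's HTML and lists subresources that would load over HTTP, separating the media types the article says are still allowed from those browsers already block. The names `find_mixed_content`, `LOAD_ATTRS`, `PASSIVE` and the sample page are assumptions made for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a subresource. <a href> is
# navigation, not a subresource load, so it is deliberately left out.
LOAD_ATTRS = {"script": "src", "iframe": "src", "img": "src", "audio": "src",
              "video": "src", "source": "src", "link": "href"}
# Media types the article says still load over HTTP for now.
PASSIVE = {"img", "audio", "video", "source"}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, url, status)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        value = attrs.get(LOAD_ATTRS.get(tag, ""))  # None for unlisted tags
        if not value:
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheet links are treated as resource loads
        # Resolve relative and protocol-relative (//host/...) URLs first.
        url = urljoin(self.page_url, value.strip())
        if urlsplit(url).scheme == "http":
            status = "allowed-for-now" if tag in PASSIVE else "already-blocked"
            self.findings.append((tag, url, status))

def find_mixed_content(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on an HTTPS page
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample page (not from the article).
SAMPLE = """<link rel="stylesheet" href="/css/site.css">
<script src="http://cdn.example.com/lib.js"></script>
<img src="http://static.example.com/logo.png">
<img src="//static.example.com/banner.png">
<video src="http://media.example.com/intro.mp4"></video>
<a href="http://example.com/about">About</a>"""

if __name__ == "__main__":
    for tag, url, status in find_mixed_content("https://www.example.com/", SAMPLE):
        print(f"{tag:7} {status:16} {url}")
```

The scanner only sees URLs written into HTML attributes; resources requested from inside CSS files or by JavaScript at runtime need a check in the browser itself.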

How to find and fix ‘mixed content’?

To find out if your website contains ‘mixed content’, there are a few things you can do. First of all, check your address bar. If your website contains mixed items, there won’t be a (green) padlock or there will be a warning. To find out what the cause is for the ‘mixed content’ on your website, Google gives the following advice:

Still not 100% sure what to do?

I hope that we were able to demystify the subject of ‘mixed content’ sufficiently, but if you have any questions, or if you are still not completely sure if your website contains ‘mixed content’, you can dive a bit deeper and read the full story of the Chrome Security team on their blog.

If your website doesn’t have an SSL certificate to serve the site on HTTPS to begin with, then check out our Cloud Container servers that come with free SSL as standard. The rest is up to you.
