Google Chrome and the mystery of ‘mixed content’...

Google Chrome will soon start blocking 'mixed content'. In this article we will explain what 'mixed content' is and what to do about it.

Brendan | Nov 06, 2019 | News

Over the last few years, Google has been seriously promoting the use of HTTPS instead of HTTP. This has resulted in Chrome users now spending 90% of their browsing time on HTTPS on all major platforms. And now it is time for Google to take the next step: to eradicate ‘mixed content’.

You might wonder what ‘mixed content’ is and why it could be harmful, and that’s exactly why we wrote this article. So by the end, you’ll know what it is, how to detect it and what you can do about it.

Let’s start with what ‘mixed content’ is. It’s a combination of secure and non-secure content elements. Even when a website has a valid and working SSL certificate and uses a secure HTTPS connection, some elements on that website, like scripts, iframes, images, or other linked content, may still be served through an insecure HTTP connection. This happens, for example, if you’ve hardcoded an image or video with an HTTP address instead of an HTTPS address.

Why is Google worried about this type of content?

There are a few reasons why Google (and all of us who care about security) want to get rid of ‘mixed content’. The main one is that content elements served through a non-secure HTTP connection can put users at risk. They could be used by attackers to inject a tracking cookie into a mixed resource load. Non-secure elements can also be used by attackers to view, or modify, the communication between two parties. Using these non-secure elements, attackers can sometimes even take complete control over the website, and not just the compromised resource.

Another reason for Google to take ‘mixed content’ more seriously is that:
“Loading mixed content also leads to a confusing browser security UX, where the page is presented as neither secure nor insecure, but somewhere in between”.

Is this something completely new?

No, not really. For a while, Chrome and other browsers have been refusing to show a (green) padlock in the address bar if they found ‘mixed content’ on that page. They also already block certain types of ‘mixed content’, like scripts and iframes. But so far, images, audio, and video are still allowed to load over an HTTP connection. And that will change.

When will Google start with its new policy?

Google isn’t implementing this new policy overnight. They are taking a step-by-step approach and giving website owners enough time to fully migrate to HTTPS. The step-by-step approach will be as follows:

What does this mean for website owners?

This new policy means that website owners will have to migrate their websites entirely to HTTPS, and not just the main domain. They also need to make sure their websites don't load any resources over HTTP anymore. This includes iframes, cookies, CSS files, JavaScript files, audio, video, and especially images.
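One way to check a page's HTML for such resources offline, as an added example that is not part of the original article or of Google's guidance: a small Python scanner that lists every `src` or stylesheet `href` hardcoded to `http://` and labels it by whether, per the article, browsers already block that type. The function names, category labels and sample page are assumptions made for this illustration, and it does not look at `srcset`, inline CSS or resources added by scripts.

```python
from html.parser import HTMLParser

# Per the article: scripts and iframes over HTTP are already blocked, while
# images, audio and video still load. Stylesheets are grouped with the blocked
# types here (not stated in the article; browsers treat CSS as active content).
BLOCKED = {"script", "iframe", "link"}
ALLOWED = {"img", "audio", "video", "source"}


class MixedContentFinder(HTMLParser):
    """Collect (category, tag, url) for each subresource loaded over http://."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            if "stylesheet" not in (attrs.get("rel") or "").lower().split():
                return  # canonical/alternate links do not load a resource
            url = attrs.get("href")
        elif tag in BLOCKED | ALLOWED:
            url = attrs.get("src")
        else:
            return  # <a href> is navigation, not mixed content
        # Relative and protocol-relative URLs inherit the page's https scheme.
        if url and url.strip().lower().startswith("http://"):
            category = "blocked" if tag in BLOCKED else "allowed-for-now"
            self.findings.append((category, tag, url.strip()))


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page, assumed to be served from https://example.com/
SAMPLE = """<head>
<link rel="stylesheet" href="http://example.com/site.css">
<link rel="canonical" href="http://example.com/">
<script src="http://cdn.example.net/widget.js"></script>
</head><body>
<img src="http://example.com/logo.png"> <img src="/images/banner.png">
<video src="//media.example.org/intro.mp4"></video>
<a href="http://example.org/">plain link</a></body>"""

for category, tag, url in find_mixed_content(SAMPLE):
    print(f"{category:16} <{tag}> {url}")
```

Each reported URL is a candidate for switching to `https://` or to a relative path, provided the host actually serves that resource over HTTPS.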

How to find and fix ‘mixed content’?

To find out if your website contains ‘mixed content’, there are a few things you can do. First of all, check your address bar. If your website contains mixed items, there won’t be a (green) padlock or there will be a warning. To find out what is causing the ‘mixed content’ on your website, Google gives the following advice:

Still not 100% sure what to do?

I hope that we were able to demystify the subject of ‘mixed content’ sufficiently, but if you have any questions, or if you are still not completely sure if your website contains ‘mixed content’, you can dive a bit deeper and read the full story of the Chrome Security team on their blog.

If your website doesn’t have an SSL certificate to serve the site on HTTPS to begin with, then check out our Cloud Container servers that come with free SSL as standard. The rest is up to you.
