Google Chrome and the mystery of ‘mixed content’...

Google Chrome will soon start blocking 'mixed content'. In this article we will explain what 'mixed content' is and what to do about it.

Over the last few years, Google has been seriously promoting the use of HTTPS instead of HTTP. This has resulted in Chrome users now spending 90% of their browsing time on HTTPS on all major platforms. And now it is time for Google to take the next step: to eradicate ‘mixed content’.

You might wonder what ‘mixed content’ is and why it could be harmful, and that’s exactly why we wrote this article. So by the end, you’ll know what it is, how to detect it and what you can do about it.

Let’s start with what ‘mixed content’ is. It’s a combination of secure and non-secure content elements. So sometimes, when a website has a valid and working SSL certificate and uses a secure HTTPS connection, it is possible that some elements on that website, like scripts, iframes, images, or other linked content, are still served through an insecure HTTP connection. For example if you’ve hardcoded an image or video on a HTTP address instead of a HTTPS address.

Why is Google worried about this type of content?

There are a few reasons why Google (and all of us who care about security) want to get rid of ‘mixed content'. The main one is that content elements that are served through a non-secure HTTP connection, can put users at risk. They could be used by attackers to inject a tracking cookie into a mixed resource load. Non-secure elements can also be used by attackers to view, or modify, the communication between two parties. Using these non-secure elements, attackers can sometimes even take complete control over the website, and not just the compromised resource.

Another reason for Google to take ‘mixed content’ more seriously is that:
“Loading mixed content also leads to a confusing browser security UX, where the page is presented as neither secure nor insecure, but somewhere in between”.

Google isn’t implementing this new policy overnight.

Is this something completely new?

No, not really. For a while, Chrome and other browsers have been refusing to show a (green) padlock in the address bar if they found ‘mixed content’ on that page. They also already block certain types of ‘mixed content’, like scripts and iframes. But so far, images, audio, and video are still allowed to load over an HTTP connection. And that will change.

When will Google start with its new policy?

Google isn’t implementing this new policy overnight. They are taking a step by step approach and giving website owners enough time to fully migrate to HTTPS. The step by step approach will be as follows:

What does this mean for website owners?

This new policy means that website owners will have to migrate their HTTPS websites entirely to HTTPS, and not just the main domain. And they need to make sure their websites don't load any resources over HTTP anymore. This includes iframes, cookies, CSS files, JavaScript files, audio, video, and especially images.

How to find and fix ‘mixed content’?

To find out if your website contains ‘mixed content’, there are a few things you can do. First of all, check your address bar. If your website contains mixed items, there won’t be a (green) padlock or there will be a warning. To find out what the cause is for the ‘mixed content’ on your website, Google gives the following advice:

Still not 100% sure what to do?

I hope that we were able to demystify the subject of ‘mixed content’ sufficiently, but if you have any questions, or if you are still not completely sure if your website contains ‘mixed content’, you can dive a bit deeper and read the full story of the Chrome Security team on their blog.

If your website doesn’t have an SSL certificate to serve the site on HTTPS to begin with, then check out our Cloud Container servers that come with free SSL as standard. The rest is up to you.

Latest News

Occasionally we find time to write about what we've been working on, lessons we've learnt or just something interesting we have found.

News

Our new ICANN accreditation will shorten the domain supply chain

Deregulation and market concentration are reshaping the domain industry, so we're working to improve our position.

Read More
News

International domain prices are on the move

Because we’re being charged more by our providers, we are increasing some international domain prices from July 1.

Read More
News

Positive numbers from our first year of solar power

Now that our 384 solar panels have had their first trip around the sun, Quintin Russ explained to NZNOG how it all came together and how well the numbers stack up.

Read More

People Sharing The Love

People saying nice things about us is always great to hear, but when they say it publicly without us asking it's even better.

Sam McLeod @s_mcleod

@uiri00 @SwiftOnSecurity Can vouch for @sitehostnz - good bastards

The Book of Dave @Spudooli

Aside from the awesome hosting and spectacular service, @sitehostnz gives great Christmas loving. Thanks guys for the cake and stuff