Over the last few years, Google has been seriously promoting the use of HTTPS instead of HTTP. This has resulted in Chrome users now spending 90% of their browsing time on HTTPS on all major platforms. And now it is time for Google to take the next step: to eradicate ‘mixed content’.
You might wonder what ‘mixed content’ is and why it could be harmful, and that’s exactly why we wrote this article. So by the end, you’ll know what it is, how to detect it and what you can do about it.
Let’s start with what ‘mixed content’ is. It’s a combination of secure and non-secure content elements. Sometimes, even when a website has a valid and working SSL certificate and is served over a secure HTTPS connection, some elements on that page, like scripts, iframes, images, or other linked content, are still loaded over an insecure HTTP connection. A typical example is an image or video whose address has been hardcoded with an HTTP URL instead of an HTTPS one.
Why is Google worried about this type of content?
There are a few reasons why Google (and all of us who care about security) want to get rid of ‘mixed content’. The main one is that content elements served through a non-secure HTTP connection can put users at risk. They could be used by attackers to inject a tracking cookie into a mixed resource load. Non-secure elements can also be used by attackers to view, or modify, the communication between two parties. Using these non-secure elements, attackers can sometimes even take complete control over the website, and not just the compromised resource.
Another reason for Google to take ‘mixed content’ more seriously is that:
Loading mixed content also leads to a confusing browser security UX, where the page is presented as neither secure nor insecure, but somewhere in between.
Is this something completely new?
No, not really. For a while, Chrome and other browsers have been refusing to show a (green) padlock in the address bar if they found ‘mixed content’ on that page. They also already block certain types of ‘mixed content’, like scripts and iframes. But so far, images, audio, and video are still allowed to load over an HTTP connection. And that will change.
When will Google start with its new policy?
Google isn’t implementing this new policy overnight. They are taking a step by step approach and giving website owners enough time to fully migrate to HTTPS. The step by step approach will be as follows:
With the introduction of Chrome 79 in December 2019, users will get the option to unblock ‘mixed content’ on specific sites. This setting will apply to mixed scripts, iframes, and other types of content that Chrome currently blocks by default.
Then in January 2020, with the introduction of Chrome 80, mixed audio and video resources will be automatically upgraded to HTTPS, and Chrome will block them by default if they fail to load over HTTPS. Mixed images will still be allowed to load, but the page will be marked ‘Not Secure’.
And finally, in February of 2020, Chrome 81 will auto-upgrade mixed images to HTTPS and block all ‘mixed content’ by default if they fail to load over HTTPS.
What does this mean for website owners?
This new policy means that website owners will have to migrate their websites entirely to HTTPS, and not just the main domain. They need to make sure their websites don’t load any resources over HTTP anymore. This includes iframes, cookies, CSS files, JavaScript files, audio, video, and especially images.
How to find and fix ‘mixed content’?
To find out if your website contains ‘mixed content’, there are a few things you can do. First of all, check your address bar. If your website contains mixed items, there won’t be a (green) padlock or there will be a warning. To find out what the cause is for the ‘mixed content’ on your website, Google gives the following advice:
Use Content Security Policy and Lighthouse’s ‘mixed content’ audit to discover and fix ‘mixed content’ on your site.
See this guide for general advice on migrating servers to HTTPS.
Check with your CDN (Content Delivery Network), web host, or content management system, to see if they have special tools for debugging ‘mixed content’. For example, Cloudflare offers a tool to rewrite ‘mixed content’ to HTTPS, and WordPress plugins are available as well.
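To make the detection step concrete, here is an added example (not from the original article, and not Google's or Lighthouse's own tooling): a small offline scanner that parses a page's HTML and lists every subresource referenced over plain HTTP, labelling it with the category the article describes. The sample page and its hostnames are constructed for the demonstration.

```python
# Added example, not code from the original article: an offline scanner that lists
# the subresources a page would load over plain HTTP, i.e. mixed-content candidates.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
# Attributes that trigger a subresource load; <a href> is navigation, not mixed content.
LOAD_ATTRS = {
    "script": ("src",), "iframe": ("src",), "img": ("src",), "audio": ("src",),
    "video": ("src", "poster"), "source": ("src",), "link": ("href",),
}
# Kinds Chrome already blocks; images, audio and video are the auto-upgrade targets.
BLOCKED_TODAY = {"script", "iframe", "link"}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, absolute_url, kind)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or ""):
            return  # only stylesheet <link>s fetch a resource relevant here
        for name in LOAD_ATTRS.get(tag, ()):
            raw = attrs.get(name)
            if not raw:
                continue
            url = urljoin(self.page_url, raw)  # resolves relative and "//host/" forms
            if urlsplit(url).scheme == "http":
                kind = "blocked" if tag in BLOCKED_TODAY else "auto-upgraded"
                self.findings.append((tag, url, kind))

def find_mixed_content(html, page_url="https://example.com/"):
    """Return (tag, url, kind) for every subresource referenced over http://."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed sample page; the hostnames are placeholders.
SAMPLE = """
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<img src="http://img.example.com/hero.jpg">
<img src="//cdn.example.com/logo.png">
<script src="http://cdn.example.com/app.js"></script>
<a href="http://other.example.com/">navigation link, not mixed content</a>
<video poster="/local.jpg"><source src="http://media.example.com/clip.mp4"></video>
"""

if __name__ == "__main__":
    for tag, url, kind in find_mixed_content(SAMPLE):
        print(f"{kind:13} <{tag}> {url}")
```

Protocol-relative (`//host/…`) and root-relative (`/…`) references inherit the page's HTTPS scheme and are correctly not reported; rewriting the hardcoded `http://` references to `https://` (or protocol-relative form) is the fix.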
Still not 100% sure what to do?
We hope that we were able to demystify the subject of ‘mixed content’ sufficiently, but if you have any questions, or if you are still not completely sure whether your website contains ‘mixed content’, you can dive a bit deeper and read the full story from the Chrome Security team on their blog.
If your website doesn’t have an SSL certificate to serve the site on HTTPS to begin with, then check out our Cloud Container servers that come with free SSL as standard. The rest is up to you.