From February 2020, Google will migrate non-secure “Mixed Content” to HTTPS in Chrome and will block all non-secure content by default - Are you prepared?

If you have an SSL certificate and your site loads non-secure Mixed Content, you should consider fixing it before February 2020.

Intending to improve user privacy further, Google announced on October 3, 2019, that it would migrate all non-secure "Mixed Content" to HTTPS and block non-secure content by default. In other words, users may not see some of your website content. If you are loading resources over insecure HTTP connections on a secure page, you should think about fixing them. This article elaborates on the announcement and covers the options you have in such cases.

What are Mixed Content, HTTPS and HTTP?

HTTP stands for HyperText Transfer Protocol. It is the protocol the web uses to transfer requested resources between web clients and a server. HTTPS is the secure version of HTTP. To encrypt communication between a web client and a server, you need HTTPS. One of the advantages of HTTPS is that it keeps data passed between clients and servers from being easily tampered with or read by malicious third parties.

We talk about mixed content when your HTML document is served over secure HTTPS but loads some of its resources over insecure HTTP connections. For example, if you install an SSL certificate on your website and you load some content, such as images, scripts or video, over an insecure connection, then your web page has non-secure mixed content.

What does blocking all non-secure content by default mean?

The statement above means that content loaded over a non-secure connection will not show in a user's browser unless he/she allows it. Chrome already did this for scripts and iframes. Google is just extending it to all types of resources, so you need to make some adjustments to your website.

For illustration, I intentionally changed the HTTPS of one of my JavaScript files to HTTP. You can see the error to your right. Additionally, you will see that the page stops loading content (because the data is crucial).

Timeline by Google to do all the changes

Below are some of the dates on which changes in how Chrome handles "mixed content" have occurred or are very likely to occur.

December 2019 (Last year)

Google has released Chrome 79 to the stable channel. There is a new setting to unblock mixed content on specific sites. As announced by Google, a user can now toggle the setting by clicking on the HTTPS lock. If you recall, it wasn't so before. Previously, there was a red shield icon at the right of the URL.

January 2020 (This month)

It will be the turn of audio and video resources (Chrome 80). Hence, if you have audio or video coming from a non-secure source, you will have to unlock the setting above.

Note that you can still load images in Chrome 80, but you will notice that your web page shows a "Not secure" notice.

February 2020 (Next month)

Any "Mixed Content" that you load will not show unless a user decides to activate the setting.

Consequences of those essential changes

In case you haven't figured it out, several consequences follow from that change. Below are some of them:

Effect 1: - Loss of traffic and visitors

Few people will want to stay on a website if they feel that the site is not secure. Even though the notice would not technically "hurt" a visitor, he/she may feel threatened and leave. As a consequence, you may notice a decrease in your number of visitors. We all know that the popularity of a web page also depends on the number of visitors and how long they stay.

Effect 2: - Some hidden content on your website

Unlike blocked JavaScript, whose absence is not necessarily visible, people will quickly notice some changes on your site. For instance, if a user doesn't allow your non-secure content to show, which is the default, what displays in its place will be empty spaces.

Many approaches to solving the "mixed content" issue

The source of "mixed content" could be:

  • An image on your site
  • Iframes or videos
  • Script or stylesheet
  • Any other links

As a website owner, you may or may not have enough information about where the file is referenced on your server. The source may be directly in your code or in third-party resources. Below are the options to fix the issue.

If the URL of the file is your website

You can locate the page template or the code that populates the page and change HTTP to HTTPS. For example, let's assume you have an image http://prositeweb.ca/images.jpg causing the "Mixed content" notice. To solve it, you will need to locate where the file is referenced and replace "http:" with "https:". In the end, you will have https://prositeweb.ca/images.jpg.

If the URL of the data is not your website

In this case, you will try to apply the above recommendation. Two things may happen: if the external site is secure, everything will be OK. However, if it is not a secure site, then you will still see the notice. In that case, I recommend either downloading the external file (if you have the right) or looking for an alternative.
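An added example (not code from the original article) covering the two cases above: it lists every subresource an HTML page loads over http://, upgrades the ones on your own host, and leaves third-party ones for manual review. The sample page, the host videos.example.net and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag attributes that trigger a subresource fetch (<a href> only navigates).
SUBRESOURCE_ATTRS = {
    "img": ("src",), "script": ("src",), "iframe": ("src",),
    "audio": ("src",), "video": ("src", "poster"), "source": ("src",),
    "link": ("href",),
}

class MixedContentScanner(HTMLParser):
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.findings = []  # (tag, url, "own" | "third-party")

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Only stylesheet <link>s are checked, not e.g. rel="canonical".
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for name in SUBRESOURCE_ATTRS.get(tag, ()):
            url = (attrs.get(name) or "").strip()
            parts = urlsplit(url)
            if parts.scheme.lower() == "http":
                host = (parts.hostname or "").lower()
                origin = "own" if host in self.own_hosts else "third-party"
                self.findings.append((tag, url, origin))

def scan(html, own_hosts):
    scanner = MixedContentScanner(own_hosts)
    scanner.feed(html)
    return scanner.findings

def upgrade_own(html, findings):
    """Rewrite only own-host URLs; third-party hosts may not serve HTTPS."""
    for _tag, url, origin in findings:
        if origin == "own":
            html = html.replace(url, "https" + url[4:])
    return html

# Constructed sample page; hosts other than prositeweb.ca are placeholders.
SAMPLE = """
<img src="http://prositeweb.ca/images.jpg">
<script src="https://prositeweb.ca/app.js"></script>
<iframe src="http://videos.example.net/embed/1"></iframe>
<link rel="stylesheet" href="http://prositeweb.ca/style.css">
<a href="http://example.org/">plain link, not a subresource</a>
"""
print(upgrade_own(SAMPLE, scan(SAMPLE, ["prositeweb.ca"])))
```

Scanning the upgraded page again should report only the third-party entries, which are the ones to check by hand or replace.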

Bulk changes on non-secure "mixed content"

If you are using a database to populate content on your site, all your mixed content may be directly in your database. In that case, you should run a query to apply the change to all the "http:" connections. The article "How to create a cookie-free domain" may guide you through the steps. Pay attention to "3. Update your SQL database with the following query", almost at the end of that article.

Get in touch with your third-party provider

Changing all the "http:" requests to "https:" may not be secure when you are dealing with third-party resources. For instance, if you use external software to display a vlog on your website through an iframe or API, and that software is not served securely, the change will not help. In that case, if you can, ask the provider for an SSL update. Otherwise, check if you can find another secure resource to fulfill the same function.

Conclusion

The article was all about a secure website loading non-secure "mixed content." Throughout the article, we have discussed what it means to have non-secure "mixed content." We also saw the approaches to solve the issue.

In case you have an issue with loading non-secure resources, and you didn't get an answer from this article, will you share your situation with us? We will be happy to help. 

If you love this article, you may be interested in this one: 

Seven tricks to reinforce the security of your web solutions based on my painful experience
