Chrome Bans Mixed Content: Make Sure Your Site Is Safe
Google has announced that its Chrome browser will soon begin blocking mixed content on web pages – this being scripts, images, audio, video and other content served by the insecure HTTP protocol on HTTPS pages.
- Last year, Chrome started to mark pages with insecure HTTP elements as 'not secure.'
- With the launch of Chrome 79 in December, users will be alerted if an HTTPS page has insecure HTTP resources and given the option to decide whether or not to display these elements.
- From February 2020 and the launch of Chrome 81, these alerts will no longer be served and Chrome will automatically block mixed content.
If some of your website resources are loaded using HTTP, now is the time to upgrade to HTTPS or risk a sharp drop-off in traffic.
Why is mixed content being blocked?
Google has been pushing HTTPS – websites with an added SSL certificate – in its search engine and browser for years to encourage adoption of the more secure protocol.
Google announced that HTTPS was a "lightweight" ranking factor in 2014, giving a slight SEO boost to secure pages. Meanwhile, Chrome has pushed developers to upgrade their sites by serving warnings to users in the address bar when non-secure content is present, making these sites appear untrustworthy.
Even if you have a secure HTTPS site, it could still feature some insecure HTTP resources – most often images, audio and video. These elements are vulnerable to attacks from hackers, who may alter the content or place tracking cookies and other malicious code to threaten site visitors. Unsecured resources can also be used as a backdoor to give hackers control of the whole page.
How will this affect my site?
If your HTTPS site contains HTTP resources, this should already be flagged up when you load your pages on Chrome. From December, these warnings will escalate until non-HTTPS resources are blocked altogether beginning in February. This could mean losing images, video and other vital page elements.
If visitors are warned that your site isn't safe, they may not choose to proceed. Broken page elements could also prevent users from viewing and navigating your site properly, impacting on sales and ad views.
How do I upgrade to HTTPS?
As a site owner, there are several ways to make sure your websites comply and avoid problems.
- Autoupgrade – starting from the release of Chrome 80 in January, the browser will try to upgrade HTTP elements to HTTPS automatically. If this is successful, these resources will load normally and your pages will be considered secure.
- Manual upgrade – if autoupgrade isn't successful, HTTP resources will be flagged and eventually blocked altogether, starting with Chrome 81 from February. You'll need to replace all HTTP resources manually. These can be identified using an auditing tool such as Google's Lighthouse.
- Contact your web host or CMS to find out if they can help you upgrade your website.
Google's push to HTTPS may be a hassle for site owners, but with cyberattacks now being one of the major threats to businesses of all sizes, making your site as secure as possible will lower the risks to your business and your customers, as well as keeping you on Google's good side.
If you need help upgrading your website to HTTPS or you want to create a new, secure website, contact Quantum today to find out how we can help your business.