Nix to the mix: Chrome to block passive HTTP content swirled into HTTPS pages

Google has announced forthcoming changes to the Chrome web browser that will prevent image, audio and video content from loading if they are served over HTTP.

A typical web page includes content from multiple sources, and it is not really encrypted unless all the content is served over HTTPS. Chrome already blocks most HTTP content on HTTPS pages, including active content such as scripts and iframes, but allows media to load. Google admitted this is insecure, noting:

Google also wrote here about the risks of even passive mixed content:

Even if the attacker doesn't alter the content of your site, you still have a large privacy issue where an attacker can track users using mixed content requests. The attacker can tell which pages a user visits and which products they view based on images or other resources that the browser loads.

Google plans a gradual process. Chrome 79, which will be fully released in December, will move the setting to unblock mixed content into Site Settings, in place of the current shield icon. Chrome 80, set for early release in January 2020 and full release around seven weeks later, will auto-upgrade HTTP links for video and audio to HTTPS - and block them if they fail to load over HTTPS. Images will still load but will cause a "Not secure" tag to appear in the address bar. Chrome 81, set for early release in February 2020, will extend this auto-upgrade-or-block treatment to images.
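As an added illustration (not code from the article, from Google or from Chrome itself), the following Python script audits an HTML page for mixed content the way a site owner would before the changes above land: it separates active subresources (scripts, stylesheets, iframes) from passive media (images, audio, video), flags every absolute `http:` reference, and reports what each Chrome version in the announced rollout would do with it. The per-version outcome table is a model of the article's description only, and the sample page is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Subresource-fetching tags and the attribute that carries the URL.
# Active content can execute or restyle the page; passive media cannot, but a
# plaintext fetch still leaks which page the user is on and can be swapped.
ACTIVE_TAGS = {"script": "src", "iframe": "src", "link": "href", "object": "data"}
PASSIVE_TAGS = {"img": "src", "audio": "src", "video": "src", "source": "src"}

# Outcomes modelled on the rollout described in the article (assumption: the
# announced behaviour applies exactly per version and nothing else changes).
BLOCKED = "blocked (active mixed content)"
UPGRADED = "auto-upgraded to https:, blocked if the upgrade fails"
NOT_SECURE = "loads, address bar shows 'Not secure'"
LOADS = "loads"


class _SubresourceCollector(HTMLParser):
    """Collect (kind, url, category) for every subresource reference in a page."""

    def __init__(self):
        super().__init__()
        self.found = []
        self._media_parent = None  # innermost <audio>/<video>, for <source> children

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("audio", "video"):
            self._media_parent = tag
        if tag in ACTIVE_TAGS:
            # Only stylesheet <link>s are fetched as active content here;
            # other rel values (icon, preconnect, ...) are ignored.
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                return
            url = attrs.get(ACTIVE_TAGS[tag])
            if url:
                self.found.append((tag, url, "active"))
        elif tag in PASSIVE_TAGS:
            url = attrs.get(PASSIVE_TAGS[tag])
            if url:
                # <source> takes its kind from the enclosing media element;
                # outside <audio>/<video> it belongs to <picture>, i.e. an image.
                kind = (self._media_parent or "img") if tag == "source" else tag
                self.found.append((kind, url, "passive"))

    def handle_endtag(self, tag):
        if tag in ("audio", "video"):
            self._media_parent = None


def is_mixed(url):
    """An absolute http: URL on an https: page is mixed content. Relative URLs
    and protocol-relative ones (//host/path) inherit https: and are not."""
    return urlsplit(url).scheme.lower() == "http"


def upgrade(url):
    """Rewrite an http: URL to https:, as the auto-upgrade step does."""
    parts = urlsplit(url)
    return urlunsplit(("https",) + tuple(parts[1:]))


def chrome_outcome(kind, category, chrome_version):
    """What the modelled Chrome version does with one mixed-content fetch."""
    if category == "active":
        return BLOCKED  # already the case before Chrome 79
    if kind in ("audio", "video"):
        return UPGRADED if chrome_version >= 80 else LOADS
    if chrome_version >= 81:
        return UPGRADED
    if chrome_version >= 80:
        return NOT_SECURE
    return LOADS


def audit(html, chrome_version=80):
    """Return one finding per mixed-content reference, in document order."""
    collector = _SubresourceCollector()
    collector.feed(html)
    findings = []
    for kind, url, category in collector.found:
        if not is_mixed(url):
            continue
        findings.append({
            "kind": kind,
            "url": url,
            "category": category,
            "outcome": chrome_outcome(kind, category, chrome_version),
            "fix": upgrade(url),
        })
    return findings


# Constructed sample page served over https:; hostnames are placeholders.
SAMPLE_HTML = """<html><head>
<script src="http://cdn.example.test/app.js"></script>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
</head><body>
<img src="http://img.example.test/logo.png" alt="logo">
<img src="//img.example.test/hero.png" alt="hero">
<img src="/static/local.png" alt="local">
<video controls><source src="http://media.example.test/clip.mp4" type="video/mp4"></video>
<audio src="https://media.example.test/track.mp3"></audio>
</body></html>"""

if __name__ == "__main__":
    for version in (79, 80, 81):
        print(f"Chrome {version}:")
        for f in audit(SAMPLE_HTML, chrome_version=version):
            print(f"  {f['kind']:6} {f['url']}  ->  {f['outcome']}  (fix: {f['fix']})")
```

Only absolute `http:` URLs count: relative and protocol-relative references inherit the page's `https:` scheme, which is why the second and third images in the sample are not reported. The `fix` field is simply the same URL with the scheme rewritten, which is also what the auto-upgrade does; a resource that does not answer on 443 will be blocked rather than silently fall back, so the rewritten URLs should be checked before relying on the upgrade.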

The fact that content is encrypted is no guarantee that it is not malicious, but does make it harder for attackers to intercept requests and tamper with the content.

The downside of HTTPS is that there is a performance penalty - but not a big one. The speed comparison test here shows only a small difference (less than 10 per cent) between HTTP and HTTPS, but a big difference when you step up to HTTP/2, which is more than 2.5 times faster in this test.

Google's message is in any case straightforward: you will have to move everything to HTTPS in order to avoid warnings in Chrome and search penalties. ®
