This month, Google Chrome began removing the unblocking option and blocking web pages with mixed content. Web pages that load securely through HTTPS but contain any resources, including images, videos and scripts which are served through an insecure HTTP protocol, will be affected. Chrome will mark sites as “Not Secure” if they are using TLS 1.0 or 1.1. and no lock icon will display for them, causing site visitors to see the page as a security risk and likely back out.
Mixed content blocking is not the only measure that Chrome is introducing. Due to be released in March, Google’s Chrome 81 will remove support for the legacy TLS protocol altogether. Any content not loading over HTTPS will be blocked and will not be viewable by visitors.
Overall, these measures are positive, as mixed content can weaken the security of a site, even if it loads via a secure connection. HTTPS uses SSL certificates to encrypt transmissions between the client and server, reducing the risk of cyberattack. However, it is vital that site owners not only take steps to install an SSL certificate on their site but to also ensure these security measures extend to their site content and mobile platforms.
Sites such as SSL Shopper make it easy to check if a site’s SSL certificate is valid. Screaming Frog can also be used to crawl sites and identify any 200 status code URLs loading HTTP resources.
Figure 1: Images loading through HTTP
To avoid being served with insecure content warnings and impacting your site traffic, make sure you take the time to monitor and update any mixed content as soon as possible, as these changes only signal the start of a serious crackdown on insecure content by big browsers.
Figure 2: Sensitive information hidden to protect site identity
For more information on the digital services we offer click here.