February 2020: Expect to See Blocked HTTP Content on Secure Sites
In a previous blog article, we highlighted the importance of using an SSL, or Secure Sockets Layer, certificate on your web pages. When a website is secured by an SSL certificate, HTTPS (Hypertext Transfer Protocol Secure) appears in the URL, indicating that an encrypted connection is enabled. As the blog cites, there are significant advantages in implementing an SSL certificate, such as improved visitor trust and better search engine results.
In July 2018, Google began flagging all unencrypted (no SSL in place) sites as “not secure.” This push to embrace HTTPS encryption was part of a larger strategy to improve user safety and privacy while browsing in Chrome. Since then, Google has continued to make strides in strengthening user protection measures within the web application. More recently, Google published an announcement in their security blog entitled, “No More Mixed Messages about HTTPS.” In a gradual series of steps that launched in December 2019, Google has begun to block “mixed content” (a topic we’ll explore shortly) by default. While this move will help improve user confidentiality and security, content on your site may be at risk of being blocked if your encryption settings aren’t up to the web giant’s standards.
Why is Google Making this Move?
Over the years, the web has made significant progress in transitioning to HTTPS. According to Google, Chrome users now spend over 90% of their browsing time on HTTPS on all major platforms. However, even if a user has established a secure HTTPS connection on a site, other resources can still load on that site over an insecure HTTP connection.
These resources are referred to as “mixed content”, and they exist in the form of images, audio, video, scripts, and iframes. While browsers may block some types of mixed content by default (scripts and iframes), other content (images, audio, and video) may still appear on the page, thus posing a security threat to users. Mixed content can also unnecessarily complicate the browsing experience by presenting the user with a website that is neither completely secure nor insecure, but rather somewhere in-between.
In a series of stages, Google has begun to gradually auto-upgrade various forms of mixed content to https://. The last stage is scheduled for February 2020, wherein all mixed images on your site will be automatically upgraded to https://. If these images fail to load over https://, Chrome will block them by default, and they will not appear on your site.
How Does This Apply to Me?
While there are many different scenarios in which your content may be blocked or adversely affected by Google’s new protocol, we’re breaking it down to a few relevant examples that may very well impact your business in the coming months:
- Linking to Insecure Images from Other Sites
If you have a blog, news feed, or other page on your website that pulls images directly from other sites on the web, your content may be at risk of being blocked come February. If the external page from which the image originates is served over http:// rather than https://, Google might flag this mixed content as posing a security threat and subsequently prevent it from appearing on your site.
- Only Certain Pages on Your Site are Secured
You may also run into an issue with blocked content if only some pages on your site are secured by HTTPS, while others are not. For example – if you sell items directly from your website or support a donation collection form on your website, that page is (we hope!) secured since there is a financial transaction involved. However, the security certificate on this transactional page does not automatically extend to the other pages on your site. This brings back an earlier statement – your site could fall somewhere in between being secure and insecure.
How Can I Prepare for These Changes?
To avoid warnings, blocked content, and site breakage, all mixed content on your website should be migrated to https:// as soon as possible if it’s not already securely hosted. By moving these assets to more secure pages, you’re not only increasing the authenticity of your website, but you’re also providing users with a safer, less confusing browsing experience on your site. Additionally, by upgrading sooner rather than later, you’ll avoid the headache of Google auto-blocking content on your site that it deems insecure. Google suggests using Lighthouse’s mixed content audit to discover and fix mixed content on your website. However, a word of warning – the audit process is relatively developer-heavy, and we only recommend proceeding if you have web-development experience.
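As a lighter first pass before a full audit, the sketch below lists the http:// resources an https:// page references and sorts them into the two groups described above. It is an added example, not code from this article, Google, or Lighthouse; the function and class names and the sample hosts are hypothetical, and it only inspects `src` attributes in static HTML.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Per the article: scripts and iframes are blocked by default; images, audio
# and video still load today and are the types Chrome auto-upgrades.
BLOCKED_BY_DEFAULT = {"script", "iframe"}
AUTO_UPGRADE = {"img", "audio", "video", "source"}  # <source> feeds audio/video


class MixedContentFinder(HTMLParser):
    """Collects subresources that a secure page loads over plain http://."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, absolute_url, category)

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag not in BLOCKED_BY_DEFAULT | AUTO_UPGRADE or not src:
            return
        # Resolve relative and protocol-relative URLs against the page, so
        # "/logo.png" and "//cdn.example.net/x.js" inherit the page's https.
        absolute = urljoin(self.page_url, src.strip())
        if urlsplit(absolute).scheme == "http":
            category = "blocked-by-default" if tag in BLOCKED_BY_DEFAULT else "auto-upgrade"
            self.findings.append((tag, absolute, category))


def find_mixed_content(page_url, html):
    """Return http:// subresources of an https:// page (empty for http pages)."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on pages served over HTTPS
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings


# Constructed sample page (hypothetical hosts), not taken from any real site.
SAMPLE_HTML = """
<img src="http://images.example.org/banner.jpg">
<img src="/static/logo.png">
<script src="http://cdn.example.net/widget.js"></script>
<script src="//cdn.example.net/safe.js"></script>
<iframe src="http://forms.example.com/donate"></iframe>
"""

if __name__ == "__main__":
    for tag, url, category in find_mixed_content("https://www.example.com/blog/", SAMPLE_HTML):
        print(f"{category:18} <{tag}> {url}")
```

Resources in the auto-upgrade group only keep appearing if the same URL also answers over https://, so each one still needs to be checked on its host or moved.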
Are you worried about your content being blocked on Chrome, but don’t know where to start? The web experts at Envision can help. Contact our Digital Innovation and Design team today to learn how we can help you migrate your insecure content before February 2020.