Google Chrome is against HTTP and will block “mixed” content

Security is a basic requirement for the Internet. Google keeps raising its security requirements; in particular, it continues to deliberately steer the web away from the less secure HTTP protocol and to create more favorable conditions for the adoption of HTTPS.

Back in 2015, the search giant introduced priority for HTTPS pages in search result ranking. Later, with the update of Chrome to version 68, pages served over HTTP began to be marked as unsafe. Now Google is introducing complete blocking in the Chrome browser of any mixed content, meaning individual elements on HTTPS pages that are loaded insecurely over HTTP.

The announcement posted on Chromium's official blog notes that popular browsers currently block only certain types of mixed content (scripts and iframes). However, images, video and audio can still be loaded, which poses a security risk. Google developers give an example of how an attack using faked images could work: if the appearance of a financial chart is altered, a broker or trader may make the wrong decision. In addition, a tracking cookie may be added to the content.

Loading mixed content also confuses the security system, which sees a page that is neither secure nor insecure. To resolve the problem created by "mixed" content, Google decided that Chrome will move to blocking all such content completely. The process will take place gradually, in several stages.

The next version, Chrome 79, will be released in December 2019. It introduces an option to unblock, on specific sites, mixed content that is currently blocked automatically (mixed scripts and iframes). To use it, open the pop-up menu by clicking the lock icon and change the setting in the "Site Settings" section.

Next, in Chrome 80, which is expected by January 2020, the browser will block audio and video that cannot be loaded over HTTPS. A manual unblock will also be available in this case, similar to the one described for version 79. If mixed images are loaded, a warning about a possible security violation will appear in the address bar (Omnibox).

All the measures Google has applied in recent years to displace less secure content served over HTTP have already brought certain benefits. According to company employees, about 90% of the content currently viewed through Chrome uses the HTTPS protocol.

Version 81 of Chrome, expected by February 2020, will go on to block images loaded over HTTP as well.
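As an added example (not code from the Chromium post or from this article), the Python audit below lists the subresources an HTTPS page would fetch over plain HTTP and tags each with the rollout stage from the timeline above. The page URL, the hosts under `example.test` and the sample markup are constructed, and only `src` attributes are checked.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Rollout stage per element type, following the timeline in the article.
ACTIVE = "already blocked; per-site unblock from Chrome 79"
MEDIA = "blocked from Chrome 80 unless loadable over HTTPS"
STAGE = {"script": ACTIVE, "iframe": ACTIVE, "audio": MEDIA, "video": MEDIA,
         "img": "Omnibox warning in Chrome 80; blocked from Chrome 81"}

class MixedContentAuditor(HTMLParser):
    """Collects subresources an HTTPS page would fetch over plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.media = None    # enclosing <audio>/<video>, used for <source>
        self.findings = []   # (element kind, absolute URL, stage)

    def handle_starttag(self, tag, attrs):
        if tag in ("audio", "video"):
            self.media = tag
        kind = self.media if tag == "source" else tag
        src = dict(attrs).get("src") if kind in STAGE else None
        if not src:
            return
        # Resolve relative and protocol-relative URLs against the page URL.
        url = urljoin(self.page_url, src.strip())
        if urlparse(url).scheme == "http":
            self.findings.append((kind, url, STAGE[kind]))

    def handle_endtag(self, tag):
        if tag == self.media:
            self.media = None

def audit(page_url, html):
    if urlparse(page_url).scheme != "https":
        return []  # mixed content only exists on HTTPS pages
    auditor = MixedContentAuditor(page_url)
    auditor.feed(html)
    return auditor.findings

# Constructed sample page (hypothetical hosts under example.test).
SAMPLE = """<script src="http://cdn.example.test/app.js"></script>
<img src="http://static.example.test/chart.png">
<img src="//static.example.test/logo.png">
<video><source src="http://media.example.test/clip.mp4"></video>"""

if __name__ == "__main__":
    for kind, url, stage in audit("https://shop.example.test/", SAMPLE):
        print(f"{kind:6} {url} -> {stage}")
```

The protocol-relative image is not reported because it inherits the page's HTTPS scheme; the other three resources are the ones to move to HTTPS before the corresponding Chrome release.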

Source: chromium