With every change Google makes to its browser and search engine, the purpose is to improve the browsing experience for internet users. This usually manifests in influencing sites to become more responsive, easy to use and secure. Google’s newest change fits within the realm of improving user security as the tech giant moves to more strictly enforce HTTPS connections on websites. By coming down harder on instances of HTTP content on secured HTTPS websites, Google isn’t leaving a stone unturned in regard to user security and site vulnerability. So, let’s take a look at how Google is treating mixed content in their newest updates and what you need to do to keep your site’s content from being blocked.
In a recent blog update, Google has announced that they’re cracking down on mixed content on HTTPS sites. But what exactly is mixed content?
To understand mixed content, you first need to have a grasp on HTTPS and HTTP content. Sites with an HTTPS connection are secure and encrypted, meaning that any data being transferred between a user’s computer and your site is protected. If content is using an HTTP connection, then it’s not secure or encrypted, meaning that sensitive data may be compromised.
Mixed content exists when a secured HTTPS site delivers insecure HTTP-sourced subresources, whether they be images, scripts, videos, audio or iFrames. This makes sites with mixed content not fully secure because, while the site itself is on a secure connection, the subresources it’s pulling from may be vulnerable to third-party attacks and infiltrations. For this reason, Google has started to both warn users about and block mixed HTTP content on websites to prevent any unwanted third-party infiltrations on an otherwise secured HTTPS site.
There are two main types of mixed content: passive mixed content and active mixed content.
The most dangerous type of mixed content is active, which includes scripts, iFrames, stylesheets, and Flash resources. Active mixed content is such a threat because the vulnerable assets can be intercepted by attackers who may rewrite the content and take full control of the web page. This means that attackers can change anything about the page, steal user data and redirect users to another site.
Passive mixed content, while still a security threat, is not as much of a threat as its active counterpart. Passive mixed content, which includes images, audio, and video, doesn’t interact with the rest of the page. Because this content is inherently restricted, an attacker is also restricted in what they can do if they gain access to those assets. But attackers can still be malicious with passive mixed content by replacing your site’s images with unwanted graphic images, defacing your site or placing ads on your product pictures.
It’s no secret that Google has long preferred to rank secured HTTPS sites on its SERPs (search engine result pages) over insecure sites on HTTP connections. This goes hand in hand with their continued efforts to keep users safe as they browse the internet by serving them sites that are fully secure, leaving no risk of compromising their private data in the process. Since Google is already punishing sites on HTTP with low ranking on SERPs and security warnings to users, it makes sense that they’re taking things a step further by blocking insecure files and assets within web pages themselves.
Google actually blocks mixed scripts and iFrames already in Chrome, symbolized by a shield icon in the address bar and a pop-up message that states insecure content has been blocked on the page. Currently, users are able to unblock mixed content if they choose by clicking “Load unsafe scripts” in the pop-up window. If a user agrees to unblock that mixed content, the web page will lose its padlock icon as it changes from secure to not secure.
Although Google already blocks some forms of mixed content, all forms will be blocked and/or auto-upgraded to HTTPS URLs in due time. But, good news for site owners: Google is slowly rolling out these changes in order to give webmasters and developers time to fully migrate their entire site from HTTP to HTTPS. Here’s the general timeline of changes that Google has announced:
Starting in December 2019 with Chrome 79, Google will be moving the toggle setting to unblock mixed content to the site settings menu of the browser.
In January 2020, Chrome 80 will introduce auto-upgrading of any HTTP video and audio files to HTTPS URLs. If those files fail to load under HTTPS, they will be blocked.
By February 2020, Chrome 81 will bring auto-upgrading to images that load over HTTP. If images fail to load over HTTPS, they will be blocked as well.
Since Google is giving web developers time to review and fix any HTTP mixed content issues on their site pages, now is the time to get started. If you ignore these changes, you risk important elements on your site breaking and becoming unavailable to users when Google starts blocking. There are two major things you need to do in order to ensure that your website is fully secured on HTTPS all the way through: enable an SSL certificate and locate any instances of mixed HTTP content. So, let’s dive deeper into how you can go about doing both.
If you haven’t made the move towards securing your site, then now’s the time. Having your site exist on a secured HTTPS connection is not only important for Google’s standards – most online customers will avoid eCommerce stores that lack HTTPS security for fear of their sensitive information being at risk. In fact, 85% of online shoppers avoid unsecured websites.
To secure your website and move it to HTTPS, you’ll need an SSL certificate. With an SSL certificate enabled on your site, users can send sensitive data to you without having to worry about it being compromised by a third party along the way. There are several different types of SSL certificates, including shared SSL, Domain Validation, Organization Validation, and Extended Domain Validation. Each type differs in price and trust levels, so be sure to do your research and choose the best eCommerce SSL certificate for your website.
Once your site has been moved to HTTPS, the task at hand is locating any potential mixed content on your pages. There are two main ways that you can do this: the manual way and the automatic way.
If your site has tons of pages, it’d be impossible to manually go through each one to determine if any have mixed content. Thankfully, there are quite a few online mixed content scanners that you can easily use to find mixed content on your site. Just a few of those tools are:
By using one of these scanner tools, you’ll find out exactly what pages may be marked as insecure or have blocked content by Google so that you can change those asset URLs to HTTPS.
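To show what such a scan looks for, here is an added example (not part of the original article and not taken from any of the scanner tools) that parses one page's HTML, flags subresources loaded over http://, and sorts them into the active and passive categories described earlier. The tag and attribute tables, the function names, and the sample markup with its placeholder hostnames are assumptions made for illustration.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs for the article's two categories.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href"),
          ("object", "data"), ("embed", "src")}  # object/embed cover Flash
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

# Constructed sample page; the hostnames are placeholders.
SAMPLE = """<link rel="stylesheet" href="http://cdn.example.test/site.css">
<link rel="canonical" href="http://shop.example.test/">
<script src="https://cdn.example.test/app.js"></script>
<script src="http://cdn.example.test/tracker.js"></script>
<a href="http://example.test/about">About</a>
<img src="http://img.example.test/product.jpg">
<video src="//media.example.test/demo.mp4"></video>
<iframe src="HTTP://widgets.example.test/chat"></iframe>"""

class MixedContentFinder(HTMLParser):
    """Collects http:// subresources as (kind, tag, url, line) tuples."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        rel = attrs.get("rel", "").lower().split()
        for name, value in attrs.items():
            url = value.strip()
            if not url.lower().startswith("http://"):
                continue  # https:// and scheme-relative URLs are fine
            if (tag, name) in ACTIVE:
                if tag == "link" and "stylesheet" not in rel:
                    continue  # e.g. rel=canonical is not a subresource load
                kind = "active"
            elif (tag, name) in PASSIVE:
                kind = "passive"
            else:
                continue  # e.g. <a href> is navigation, not a subresource
            self.findings.append((kind, tag, url, self.getpos()[0]))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.findings

if __name__ == "__main__":
    for kind, tag, url, line in find_mixed_content(SAMPLE):
        print(f"line {line}: {kind:7} <{tag}> {url}")
```

This only inspects tag attributes in static HTML; http:// URLs inside CSS `url()` values, `srcset` attributes, or requests made by scripts at runtime need a separate check.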
If your store is built with and runs on Shift4Shop, and you have a custom SSL enabled for your entire site, then default scripts and design elements should not be HTTP because they are made to work on both secure and non-secure modes. However, if your store has designs or scripts that either you’ve implemented yourself or had implemented by a third party, then you may need to ensure that those URLs are properly upgraded to secure HTTPS. For more information on moving your entire site to HTTPS, you can check out our knowledge base article.
As Google continues to work towards a safer internet experience for every user, web developers and site owners need to work harder to catch up and make sure that their content is up to snuff. Online attackers are becoming more and more creative each passing day, so it’s no surprise that tech companies like Google are constantly evolving to better protect their users. While it may seem like a tedious burden to have to reinforce the security of your website by checking for mixed content and avoiding blocking by Google, it’s a necessary measure to ensure the safety of both your data and your customers’ data.