Nix to the mix: Chrome to block passive HTTP content swirled into HTTPS pages
Warns site owners: Images, audio, video will be barred in gradual process
Google has announced forthcoming changes to the Chrome web browser that will prevent image, audio and video content from loading if they are served over HTTP.
A typical web page includes content from multiple sources, and it is not really encrypted unless all the content is served over HTTPS. Chrome already blocks most HTTP content on HTTPS pages, including active content such as scripts and iframes, but allows media to load. Google admitted this is insecure, noting:
For example, an attacker could tamper with a mixed image of a stock chart to mislead investors, or inject a tracking cookie into a mixed resource load. Loading mixed content also leads to a confusing browser security UX, where the page is presented as neither secure nor insecure but somewhere in between.
Google also wrote here about the risks of even passive mixed content:
An attacker can intercept HTTP requests for images on your site and swap or replace these images; the attacker can swap the save and delete button images, causing your users to delete content without intending to; replace your product diagrams with lewd or pornographic content, defacing your site; or replace your product pictures with ads for a different site or product.
Even if the attacker doesn't alter the content of your site, you still have a large privacy issue where an attacker can track users using mixed content requests. The attacker can tell which pages a user visits and which products they view based on images or other resources that the browser loads.
Google plans a gradual process. Chrome 79, which will be fully released in December, will move the setting to unblock mixed content to Site Settings, in place of the current shield icon. Chrome 80, set for early release in January 2020 and full release around seven weeks later, will auto-upgrade HTTP links for video and audio to HTTPS – and block them if they do not load. Images will still load but will cause a "Not secure" tag to appear in the address bar. Chrome 81, set for early release in February 2020, will extend this to images.
This performance test shows only a small impact from moving to HTTPS
The fact that content is encrypted is no guarantee that it is not malicious, but does make it harder for attackers to intercept requests and tamper with the content.
The downside of HTTPS is that there is a performance penalty – but not a big one. The speed comparison test here shows only a small difference (less than 10 per cent) between HTTP and HTTPS, but a big difference when you step up to HTTP/2, which is more than 2.5 times faster in this test.
Google's message is in any case straightforward: you will have to move everything to HTTPS in order to avoid warnings in Chrome and search penalties. ®