Mixed-Content Security Part 1: Google's Upcoming Policy Change Explained

By Phase 3
October 23, 2019

Increased security on the internet has become more and more important as the proverbial “series of tubes” gets bigger and more complex.

In any community, the internet included, there can be bad apples. As the world continues to become more and more reliant upon the internet for brand awareness, user experience, education and business transactions, it is paramount that companies ensure that the visitors to their websites are safe.

 

In 2018, Google introduced a new policy that made sure website security was absolutely clear for internet users. To do this, Google notified users when a website was insecure.

 

A website URL can begin with http://, meaning Hypertext Transfer Protocol, or https://, meaning Hypertext Transfer Protocol Secure. Websites need to have that “S” in the URL to ensure data exchanged with that website is safe and secure. Google's 2018 policy meant that without the “S”, any website visitor would be notified that the website was “Not Secure.” The implementation of this new security feature was a tremendous success with the public, and other browsers quickly followed suit.

 

[Image: Example of Google's 2018 website security feature in Google Chrome]

 

Imagine going to a website to purchase an item or sign up for a newsletter and seeing “Not Secure” on your browser line. The new feature made every person think twice about inputting their sensitive information, and companies quickly experienced a change in conversions for both sales and subscribers.

 

In other words, Google’s policy change had a very real and immediate impact on the bottom line.

 

Now, Google is doing it again.

Since more sites have converted to https://, Google is taking the next step to ensure that the content on a website is secure as well. What does this mean?

 

When building a website, everything is built and stored on a server, and oftentimes, developers will use images from other sources. For example, a hypothetical, but secure hamburger aficionado blog (https://burgerlovers.com) wants to show images of a mediocre hamburger they ate for a review.

 

The blogger goes to the restaurant website and copies the URL for the image. The blogger then uses that URL to display the image of the somewhat dry, but palatable hamburger on their blog next to the 3.5 star out of 5 star rating. Everything works and the image displays as normal.

 

[Image: Copying the image address or URL from the right-click menu on a sesame seeded cheeseburger image]

 

However, the restaurant website (http://mehbergers.com) is not secure. I mean, they didn’t even spell burgers right. The key difference between these two websites is at the very beginning of the URL. The blog is secure, which we can tell because its URL starts with https://. The questionable hamburger restaurant website is not secure: its URL starts with http://.

 

[Image: Insecure image URL shown in the Mac Google Chrome navigation bar, an example of a website that is not secure]

 

But if the image displays correctly, why does it matter that the image comes from an insecure website?

 

While code that travels between your computer and the website server is the most vulnerable to being modified by someone in between, images or videos can also be tampered with to include malicious code.

Even if the code isn’t tampered with, the image data isn’t encrypted. Someone looking could see what it is you’re looking at. In our example, if you are reading the blog post on https://burgerlovers.com about the mediocre burger at Meh Bergers and someone is looking at the data going between your computer and https://burgerlovers.com, all of the other data may be encrypted but the snoop will still be able to see the picture you’re looking at.

 

This is a relatively minor issue to have (unless you’re the president of the Vegan Association of America), but what if you are an executive looking at a website regarding a potential business deal? Someone might be able to see the image you are viewing if the image is not secure.

 

Why is this important?

 

Starting in the next few months, Google will start blocking all insecure content.

This includes images, videos and code: any source that is not using https:// to deliver content to the browser. At first this feature will be opt-in, so Chrome users will have to turn it on to be protected. However, starting in early 2020, it will be opt-out, so all Chrome users will automatically experience this policy change unless they choose to turn the security feature off.

 

This is a big deal. Anyone using Chrome who visits a website with content that is not using https:// will only see blank spaces where images should be, unless they opt out. But who wants to opt out of a feature that keeps them safer in the age of identity theft?
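As an added example (not part of the original article), this Python sketch lists the subresources that an https:// page would request over http://, which is the content the Chrome change blocks. The page URL, image paths and sample HTML are constructed around the article's hypothetical burgerlovers.com and mehbergers.com sites.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Common attributes that make the browser fetch a subresource.
# Plain <a href> links are navigation, not page content, so they are not listed.
FETCH_ATTRS = {
    "img": ["src"], "video": ["src", "poster"], "audio": ["src"],
    "source": ["src"], "script": ["src"], "iframe": ["src"],
}

class MixedContentFinder(HTMLParser):
    """Collects subresources an HTTPS page would load over plain http://."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, attribute, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in FETCH_ATTRS.get(tag, []):
            value = attrs.get(name)
            if not value:
                continue
            # Resolve relative and protocol-relative (//host/x) references
            # against the page URL, as a browser does.
            absolute = urljoin(self.page_url, value.strip())
            if urlsplit(absolute).scheme == "http":
                self.findings.append((tag, name, absolute))

def find_mixed_content(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on pages served over HTTPS
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample page using the article's hypothetical sites.
SAMPLE_HTML = """
<h1>Meh Bergers review: 3.5 / 5</h1>
<img src="http://mehbergers.com/images/cheeseburger.jpg" alt="cheeseburger">
<img src="//burgerlovers.com/images/logo.png" alt="logo">
<a href="http://mehbergers.com/">Visit the restaurant</a>
<script src="https://burgerlovers.com/js/comments.js"></script>
"""

if __name__ == "__main__":
    page = "https://burgerlovers.com/reviews/meh"  # constructed URL
    for tag, attr, url in find_mixed_content(page, SAMPLE_HTML):
        print(f"insecure <{tag} {attr}>: {url}")
```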

 

While this only affects Chrome users at first, just like the earlier security feature introduced by Chrome, other browsers will likely adopt this practice soon.

 

The good news is that resolving this issue is fairly straightforward. In Part II of this article, we’ll get into solutions to avoid any problems once this change takes effect.

 

 

Sources: 

https://wptavern.com/google-chrome-announces-rollout-plan-for-blocking-mixed-content-beginning-january-2020
https://www.blog.google/products/chrome/milestone-chrome-security-marking-http-not-secure/ 
https://www.cloudflare.com/learning/ssl/what-is-https/ 
https://www.howtogeek.com/443032/what-is-mixed-content-and-why-is-chrome-blocking-it/