Google has recently announced that Chrome will block mixed content on web pages beginning December 2019. Starting with the Chrome 79 version, Google will gradually move to blocking all mixed content by default. Therefore, if your website has mixed content, it will be blocked and your users won’t be able to access it.
Everything from what mixed content is to how to identify/fix it can be found in the following lines.
The Google Security Team reports that Chrome users now spend more than 90% of their browsing time on HTTPS on both desktop and mobile. The plan to begin blocking mixed content is targeted at addressing insecure holes in SSL implementations of sites that have already made the switch to HTTPS. Here’s everything you need to know about it:
- What Is Mixed Content?
- Why Is Google Blocking Mixed Content?
- How Do You Detect Mixed Content?
- How Do You Fix Mixed Content Issue?
- Does Mixed Content Affect SEO?
What Is Mixed Content?
Mixed content occurs when a secure web page (a page loaded through HTTPS) contains resources like scripts, videos, images, etc. that are served through an insecure protocol (HTTP).
As you probably guessed it from the name, it’s called mixed content because both HTTP and HTTPS contents are loaded to display the same page, and the initial request was secure over HTTPS.
In the following lines we’ll let you know why HTTPS is a must. You already know, but as repetition is the mother of learning, we want to highlight that that Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP) and is used for secure communication over a computer network.
The main motivation for HTTPS is the authentication of the website being accessed and the protection of the privacy and integrity of the exchanged data while in transit.
Therefore, managing security risks is the key. Furthermore, you need to know that in HTTPS the communication protocol is encrypted using Secure Sockets Layers (SSL). And, to better understand the concept of mixed content resources or insecure content and why the “s” from the HTTPS makes such a big difference, let’s briefly go through SSL certificates.
What Are SSL Certificates?
SSL certificates are only used to confirm the identity of a website. These certificates are emitted and signed by certificate authorities with their private keys. Before getting a certificate from them, you must somehow confirm your identity and prove that you are the organization and website owner. Web browsers come packed up with a bunch of public keys from certificate authorities. They check if the certificates have been signed with the proper private keys, therefore confirming that their identity has been verified by a trusted authority and not by some random certificate generator. If the certificate is expired or not valid, a red warning will show up. These warning messages will definitely turn the user down.
By using an SSL Certificate, webmasters can improve the security of their websites and better protect their users’ information.
Taking one step further, you need to know that there are two types of mixed content: active and passive.
Active mixed content – the mixed active content is the type of content that is the most harmful. In this case, an attacker can take full control of your page or website and change anything about the page. They can steal passwords, login credentials, user cookies or redirect users to other sites, etc.
Passive mixed content – when it comes to passive content, an attacker can intercept an HTTP request (resources loading via http) for videos or images on your site and replace those images with whatever they want. They can also replace your product pictures or place ads for a totally different product.
Why Is Google Blocking Mixed Content?
Although Google confirmed in 2014 that it considers HTTPS a ranking factor, all the buzz started when Google released version 68 of the Chrome Web Browser in July 2018. In this version, websites that don’t run on HTTPS are marked as Not Secure.
As you can see in the screenshot above, the browser advises the user of that site not to disclose any passwords or credit cards.
The browser is advising potential customers not to perform any transaction on your site.
And that’s the last thing you want your user to see.
Yet, why mixing rum and cola makes a great cocktail but mixing HTTP and HTTPs is a big no-no?
There are many situations that can cause mixed content issues and many reasons why mixed content is harmful, lots of them highlighted by Google itself. Let’s focus on just a few important ones:
- Mixed content degrades the security and user experience of your HTTPS site.
Whether you like Google’s rules or not, you have to agree with this one: web security is more important than ever. And offering your users the comfort of security is not just a whim but a must.
Imagine that you’re navigating to your bank’s website. If it’s an HTTPS connection, your browser authenticates the website, thus preventing an attacker from impersonating your bank and stealing your login credentials. Also, when transferring money using your bank’s website, this prevents an attacker from changing the destination account number while your request is in transit.
One of the big advantages of HTTPS is that it lets the browser check that it has opened the correct website and hasn’t been redirected to a malicious site.
- Mixed content is confusing.
If a web page is using HTTPS, then all its resources should be pulled in via HTTPS as well. You’re somehow viewing a web page that’s both secure and not secure. It is like you bought a very good bicycle lock but you’re not using it every single time, just randomly, and at the end of the day you are surprised to see that your bike was stolen.
Let’s say that you’re on a secure web page and you stay assured that everything is OK as the webpage is on HTTPS. Yet, if that page has some insecure images (or other HTTP resources) and let’s say you’re on a public Wi-Fi network, you can get into lots of problems, from getting your keystrokes monitored to tracking cookies.
- Mixed content weakens HTTPS.
You might have heard before about the man-in-the-middle attack (MITM). In computer security, a man-in-the-middle attack is a type of attack where the attacker secretly relays and possibly alters the communications between two parties who believe they are directly communicating with each other. One example is when the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. It’s like eavesdropping, just that the stakes are much higher than the latest gossip from the office.
Therefore, requesting subresources using the insecure HTTP protocol weakens the security of the entire page, as these requests are vulnerable to man-in-the-middle attacks.
Running your site over HTTPS is not an option; it is a must. Not only is it more secure (everything is encrypted), but it also builds trust, is an SEO ranking factor, and provides more accurate referral data. Not to mention that the most important web browsers are blocking pages that are not considered secure.
These are just some of the many reasons why Google decided to block mixed content. This new update will break a big number of website and many, many businesses will lose big time.
Yet, there is hope: you can quickly detect if you have mixed content and you can also fix it. Keep on reading to find out how can you still make your site accessible to your users.
How Do You Detect Mixed Content?
The easiest possible way to see whether you have any mixed content error on your site is to run a Site Audit within cognitiveSEO. It is the easiest, safest and stress-free option you could take and it doesn’t imply any programming skills or developer guides to fix mixed content warnings. I mean, you find out if you have mixed content (+ many other issues ) on your site, with just a few clicks.
Just start an analysis of your site and the tool will automatically identify the mixed content issue. There is a section dedicated to this exact matter where you can see the not secure pages of any website and its insecure origins. No headaches, reliable and super simple to identify.
It couldn’t get much easier than this. Simply check the reported pages and start fixing them.
How Do You Fix Mixed Content Issue?
Once you find the insecure content, the resources being served over HTTP vs. HTTPS, you can start changing the URLs, by simply append HTTPS at the beginning.
Fixing the issue is often as simple as adding an “s” to links – http:// to https://.
Yet, before you do that, be sure that the HTTP resource is available over an HTTPS connection. To check this, simply copy – paste the HTTP URL into a new web browser, and change HTTP to HTTPS. If the resource (URL, image, video, etc.) is available over HTTPs, then you can start changing HTTP to HTTPS in your source code.
Mixed content is an issue that can be so easily identified and solved, but if ignored it can cause big problems, like your website being blocked by Google.
Once you solved the issue, go back to the Site Audit to make sure you didn’t miss any insecure content resource. The tool re-crawls your website periodically to spot any new changes, although you can always check particular issues only to see if they have been solved.
Does Mixed Content Affect SEO?
As we stated above, Google made it pretty clear that it values secure content and it considers it a ranking factor. It’s listed on their blog, out wide in the open.
The main reason is definitely security. If Google provides its users with better security, it provides better value and the users will be pleased. The fact that internet credit card fraud is on the rise definitely pushed Google into this direction.
Google has tested its results with HTTPS as a ranking signal and has seen positive results. It could also mean that webmasters who take security seriously might generally present better websites as they care about the users.
While there is no doubt that mixed content affects SEO (especially with the latest announcement from Google), before search engine optimization one has to think about user trust and user experience.
If you have mixed content, most of the modern browsers (like Mozilla Firefox, Google Chrome, etc) will display warnings about this type of content to indicate to the user that the page contains insecure resources. Due to the mixed content warning and insecure resources loading, most likely the user will leave your site, will mark you as a deceiving site and will browse websites that offer similar services and are secure. All your digital marketing and content strategies efforts will go down the drain with chrome blocking your http content.
So, the answer is yes, mixed content certainly impacts SEO, but more than that, it impacts your users’ trust and that’s something you can’t afford to lose.
We know it’s unlikely but yet, if you haven’t done it already and you want to switch from HTTP to HTTPS, check out this article for everything you need to know about it.