Page 50 - Payout Magazine Online Volume 10.01
Google Chrome To Start Blocking Mixed Content

Google is making good on its promise to favor websites with SSL, but a recent announcement from the search giant reveals how serious they are about improving the security and privacy of their users. Google's Chrome browser will now start blocking web assets on HTTPS pages when some of those assets are delivered via insecure HTTP connections.

What is Mixed Content?

There are two types of content delivered to web browsers: content served over a secure, encrypted HTTPS connection, and content served over an insecure HTTP connection. Content delivered via HTTPS is encrypted and cannot be intercepted and tampered with by hackers. It's for this reason that HTTPS is essential for websites dealing with private and sensitive information from their visitors.

Over the last few years, the web has steadily migrated towards the more secure HTTPS protocol. The Chrome browser now issues warnings to users that sites using only HTTP are insecure.

Mixed content is when a web page pulls in content from other sources that may not be secured by HTTPS. Some material is delivered via HTTP, and some finds its way via HTTPS. These pages are considered mixed content because the SSL protocol doesn't fully secure the page. Google states that mixed content degrades the level of security, privacy, and user experience its users can enjoy.

According to Google, mixed content weakens HTTPS.

“Requesting subresources using the insecure HTTP protocol weakens the security of the entire page, as these requests are vulnerable to man-in-the-middle attacks.” [* https://developers.google.com/web/fundamentals/security/prevent-mixed-content/what-is-mixed-content#mixed_content_weakens_https]

Google Chrome updates will eventually default to the new setting of blocking mixed content to help improve the user experience and increase their level of privacy and security.

Google has also stated that more users are spending 90% of their browsing time on secure sites.

“We’re now turning our attention to making sure that HTTPS configurations across the web are secure and up-to-date.”

How Mixed Content Affects Users’ Security

The current situation allows web pages to load web assets from both secure and insecure pages. The vulnerable assets open pathways for hackers to intercept the data and modify the code or switch out the content to whatever they like.

For example, if you are browsing a site with mixed content on a public Wi-Fi network, the web page could pull in a JavaScript file over HTTP. On an insecure connection, the code could be modified to do whatever the hacker wanted.

Most modern browsers are already defaulting to blocking the most dangerous type of content: iframes and scripts. However, there are other assets, such as video, audio, and images, which will usually load without any issues. Over time, a user’s security will be significantly diminished.

Web surfers will also receive confusing mixed messages about the page. Instead of being wholly secure or insecure, it will fit somewhere in between those extremes.

Even though the web was initially built on the HTTP protocol, it’s not a good idea to deliver mixed content in this way. Google, with its Chrome browser, is attempting to create a more secure internet for everyone by making it more challenging to deliver content using an outdated and insecure protocol.

Rolling out Mixed Content Blocking

To implement mixed content blocking, Google has embarked on a gradual rollout, with the next three planned Chrome releases employing different levels of blocking.

• Step 1

In December 2019, an additional setting, “Site Settings,” will be added to the menu system. Internet users will have the option to unblock mixed content, which has been blocked via Google Chrome’s default content blocking setting (including iframes and scripts).

When the user opts out of the blocking feature, the mixed content will continue to download as insecure assets. The locked icon will then be replaced with an insecure icon.

• Step 2

The Chrome update, Chrome 80, is planned for a January 2020 release and will begin auto-upgrading insecure assets such as video and audio files to the HTTPS standards. If these assets fail to load over HTTPS, then they will be blocked from downloading.
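
For site owners who want to find mixed content before Chrome acts on it, here is an added example (not from the article or from Google): a short Python audit that scans an HTTPS page's HTML for subresources requested over plain HTTP and groups them into the categories the article describes. The sample page, host names and category labels are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) -> category, following the article's description of Chrome.
SUBRESOURCES = {
    ("script", "src"): "blocked by default",
    ("iframe", "src"): "blocked by default",
    ("audio", "src"): "auto-upgraded in Chrome 80",
    ("video", "src"): "auto-upgraded in Chrome 80",
    ("img", "src"): "still loads",
}


class MixedContentAudit(HTMLParser):
    """Collect subresources an HTTPS page would request over plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        if urlsplit(page_url).scheme != "https":
            raise ValueError("mixed content only applies to HTTPS pages")
        self.page_url = page_url
        self.findings = []  # (category, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            category = SUBRESOURCES.get((tag, name))
            if category and value:
                # Resolve relative and protocol-relative URLs against the page.
                url = urljoin(self.page_url, value.strip())
                if urlsplit(url).scheme == "http":
                    self.findings.append((category, tag, url))


def audit(page_url, html):
    parser = MixedContentAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page; every host name is a placeholder.
SAMPLE = """
<script src="http://cdn.example.test/app.js"></script>
<img src="//img.example.test/logo.png">
<img src="http://img.example.test/banner.png">
<video src="http://media.example.test/intro.mp4"></video>
"""

if __name__ == "__main__":
    for category, tag, url in audit("https://shop.example.test/", SAMPLE):
        print(f"{category:27} <{tag}> {url}")
```

The protocol-relative image (//img.example.test/logo.png) is not reported because it inherits the page's HTTPS scheme; only the three explicit http:// references are.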