Are there resources on your site that still load over the insecure HTTP protocol? If so, did you know that a hacker attack occurs every 39 seconds?
If there are resources or sub-resources loading over HTTP, your best bet right now is to move all of them to secure HTTPS. It may save you from costly data breaches.
Besides, from December 2019, such pages won’t load anymore. Google will block them by default, and your site visitors won’t see them again.
Read on to understand why and what to do regarding Mixed Content.
What Does Mixed Content on HTTPS Mean?
A Mixed Content warning, in this case, means that your site has secure pages that load via the recommended HTTPS protocol alongside linked content, scripts and files that load over the insecure HTTP protocol.
While internet users spend 90 percent of their time on HTTPS pages, mixed content such as iframes and scripts is a problem that troubles most websites. By default, browsers block most of it but leave out other sub-resources like videos and images.
You may not be aware of this, but the linked content and scripts pose a significant risk to your audience. According to Google, cyber criminals can manipulate these sub-resources to ‘hijack’ not only the resources themselves but also your web pages.
They, therefore, affect the user experience on your site and degrade your HTTPS website’s security.
To curb this, Google Chrome will only load secure HTTPS pages. It will also only load secure resources on HTTPS pages and block mixed content automatically.
This move to block mixed content will begin with the release of Chrome 79. Blocking mixed content by default can cause a lot of damage to websites, and to avoid this, Google will auto-upgrade all mixed content to secure HTTPS.
This means that if these sub-resources are also available over secure HTTPS, your site will still run and won’t go offline.
It’s also worth noting that, currently, Google Chrome can still load mixed content and iframes. You won’t see this with Chrome 79, Chrome 80 and other future releases.
From the beginning of December 2019, four significant changes are going to be put in place.
The Introduction of a User-Centered Security Filter
In an effort to improve the experience on your site, Google will not entirely block mixed content in Chrome 79. Instead, it will have a setting that allows the site visitor to permit mixed content to load if they wish.
Here is how it will work:
By default, Google Chrome will still block mixed content, including iframes and mixed scripts. Web users choose whether to view or dismiss the mixed content: they can disable the automatic block by clicking on the padlock icon usually displayed on HTTPS pages. After that, they click on Site settings and then proceed to unblock the mixed content resources that Chrome has blocked.
Once the switch is confirmed, the toggle icon will replace the shield icon, which indicates that mixed content is blocked.
Automated Upgrade of Sub-resources
Chrome 80 will automatically upgrade mixed video and audio resources on HTTPS pages. Here’s a twist, though.
If these mixed resources don’t load over HTTPS, Chrome will automatically block them. Even with this feature, web users will still be able to choose whether they wish to view or dismiss the mixed audio and video content on your site.
Mixed Images Will Still Load in Chrome 80
Chrome 80 will still allow mixed images to load. The only downside with this feature is that while the pages will load successfully, they’ll come with a ‘Not Secure’ warning in the Google Chrome Omnibox.
Now, while your audience will be able to view the images on your site, chances are high they won’t make purchases on the site. Some will even navigate away immediately, something that may result in high bounce rates on the site.
Auto Upgrade of Mixed Images
The auto-upgrade of mixed images will only be available by early February 2020, once Chrome 81 has been released. In Chrome 81, therefore, all mixed images will be upgraded automatically to the HTTPS protocol.
Nevertheless, if these images fail to load over secure HTTPS, Chrome will automatically block them too.
You never want to risk the security of your customers. You also don’t wish to get your pages hacked by internet crooks.
If you wish to avoid these breakages or unnecessary security warnings that would scare away your target audience, you should migrate all the mixed content on your site to HTTPS.
We also must acknowledge that spotting mixed content on your web pages isn’t simple. To avoid any guesswork, here are a few pointers that should help you migrate.
Check if Your Service Providers Can Help You
It’s advisable to contact your web hosting company, CMS, or CDN and ask if they have any tools that can help you debug mixed content on your web pages.
If you use WordPress as your Content Management System (CMS), there are a handful of plugins you can use to debug these issues.
A good example is the Really Simple SSL WordPress plugin. It’s a free plugin that will help you with debugging most SSL problems.
If you have a Secure Sockets Layer (SSL) certificate already installed on the site, the SSL Insecure Content Fixer WordPress plugin should also help debug the mixed content problems.
It will help you run a full scan of the site and then alert you if there are resources or sub-resources that you should fix.
Use Reliable Mixed Content Scanners
There are lots of mixed content scanners that can help you find the mixed content on your site. If you’re just getting started and have a slim budget, you may want to go with a free one.
One of the popular options that you could check out is the checker.
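To show what such a scanner looks for, here is a small static check added as an example (it is not code from this article or from any scanner it mentions). It parses a page's HTML, reports sub-resources requested over plain HTTP, and labels each with the Chrome treatment described above; the tag-to-category mapping, the choice to count only stylesheets among `link` elements, and the placeholder host names are assumptions of the example.

```python
from html.parser import HTMLParser

# Categories follow the rollout this article describes.
BLOCKED = "blocked by default"
MEDIA = "auto-upgraded in Chrome 80, blocked if the upgrade fails"
IMAGE = "'Not Secure' in Chrome 80, auto-upgraded in Chrome 81"
# Tag -> (URL attribute, category); this mapping is an assumption of the example.
SUBRESOURCES = {
    "script": ("src", BLOCKED), "iframe": ("src", BLOCKED),
    "link": ("href", BLOCKED),  # counted only when rel includes "stylesheet"
    "audio": ("src", MEDIA), "video": ("src", MEDIA),
    "img": ("src", IMAGE),
}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, url, category)

    def handle_starttag(self, tag, attrs):
        if tag not in SUBRESOURCES:
            return  # e.g. <a href="http://..."> is navigation, not a sub-resource
        attr, category = SUBRESOURCES[tag]
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" not in rel:
            return  # rel=canonical is a hint, not a loaded stylesheet
        url = (attrs.get(attr) or "").strip()
        if url.lower().startswith("http://"):
            self.findings.append((self.getpos()[0], tag, url, category))

def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; every host name is a placeholder.
SAMPLE_PAGE = """<link rel="canonical" href="http://shop.example/">
<link rel="stylesheet" href="http://cdn.example/site.css">
<script src="http://cdn.example/app.js"></script>
<a href="http://partner.example/">partner</a>
<img src="http://img.example/banner.png">
<img src="//img.example/logo.png">
<video src="http://media.example/intro.mp4"></video>
<iframe src="http://ads.example/frame.html"></iframe>"""

if __name__ == "__main__":
    for line, tag, url, category in scan(SAMPLE_PAGE):
        print(f"line {line}: <{tag}> {url} -> {category}")
```

A static check like this only sees URLs present in the markup; resources injected by scripts at runtime still need a browser-based scan.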
The security of your website starts with you. Abiding by the right security measures will not only help you increase sales but also make you stand out as a reputable brand in your niche.
As you gear up for these changes, one thing that you shouldn’t forget about is a Secure Sockets Layer (SSL) certificate. If you don’t have one yet, be sure to grab one early, so you secure your site and avoid unnecessary safety warnings on your pages.