Google’s HTTPS Everywhere Chrome Campaign Expands…
More Penalties for Websites Not Complying with New Google Chrome Standards
In 2017, Google rewarded those who moved to HTTPS with a boost in their Search rank. Then later, Google added warning alerts to the Chrome browser URL bar. Now, Google has plans to expand Chrome warnings even further.
For coming versions of the Chrome browser (beginning December 2019), Google plans to serve additional warnings to Chrome users if websites don’t adhere to its revised Best Practices. There are two areas that website owners should now pay extra attention to: web pages having mixed content and websites with slow load times.
First, a Backgrounder: What is the HTTPS Everywhere Crusade?
In 2014, the Electronic Frontier Foundation (EFF) and the Tor Project teamed up to publish the “HTTPS Everywhere” browser extension in an effort to help improve web security. Shortly thereafter, Google adopted the HTTPS Everywhere rallying cry and created incentives for website developers to integrate HTTPS/TLS.
I’ve written extensively on what HTTPS is and what type of security it provides. Refer to my original post on HTTPS, followed by this update. Bottom line, HTTPS prevents eavesdropping by unknown parties, protecting your website and your users from nefarious attacks.
For 2020, there are three major changes coming to Chrome. Two of these changes involve mixed content. The third is a new additional warning to be associated with slow loading websites.
So, here’s the meat and potatoes of what’s about to happen…
Google says it’s not you, it’s your Mixed Content…
The Chrome Browser Will Begin Censoring Web Pages having Mixed Content
What is Considered Web Page Content?
All of us view content when we visit a website: the written word, photos, videos, etc. What’s considered content includes those things and much more. Google’s definition of content also includes logos, image animations, sounds, scripts, CSS code, and more.
What is Mixed Content?
A web page is considered to have mixed content when the page loads both secure content over HTTPS and insecure content over HTTP. When mixed content loads, the page isn’t completely secure because a portion of it is loaded over HTTP (an insecure protocol). Loading just one insecure asset makes an entire web page insecure.
“Requesting subresources using the insecure HTTP protocol weakens the security of the entire page, as these requests are vulnerable to man-in-the-middle attacks, where an attacker eavesdrops on a network connection and views or modifies the communication between two parties. Using these resources, an attacker can often take complete control over the page, not just the compromised resource.
“Although many browsers report mixed content warnings to the user, by the time this happens, it is too late: the insecure requests have already been performed and the security of the page is compromised. This scenario is, unfortunately, quite common on the web, which is why browsers can’t just block all mixed requests without restricting the functionality of many sites.”
Why Mixed Content Persists
Mixed content isn’t unusual. It regularly shows up after a website is migrated from HTTP to HTTPS, or after posting a page with an embedded iframe that references HTTP resources.
Correcting mixed content
Depending on the size and age of a website, fixing mixed content can be quick and easy, or it can become a time-consuming, tedious process of combing through and manually correcting software code. It’s recommended that small businesses find an expert to undertake this task.
Google’s Plan to Employ Real-time Censoring of On-page Content
Chrome Browser will Censor Harmful Mixed Content On-the-fly as Web Pages Load
“In a series of steps starting in Chrome 79, Chrome will gradually move to blocking all mixed content by default. To minimize breakage, we will auto-upgrade mixed resources to https://, so sites will continue to work if their subresources are already available over https://.
“In Chrome 79, releasing to stable channel in December 2019, we’ll introduce a new setting to unblock mixed content on specific sites. This setting will apply to mixed scripts, iframes, and other types of content that Chrome currently blocks by default. Users can toggle this setting by clicking the lock icon on any https:// page and clicking Site Settings. This will replace the shield icon that shows up at the right side of the omnibox for unblocking mixed content in previous versions of desktop Chrome.
“In Chrome 80, mixed audio and video resources will be autoupgraded to https://, and Chrome will block them by default if they fail to load over https://. Chrome 80 will be released to early release channels in January 2020. Users can unblock affected audio and video resources with the setting described above.
“Also in Chrome 80, mixed images will still be allowed to load, but they will cause Chrome to show a “Not Secure” chip in the omnibox. We anticipate that this is a clearer security UI for users and that it will motivate websites to migrate their images to HTTPS. Developers can use the upgrade-insecure-requests or block-all-mixed-content Content Security Policy directives to avoid this warning.
“In Chrome 81, mixed images will be autoupgraded to https://, and Chrome will block them by default if they fail to load over https://. Chrome 81 will be released to early release channels in February 2020.”
Google says this censoring is all optional. Although the content blocking will be turned on by default in the Chrome browser, users will need to dig around in the settings area to turn it off. In reality, only developers and technicians are likely to ever turn off this option.
A “Not Secure” Notice Added to Mixed Content pages
As an added penalty, Google is extending the use of the “Not Secure” notice in Chrome’s URL bar. As of this writing, the “Not Secure” message is only shown in Chrome if HTTPS isn’t enabled. With the new ‘feature’, Chrome will present the ‘Not Secure’ warning when either the webpage loads over HTTP (HTTPS is completely missing) or there is mixed content on an HTTPS-loaded page.
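To make the mixed-content audit concrete, here is a small script (added for this post, not from Google or any project) that walks a page’s HTML, resolves every subresource reference against the page URL and reports those that resolve to http://, labelling each with the treatment Chrome 79 through 81 gives it per the rollout quoted above. The tag/attribute selection is assumed and not exhaustive, link hrefs are assumed to be fetched resources such as stylesheets, and the sample page is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attributes Chrome fetches as a subresource (a selection for this example, not exhaustive).
SUBRESOURCE_ATTRS = {"script": ("src",), "iframe": ("src",), "link": ("href",),
                     "img": ("src",), "audio": ("src",), "video": ("src", "poster")}
# How Chrome treats each kind of http:// subresource on an https:// page, per the rollout above.
TREATMENT = {
    "script": "blocked by default already", "iframe": "blocked by default already",
    "link": "blocked by default already",
    "audio": "auto-upgraded from Chrome 80, blocked if it fails over https://",
    "video": "auto-upgraded from Chrome 80, blocked if it fails over https://",
    "img": "'Not Secure' chip in Chrome 80, auto-upgraded then blocked from Chrome 81",
}

class MixedContentAuditor(HTMLParser):
    """Collects subresource references that resolve to http:// inside an https:// page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings = page_url, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in SUBRESOURCE_ATTRS.get(tag, ()):
            # Relative and protocol-relative ("//cdn...") references inherit the page's https
            # scheme, so only a reference that resolves to http:// counts as mixed content.
            absolute = urljoin(self.page_url, attrs.get(name) or "")
            if urlsplit(absolute).scheme == "http":
                self.findings.append({"tag": tag, "url": absolute, "treatment": TREATMENT[tag]})

def find_mixed_content(page_url, html):
    """Mixed-content findings for a page; a page served over plain http:// has none by definition."""
    if urlsplit(page_url).scheme != "https":
        return []
    auditor = MixedContentAuditor(page_url)
    auditor.feed(html)
    return auditor.findings

def auto_upgrade(url):
    """The rewrite Chrome's auto-upgrade applies: same host and path, scheme switched to https://."""
    return "https://" + url[len("http://"):] if url.startswith("http://") else url

# Constructed sample page (not a real site): one mixed script, one mixed image, and three
# references that are not mixed content (protocol-relative, relative, and already https://).
SAMPLE_HTML = """<html><head><script src="http://cdn.example.test/app.js"></script>
<link rel="stylesheet" href="//cdn.example.test/site.css"></head>
<body><img src="http://img.example.test/logo.png"><img src="/static/banner.png">
<iframe src="https://embed.example.test/widget"></iframe></body></html>"""
if __name__ == "__main__":
    for f in find_mixed_content("https://www.example.test/", SAMPLE_HTML):
        print(f"{f['tag']:<6} {f['url']}  ->  {f['treatment']}; would upgrade to {auto_upgrade(f['url'])}")
```

Once the references are corrected in the source, or to have the browser rewrite any stragglers itself, the `upgrade-insecure-requests` directive mentioned in Google’s announcement can be sent as a `Content-Security-Policy` header.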
Now, moving away from HTTPS and mixed content…
Google Plans to Assign Slow websites a Badge of Shame
Google Plans to Serve a Technical Quality Grade to Your Visitors.
Does your website load slowly? It had better not. On November 11th, 2019, Google’s Chromium team announced they’re pursuing the idea of warning visitors about chronically slow-loading websites. Information on what will be considered a ‘slow’ load time, or how load time would be measured, wasn’t released by Google.
No date has been set for rolling this out, but according to Google, this is what they’re looking to do:
“In the future, Chrome may identify sites that typically load fast or slow for users with clear badging. This may take a number of forms and we plan to experiment with different options, to determine which provides the most value to our users.
“Badging is intended to identify when sites are authored in a way that makes them slow generally, looking at historical load latencies. Further along, we may expand this to include identifying when a page is likely to be slow for a user based on their device and network conditions.
“Our plan to identify sites that are fast or slow will take place in gradual steps, based on increasingly stringent criteria. Our long-term goal is to define badging for high-quality experiences, which may include signals beyond just speed.”
For better or worse, Google is now the standard-bearer for acceptable load times. We should expect Google to release its best practices on website load times soon.
Prepare your Website
These actions from Google will certainly make the Internet more secure and improve the overall user experience. However, now is the time for website owners to audit their website’s HTTPS/TLS status and work on maintaining an acceptable load time. The last thing you’ll want is Chrome labeling your website as slow.
If your company needs to shore up their HTTPS, fix mixed content, or address slow loading pages, contact us. We undertake such projects.
NOTE: If you’re a client of My Internet Scout and currently under our monthly maintenance plan, you do not need to take any action. Our support team proactively looks for and acts to remedy issues discussed in this post. If your website isn’t covered by our maintenance plan, feel free to learn more about these services here.
Feature photo courtesy of Cayetano Gil
Not Secure and Slow Load Badge images courtesy of Google, Inc.