Just days after Google’s plans to introduce controversial DNS over HTTPS (DoH) to Chrome hit the headlines, comes news of another HTTPS change that is set to hit the hundreds of millions using the world’s most popular browser. For Google this change is critical, completing the task of pushing websites to ensure all traffic is encrypted. For website developers, it means there is a cut-off date to make changes. For users, it means some content will be blocked—even on popular sites—as changes take place.
By Zak Doffman
The latest news comes with a warning—websites that have been dragging their feet in sorting out encryption settings are going to find themselves rejected by Chrome. At issue are those sites that only encrypt parts of their sites or pages, introducing security vulnerabilities despite seeming to have taken a good approach to security.
This so-called “mixed content” occurs when the website loads over a secure (HTTPS) connection, but some of the content within its pages loads over an insecure (HTTP) connection. This confuses users who think they’ve accessed a secure site, when in truth that isn’t entirely the case. And “confusing” users into taking risks is bad news.
Google has arguably done more than anyone else to push the web towards default encryption. “Chrome users,” the company says, “now spend over 90% of their browsing time on HTTPS on all major platforms. We’re now turning our attention to making sure that HTTPS configurations across the web are secure and up-to-date.”
Some of this mixed content is already blocked—especially where there’s a chance it may include scripts or calls that in themselves might be insecure. But rich media content has until now received an exemption. Not for much longer.
These exemptions still “threaten users’ privacy and security…