Chrome will begin blocking unsecured content on sites in December 2019.
Here comes the science…
Most websites now operate through SSL (which stands for Secure Sockets Layer) a networking protocol that was designed to protect the connection between web clients and servers.
Using a combination of cryptographical functions and the transmission of a digital certificate via a secure session, the connection between browser and website is protected from external intrusion.
Clear as mud? Probably, but all we need to know is; if the padlock icon appears next to the address in our browser, we can browse the web without worrying that our data could be swiped by any devious individuals.
Okay, so your website has an SSL and you’re good to go, right? Almost. If you don’t see the padlock next to your website, it means that your site is probably serving ‘mixed content’. (Great, more arcane terminology!)
What is ‘Mixed Content’?
Mixed content means that a resource (a script, font, video or photo of a cat) is being loaded from outside the website (i.e. from a different website). This is, of course, completely unsecured and opens both your site and your visitors to all kinds of potential security problems.
It’s for this reason that Google has recently announced that, as of December 2019, its browser; Chrome, will combat the problem in two ways:
- If a resource is called via HTTP, but is available via HTTPS, it will automatically switch to HTTPS to load it. (Sounds great!)
- If a resource isn’t available via HTTPS, it will be blocked and the user will need to use a new ‘toggle’ feature to allow it to load. (Sounds awful!)
Imagine a visitor landing on your product page and being faced with a message about ‘images blocked due to unsecured protocol’ or similar. It’s easy to then imagine that user rushing to the ‘back’ button with all speed.
“Mixed content degrades the security and user experience of your HTTPS site.…Using these resources, an attacker can often take complete control over the page, not just the compromised resource.”
From Google’s ‘Chromium Blog’ at: https://blog.chromium.org/2019/10/no-more-mixed-messages-about-https.html
So, what do I do about it?
Don’t worry. Getting an SSL is straight-forward nowadays and the process of removing calls to unsecured content isn’t too complicated either.
The website ‘jitbit.com’ has a handy-dandy SSL checker, which will quickly determine whether your site needs attention: https://www.jitbit.com/sslcheck/ This tests up to 400 pages of a website, which is more than enough for most folks.
It’s important that you take action before this update, because your visitors are likely to look elsewhere if faced with a security warning (Plus, Google already penalises unsecured websites in search engine results).