Apologies for the long article. This is a complicated topic. Here is a synopsis:
- Google Chrome and other web browsers are taking steps to not display some HTTP content.
- This could cost you some website traffic and therefore cost you sales.
- It sounds bad but in the long run it is a good thing.
- It is relatively easy and affordable to fix without disruption to your web traffic.
- Webquarry can help you with it. Just open a ticket, mention this article, and ask us to help.
DIY or curious? Please keep reading.
Actually, it isn’t just Google. Their browser (Chrome) already blocks some “mixed content”, as do most other web browsers. What is changing, according to Google’s announcement, is that they are going to get much more serious and block far more mixed content by default. In addition, all the other web browsers will be following suit.
As we have stated in a previous post, Google is already tightening up on websites that do not have SSL encryption. SSL encryption is a great way to show that you are serious about protecting your visitors’ data and web surfing habits as they use more and more public networks to connect to websites.
What is Mixed Content?
There are two primary ways of delivering content from your web server to your visitor’s web browser. The best way is via SSL-encrypted connections (HTTPS) and the other is via the older unencrypted connections, also known as clear text (HTTP).
The web is moving toward using the more secure HTTPS connections. This is a good thing since more and more people are connecting to your website via unsecured public networks and risk exposing their activities to anyone listening on those networks. Such exposure could include usernames, passwords, their browsing activity, etc. There is even a chance that data could be intercepted and altered between your website and their browser. Using HTTPS connections eliminates all these issues. Your browser has already started warning you that a website you are visiting is “not secure” in the address bar if you are connecting via the HTTP protocol.
Some web pages may use HTTPS for the main page but then pull in other resources (pictures, scripts, iframes, fonts, etc.) using the older HTTP protocol. These pages can be confusing since they claim to be using the secure HTTPS protocol but the resources they pull in are still at risk. These are “Mixed Content” pages.
Why Mixed Content is dangerous
Mixed content creates a confusing situation where the user might believe they are viewing a secure page, but page resources such as images, JavaScript or iframes may have been modified in transit from the web server to their browser. This might result in their keystrokes being monitored, malicious cookies being set and other such nastiness.
While scripts and iframes are the most vulnerable, even image, video, and audio mixed content could be risky. For example, imagine you’re viewing a secure stock trading website that pulls in an image (graph) of a stock’s history via HTTP. That image isn’t secure since it could have been tampered with in transit to show incorrect details. Also, because it was delivered over an unencrypted connection, anyone listening on the network knows what stock you were looking at.
It is poor web design to mix content like this. However, since the web started out using nothing but the insecure HTTP protocol, it is just a naturally occurring accident that many web pages contain a mixture of HTTPS and HTTP calls.
What is changing in Chrome and other web browsers?
Come January 2020, most browsers will refuse to load HTTP resources on pages that are HTTPS. This is going to break any page that contains mixed content. As a website owner, you know that broken pages create an unsatisfactory user experience for your visitors, which results in less engagement with your website and fewer sales for you.
The wrong way to fix this
Google Chrome will provide a way for users to tell it to go ahead and load insecure content. This is the absolute worst way to fix this. It relies on your users being technically astute enough to “break” their browser to engage in risky behavior. Why would you want to do that? Most people are not that knowledgeable about how the web works and how to configure their browser. If they succeed, you have left them in a position to be exploited, and if they fail, they can’t read your web page. Since you only have a few seconds to capture their attention, most will just move on and ignore your site.
The correct solution
Fortunately, there is a right way to fix this. It involves setting your website to use HTTPS connections AND testing to be sure that ALL the resources that your pages use are also called ONLY via HTTPS. This may sound pretty technical but it really isn’t. Here are the steps you need to follow:
1. Install an SSL certificate on your website so that you can use the HTTPS protocol. There are SSL certificates that can be used for free for non-commercial purposes. Most web hosts (Webquarry included) offer these somewhere in their control panel. There are also commercial certificates that are intended for business use and are very affordable.
2. Search through all your web pages, posts, products, etc. and change any HTTP calls for external resources to HTTPS.
3. Set your web server to redirect HTTP to HTTPS calls so that incoming visitors are seamlessly redirected to the more secure version of your pages.
This sounds time consuming…
“But wait…,” you say. “I have hundreds of web pages. This is going to take forever! Besides, won’t the redirect mentioned in step 3 solve this issue for me?”
Not really. Yes, having the server redirect from HTTP to HTTPS will solve the aforementioned security issues, but keep in mind that the user’s web browser DOESN’T KNOW that it is about to be redirected. All it knows is that it is about to call insecure content on a mixed content page, and it therefore refuses to make the initial call. This means it never gets to the redirection. To avoid this, your web pages MUST contain nothing but HTTPS calls.
While your website may have hundreds of HTTP calls that need to be changed, you can do it rather quickly if you write a program to search and replace those calls.
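As an added example (not Webquarry's own tooling), here is one way such a search-and-replace program could look in Python: it reports every resource a page loads over HTTP and rewrites those URLs to HTTPS, while leaving ordinary links alone. The tag list, function names and sample page are assumptions made for this illustration.

```python
import re
from html.parser import HTMLParser

# Tags and attributes that can make the browser fetch a resource into the page.
# <a href> is left out on purpose: a link to an HTTP page is navigation,
# not mixed content.
RESOURCE_ATTRS = {
    "img": ("src", "srcset"), "script": ("src",), "iframe": ("src",),
    "link": ("href",), "video": ("src", "poster"), "audio": ("src",),
    "source": ("src", "srcset"), "embed": ("src",), "object": ("data",),
}

# Constructed sample page; the hosts are placeholders.
SAMPLE = """<html><body>
<a href="http://example.com/about">About</a>
<img src="http://cdn.example.com/chart.png">
<script src="https://cdn.example.com/app.js"></script>
<iframe src="HTTP://widgets.example.net/quote"></iframe>
</body></html>"""

class MixedContentFinder(HTMLParser):
    """Collects (line, tag, attribute, url) for each http:// subresource."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name in RESOURCE_ATTRS.get(tag, ()):
                # findall copes with srcset, which lists several URLs.
                for url in re.findall(r"http://[^\s,]+", value, re.I):
                    self.findings.append((self.getpos()[0], tag, name, url))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

def upgrade_to_https(html):
    """Rewrite every occurrence of each URL find_mixed_content() reported."""
    for url in {f[3] for f in find_mixed_content(html)}:
        html = html.replace(url, "https://" + url[len("http://"):])
    return html

if __name__ == "__main__":
    for line, tag, attr, url in find_mixed_content(SAMPLE):
        print(f"line {line}: <{tag} {attr}> loads {url}")
    print(upgrade_to_https(SAMPLE))
```

Before rewriting, confirm that each host actually serves the resource over HTTPS, or the upgraded URL will fail to load. The scan covers HTML attributes only; http:// URLs inside CSS or JavaScript need a separate search.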
I don’t have that kind of time or those skills…
Cheer up! There is a better way. We have the skills and expertise to handle this for you. We can test for and correct any Mixed Content errors on your website. We will also install and test the appropriate SSL certificate so you can use HTTPS connections on your website. The best part is that it is really affordable. We charge only $75 to our customers for this service that includes installing the SSL certificate. If you need the commercial SSL certificate, there is an additional fee of $70.00 for the certificate.
How do I get started?
Get in touch with us by opening a ticket, mention this article and tell us the URL of your website. We will take a look and let you know if you have any mixed content on your website. If there is no mixed content, then there is no charge. If we find something that needs correcting, we will outline what it is, along with a confirmation of the price.
What if I am not currently a Webquarry customer?
No problem. Go ahead and open a ticket anyway. We would still love to help.