Google Chrome has started to take strict precautions regarding the security and privacy of its users. Just recently, Google announced new privacy features to secure searches on YouTube, Maps, and Google Assistant voice commands. Now Google is looking to protect user interests by strengthening security over Chrome browsing sessions through blocking mixed content. Google ensures that the top results on Google search are always from sites with SSL certification, which means that their servers run on the HTTPS secured application protocol.
But increasing cybercrime and past breaches of Google’s security measures have prompted the tech giant to extend its efforts to further prevent hacking attempts, password breaches, and identity theft. Google has previously blocked “mixed content” on Chrome. Now Google is planning to block all kinds of insecure content on Chrome.
What is mixed content? How does it impact searches in secured browser sessions? And how does Google plan to block it? Let’s get into the details:
What is Mixed Content?
Sites and web pages deliver content to Chrome in two different ways: as secured content, under HTTPS encryption, or over an unencrypted HTTP connection. The “S” in HTTPS stands for “Secure”. It implies that the communication established between your network connection and the concerned site’s servers is secure and encrypted. Any data transferred in between, including login details, remains encrypted, making it harder for hackers to snoop and break in.
On the other hand, an HTTP connection doesn’t guarantee any encryption. This means there is no guaranteed protection of your login credentials and other internet activities on such a site. Google has long displayed a warning when a user opens an insecure website on Chrome: the “https://” sign is hidden on such sites, and a “Not Secure” highlight is displayed in the address bar.
However, some webpages deliver content over an HTTPS connection but pull images, scripts, and ads from sources over an HTTP connection. Webpages that deliver insecure content over a secure connection are said to provide “mixed” content. Since mixed content is not entirely protected, the connection can lead to malicious activity even though the webpage itself cannot be altered in any manner.
How Does Mixed Content Impact Browser Security?
As stated, mixed content won’t affect the security of the web page itself. That is, the connection with the webpage’s server remains secure despite the presence of an insecure image, script, video, or ad in that Chrome session. These insecure scripts and images pose a greater threat if you’re using the internet over a public network. This would allow any hacker to break into your session, leading to a set of nasty things which may hamper your browser security on more significant levels.
For instance, say you visit a webpage that pulls an image over an HTTP connection. First, that image can be tampered with while that connection is being established. This increases the chances of malware being linked to that image. Plus, through that connection, any hacker can breach your browser security on that webpage and snoop into your activities. This would allow that hacker to track what data you’re searching for, what site you’ve logged in to, and what information you’re looking at. This ultimately violates your privacy and increases the chances of malware injection and data theft during the connection.
Why Is Mixed Content Delivered on Secured Web Pages?
Mixed content is basically an issue the web faces in its continuous evolution. Earlier sites and webpages used the HTTP application protocol. SSL certification and HTTPS security came later. Though major domains have made sure to obtain SSL certification for better credibility, there are still sources that have yet to install a certificate on their servers.
Plus, even after SSL certification, sites don’t necessarily use HTTPS for all resources, and the third-party resources from which these websites pull additional images and scripts cannot be guaranteed to have an HTTPS connection.
This is the reason Google is pushing to block mixed content on Chrome. By blocking all mixed content, Google suggests it would be able to offer more secure connections over browser sessions. As Google claims, 90% of the webpages that appear on Google search have an HTTPS connection. This new update to Chrome will focus on prompting other browsers to discourage mixed content and would urge websites to disallow images and scripts from insecure resources.
How Will Google Block Mixed Content on Chrome?
According to Google’s blog post on the subject, it is planning to launch its new feature for blocking mixed content in three different stages. Beginning in December this year, Google will code this facility into three upcoming versions of Chrome:
- Chrome 79:
The first step would be to block mixed scripts and iframes in Chrome sessions. Google has been doing this already for mixed scripts. When Google blocks such content, it displays the message “Insecure Content Blocked” (see image), and a shield sign can be seen in the URL address bar.
With Chrome 79, such content would be blocked by default. If the user wants to unblock mixed content, he/she would have to go through Site Settings. Here’s how you’ll do it in two simple steps:
Step 1: Click on the “Lock” button at the left-most side of the address bar.
Step 2: Go to Site Settings and toggle through permissions to allow blocked mixed content in your session.
- Chrome 80:
With Chrome 80, Google will block mixed content that is pulled in the form of audio or video. The resources this content is drawn from will be on an HTTPS connection. If the content is not loading over https://, Chrome would block it by default. Users would be given a choice to unblock such mixed content by clicking on the Lock button, as shown in the image below.
Google has said that it won’t block mixed content in the form of images as of Chrome 80. However, if a webpage pulls in mixed images, Google Chrome would label that page as “Not Secure” (see image below).
- Chrome 81:
In this final version to be launched in February 2020, Google would finally block mixed images to ensure complete security over websites and browser sessions.
Google is probably trying to test its efforts before completing its target of blocking all mixed content in Chrome sessions, which is why the feature would be coded into Chrome settings in three steps. In Google’s official blog post on the matter, developers have been warned to clean up their webpages and fix web content on their sites to accommodate Google’s new rules.
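To find what needs cleaning up before these releases, a page's markup can be scanned for http:// subresources, with each one mapped to the stage described above. This is an added example, not code from Google or Chrome; the sample page and its example hostnames are constructed, and the stage labels follow this article's description of the rollout.

```python
from html.parser import HTMLParser

# Rollout stage per element, as described in this article (not read from Chrome).
STAGE = {
    "script": "blocked by default in Chrome 79",
    "iframe": "blocked by default in Chrome 79",
    "audio": "blocked by default in Chrome 80",
    "video": "blocked by default in Chrome 80",
    "img": "page labelled Not Secure in Chrome 80, blocked in Chrome 81",
}

class MixedContentAudit(HTMLParser):
    """Collect http:// subresources referenced by a page served over HTTPS."""
    def __init__(self):
        super().__init__()
        self.findings = []       # (tag, url, stage)
        self._media = None       # enclosing <audio>/<video>, for <source> children

    def handle_starttag(self, tag, attrs):
        if tag in ("audio", "video"):
            self._media = tag
        # A <source> inside <audio>/<video> counts as that media element.
        kind = self._media if tag == "source" and self._media else tag
        src = (dict(attrs).get("src") or "").strip()
        if kind in STAGE and src.lower().startswith("http://"):
            self.findings.append((kind, src, STAGE[kind]))

    def handle_endtag(self, tag):
        if tag == self._media:
            self._media = None

def audit(html):
    parser = MixedContentAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page, assumed to be served from https://shop.example/
SAMPLE = """
<script src="https://cdn.example/app.js"></script>
<script src="http://cdn.example/legacy.js"></script>
<iframe src="HTTP://ads.example/frame.html"></iframe>
<video controls><source src="http://media.example/clip.mp4"></video>
<img src="http://img.example/banner.png">
<img src="/local/logo.png">
"""

if __name__ == "__main__":
    for tag, url, stage in audit(SAMPLE):
        print(f"{tag:7} {url:34} {stage}")
```

Relative and https:// URLs are left alone because they inherit or already use the secure scheme; only explicit http:// references are reported.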
Mixed Content via Ads
While images and scripts are common forms of mixed content, webpages also pull advertisements from insecure resources. These ads also fall under the category of mixed content. If you want to get ad-based insecure content blocked in Chrome sessions, you can add an extension to Chrome for that purpose.
StopAll Ads is an excellent extension for Chrome to block ads and ad pop-ups in your browsing sessions. Most blogs and websites run advertisements through Google AdSense to earn affiliate funds. This strategy has long been adopted by Google and is its primary source of income. This is the reason Google will never block ads on webpages under mixed content. It would break its business model.
So, you need external support to save yourself from possibly infected advertisements. StopAll Ads acts as an ad blocker on Chrome and blocks all ads displayed across all corners of webpages. A regular website running ads on Chrome appears like this:
When you enable StopAll Ads, the extension would block all ads and offer you an ad-free session:
The StopAll Ads extension would be indicated by a symbol beside the address bar, just like every other extension on Chrome. By blocking ads using StopAll Ads, alongside Google’s new mixed content blocking feature, you’d be able to remove all sorts of insecure content from your sessions.
Google’s attempt at blocking mixed content shows its focus on user privacy, which is necessary after so much backlash. But again, its negligence towards blocking mixed ads shows how it is primarily focused on its business model. It seems Google is still far from revamping its business practices in line with user security and privacy. Nevertheless, the feature can turn out to be useful for Chrome users across the globe. But to be completely safe from mixed content, it’s suggested that you block ads on Chrome as well and browse through webpages without a single doubt about security.
Please give your views on Google’s new attempt at blocking mixed content. Tell us how you think it would impact your browsing sessions and how secure you’d feel with this feature on.