Website owners must continually update and improve their sites to keep up with the latest initiatives from Google. Site owners changed their sites when Google added ranking factors such as mobile-friendliness, website speed, and more. For more than a year, Google has been encouraging businesses to switch to a more secure HTTPS website. Last week, Google announced that Google Chrome would block content from sites that used HTTP and HTTPS on the same page, starting in December.
HTTPS is the secured form of HTTP that websites use to protect their site and their customers’ data. Without HTTPS, websites are more vulnerable to “man-in-the-middle” attacks. These attacks allow a third party to get data from website customers without the site owner or the consumer realizing it. HTTPS encrypts the data that computers send to websites, so it’s more difficult for an unauthorized party to see what’s happening.
When Google turned HTTPS adoption into a ranking factor for SEO, many websites took the hint and updated their servers to HTTPS. Most commercial websites you visit will use HTTPS protocols. However, some sites haven’t completely switched away from HTTP. Starting in December 2019, Google Chrome will begin blocking insecure content on pages that use both HTTPS and HTTP, which is also known as having “mixed content.”
The issue is that objects which use HTTP are the weak link when they’re inserted into a site that uses HTTPS. In a section for developers about mixed content, Google wrote, “Requesting subresources using the insecure HTTP protocol weakens the security of the entire page, as these requests are vulnerable to man-in-the-middle attacks, where an attacker eavesdrops on a network connection and views or modifies the communication between two parties. Using these resources, an attacker can often take complete control over the page, not just the compromised resource.”
Websites that use plugins, embeds, images, and other resources that aren’t on the same server as the site need to be careful about accidentally including mixed content. Something as simple as an old HTTP URL can make sites more vulnerable. Many browsers make it possible to see when a page has mixed content, but these browser warnings don’t come up until the page is loaded with the potential vulnerability.
By blocking mixed content, Google Chrome can prevent consumers from having their online privacy violated. And by blocking site resources that mix HTTP and HTTPS, Google Chrome encourages website owners to address these issues before they lead to more significant problems.
According to media reports, the block on mixed content will go into effect when Google launches the newest version of Chrome (Chrome 79) in December. It won’t block the entire site, but it will prevent HTTP resources from being loaded. When Chrome detects a site with mixed content, it will attempt to automatically upgrade HTTP content to HTTPS if that resource exists on an HTTPS server. For cases where upgrading isn’t possible, Google will introduce a toggle that a Chrome user can use to unblock the insecure resources that Chrome is blocking.
To make sure every element of a site works correctly after this change, website owners should review their sites to remove any lingering HTTP resources.
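One way to run that review against a page's HTML, as an added example (not code from Google or from the original article): a small Python scanner that lists subresources an HTTPS page would load over HTTP, with the HTTPS URL to test as a replacement. The sample page and hostnames are constructed, and the tag list and `rel` values checked are assumptions covering common cases.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a subresource. <a href> is
# left out on purpose: a link to an HTTP page is navigation, not mixed content.
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "audio": "src",
               "video": "src", "source": "src", "embed": "src",
               "object": "data", "link": "href"}
FETCHING_RELS = {"stylesheet", "icon", "preload"}  # assumed subset of rel values

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (line, tag, insecure_url, https_candidate)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        value = attrs.get(FETCH_ATTRS.get(tag, ""))
        rels = set((attrs.get("rel") or "").lower().split())
        if not value or (tag == "link" and not rels & FETCHING_RELS):
            return
        # Resolve relative and protocol-relative URLs against the HTTPS page.
        parts = urlsplit(urljoin(self.page_url, value.strip()))
        if parts.scheme == "http":
            https_url = parts._replace(scheme="https").geturl()
            self.findings.append((self.getpos()[0], tag, parts.geturl(), https_url))

def find_mixed_content(html, page_url):
    """Return insecure subresources referenced by an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on pages served over HTTPS
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; every hostname is a placeholder.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example/theme.css">
<link rel="canonical" href="http://shop.example/">
<script src="//cdn.example/app.js"></script>
</head><body><a href="http://partner.example/">Partner</a>
<img src="http://images.example/banner.png"><img src="/static/logo.png">
<iframe src="HTTP://video.example/embed/1"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, tag, url, fix in find_mixed_content(SAMPLE_HTML, "https://shop.example/"):
        print(f"line {line}: <{tag}> loads {url}; try {fix}")
```

The scanner only sees URLs present in the static HTML; resources requested from CSS or by scripts at runtime need a check in the browser's developer tools as well.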