Browser security is a big part of the next release of Chrome. There is a major impact to websites that contain mixed content downloads, i.e., content that is downloaded from secured and unsecured sites. There are a significant number of websites that have the current warning that they are “Not Secure” even with HTTPS.
Today we’re going to talk about a browser that is making some significant changes coming in January of 2021, and that’s going to have an impact on how people view your websites. If you haven’t taken all the precautions that we spoke about, listen in.
Back in March of 2019, the article that we wrote was “This Website is not Secure.”
And in the article, we kind of give you the insight into what it means that your website should be secure, what security is, how you can tell that it’s secure, and so forth. So, let’s take a quick look at that article just to kind of refresh ourselves with its content, and kind of really dive deep into one area where one browser is making a big change in January 2021.
Here is the article. We talked a little bit about HTTPS and HTTP and what the difference is, and what a secure or not secure website is. Non-secure websites are open; in other words, any data that’s being passed back and forth can be read by others. We also covered why it’s important for a consumer’s privacy and security to make sure that you do have a secure website.
Naturally, there is always a search engine optimization benefit to making sure that your websites are secure. Google has made it a mandate that all websites, no matter if they are passing content or registration forms or anything like that on them, should still be secured.
But what I’m really concerned about, and why I really wrote the article, was to inform everybody about the impact that it has on your company’s brand image.
When people go to your website and if they get some kind of negative response from the browser, that doesn’t reflect very well on the company’s brand. This is why we are really looking at this, because Chrome specifically is making a significant change.
Right now, if you go to Chrome and you go to someone’s website, it might say HTTPS on it, but it still will have this “Not Secure”. Well, what does that mean? The connection to the site is not secure, but it also could mean that maybe some content that is specifically on that website is not secure.
So, in other words, your whole website is HTTPS, but let’s say you have an image coming from a different source and that source isn’t secure; it doesn’t use HTTPS. It’s using HTTP, which is insecure. Right now, Google and the other browsers in this area will let people know that, hey, you know, this site might be somewhat secure, but it’s not all secure, and that goes for video, text, PDF files, audio files, and so forth.
So, they’re really looking at all this. And we kind of talk about how that looks in Chrome, and what a website that is secure looks like in Chrome. There is a big difference when it comes to the brand image. This also extends out to the mobile devices as well.
So, it’s not just browsers. I know we’re just looking at browsers here, but it really also impacts your iPad, your iPhones, your Androids, and the tablets.
So, these are just all kinds of things that we talked about back in March of 2019, and why it’s important for you to start looking at it just from a company brand image but.
Chromium Blog – Chrome security roadmap
Here is what I’m going to really focus on: what Google is doing with Chrome. We are going to go to this article that was written in February of 2020, so earlier this year, and it’s been updated in April of 2020.
Well, what they’re doing is kind of explaining why they are doing this, and why, if there are insecure downloads from a server coming to the browser, they’re going to do something about it. I’m just going to go right down to this little graph right here.
And to the little text bullet points underneath it, which I’m going to address and try to pull out here. So, this graph here will let you know that as each version of Chrome comes out, the different releases over time, they are going to take certain steps.
So, for instance, in Chrome 85 they are now blocking executables such as dot EXE files. So, any link that might be to an EXE file or dot APK file, or whatever type of file, it will block it automatically, especially if it’s coming from a non-secure site.
And that is what they call mixed content downloads. You have some content that is secure and some content that’s not secure.
Well, this is what is really important starting in Chrome 88 and later. Images, audio, and video. Like PNG files, MP3 for audio, MP4 for video, dot MOV for video, dot PDF for Adobe PDF files. Any kind of file like that, is going to be blocked.
In other words, if your site is pulling content from an insecure source or it has mixed content downloads, they are going to block those images.
We’re going to kind of scroll down to this last bullet point here, where you can see what’s coming up in January of 2021: Chrome 88, which is scheduled to be released in January of 2021, will now block all mixed content downloads.
So, that’s all your images and so forth, and that’s really important, because unfortunately, I kind of took a gander around the real estate space of websites, and you would be surprised at how many sites have mixed content downloads, secured and unsecured downloads of images.
And they’re mostly all images, some files. Mostly your core corporate sites, especially on the residential side, are pretty much OK. Especially if you are on a platform like MoxiWorks, or Reliance Networks, Delta Media and others.
But here’s where I find that we are missing the boat on a lot, and that’s on your ancillary service websites. Your mortgage, your title, your insurance, your rentals, and your commercial websites.
I was completely surprised by how many websites that I have gone through where I saw that this was a big issue. You know, I’m being notified that there’s mixed content, secure and insecure downloads, occurring on a website, on a mortgage website.
How much of a brand negative is that, it really is…I was lost for words to really say “Hey”, it wasn’t just one or two, it was several websites.
So, it doesn’t speak very well for the brand when someone goes to your website and it says not secure. Especially when you’re talking about mortgage. And the worst part about it is, it really is simple stuff. It’s really just images coming from an insecure site.
All you have to do is secure those servers so that they are delivering content securely. That is why it’s important.
Chrome Market Capture
To end this: why am I so focused on Chrome doing this? I believe the other browsers are also going to eventually follow suit with what Google is doing with Chrome. But Chrome happens to be, as we will see from this page, BOOM, from StatCounter.com, on browser market share worldwide.
Chrome happens to be close to 66 – 63 percent, at the end of November, of the market share. Substantially a lot more than all the others combined as far as market share goes, so, which means most people use Chrome.
They use Chrome on their tablets, on their mobile devices, and their laptops and desktops. So, it’s very prominent. And, as of January 2021, people are going to start not seeing images if they are coming from an insecure source.
So, what you need to do now over the next 4 weeks, 5 weeks, 6 weeks – before the release of Chrome 88 comes out – is do an audit, really quick. Take a look at all of your websites, including blogs.
The other biggest offender that I found was blogs that are not hosted within your own website platform. They’re hosted through WordPress on an external WordPress site or Drupal or Joomla or PHP or whatever.
I’m finding that a lot of them also have mixed content downloads on them. In other words, they are secured, but they have content that is being downloaded to the browser that is insecure. And starting in January 2021 sometime, those downloads are not going to happen.
What are you going to get? Your customers are going to get pages that will not have images. I know, because if those images are coming from an insecure source, they’re just not going to be downloaded. It will be blank space.
Do your audit, take a look, and be prepared to take care of it before January of 2021.
Thank you very much for this edition’s insightful tech. Take care, and as always, be safe.
Be happy and be better, take care.
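One way to run the audit recommended above, as an added example (not from the original talk or from Chrome's tooling): a Python standard-library scanner that lists every `http://` resource an HTTPS page references. The tag/attribute table, the extension list and the `example.test` sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Attributes that make the browser fetch a subresource, keyed by tag.
FETCH_ATTRS = {
    "img": ("src", "srcset"), "source": ("src", "srcset"),
    "audio": ("src",), "video": ("src", "poster"), "script": ("src",),
    "iframe": ("src",), "embed": ("src",), "object": ("data",), "link": ("href",),
}
# File types the talk names; a plain link to one of these is a download.
DOWNLOAD_EXTS = (".exe", ".apk", ".pdf", ".png", ".mp3", ".mp4", ".mov")

class MixedContentAudit(HTMLParser):
    """Collect http:// resources referenced by a page served over https://."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (line, tag, attribute, absolute URL)

    def _check(self, tag, attr, value):
        url = urljoin(self.page_url, value.strip())  # resolves /path and //host
        if urlparse(url).scheme == "http":
            self.findings.append((self.getpos()[0], tag, attr, url))

    def handle_starttag(self, tag, attrs):
        for name, value in ((n, v) for n, v in attrs if v):
            if tag == "a" and name == "href":
                # Ordinary navigation links are not downloads; skip them.
                if urlparse(value).path.lower().endswith(DOWNLOAD_EXTS):
                    self._check(tag, name, value)
            elif name in FETCH_ATTRS.get(tag, ()):
                # srcset holds comma-separated "URL descriptor" entries
                parts = value.split(",") if name == "srcset" else [value]
                for part in parts:
                    if part.strip():
                        self._check(tag, name, part.split()[0])

def audit(page_url, html):
    # Returns the insecure references found in the markup of an HTTPS page.
    parser = MixedContentAudit(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample page (hosts under example.test are placeholders).
SAMPLE = """<img src="http://cdn.example.test/logo.png">
<img src="//static.example.test/a.png" srcset="/b.png 1x, http://cdn.example.test/b2.png 2x">
<video src="https://media.example.test/tour.mp4" poster="http://media.example.test/p.jpg"></video>
<a href="http://files.example.test/rates.pdf">Rates</a>
<a href="http://partner.example.test/about">Partner</a>"""
FINDINGS = audit("https://www.example.test/listings", SAMPLE)
```

Feed it the saved HTML of each page on the main site, the blog and the ancillary sites; it only sees references in the static markup, not ones added later by scripts or stylesheets.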
The original WAV Group article, “This Website is Not Secure”, that discusses how sites with HTTPS can still be downloading unsecured content.
The roadmap laid out by Google on Chrome’s pathway to ensure all content delivering to the browser is secured – Protecting users from insecure downloads in Google Chrome
Browser market share information provided by StatCounter.com