How to Find and Fix Mixed Content Warnings on HTTPS Sites
Simply supporting HTTPS isn’t always enough — you also need to know how to identify and fix mixed content errors.

If you recently migrated your website from an insecure HTTP connection to a more secure HTTPS connection, you may still run into the problem of receiving mixed content warnings. Worse yet, your site may render as insecure to site visitors, causing them to quickly click the ‘back’ button and find elsewhere to explore.

That said, the real problem with mixed content warnings on HTTPS connections is emerging with Google Chrome’s latest release — Chrome 79. With this new release, some content that continues to load over an insecure connection will automatically be blocked. It will mark websites that use TLS 1.0 or 1.1 as “Not Secure” and no longer show the lock icon for them.

Further down the road with Chrome 81, scheduled to be released sometime in March, Google will completely remove support for the legacy TLS protocol, which will block all non-secure content by default. In other words, content on your site that is not loading via HTTPS will not load at all, and your site visitors will not see this content.

If you want to make sure all your site’s content is loading over a secure connection and site visitors see it all, keep reading. Today we’re explaining what mixed or insecure content is, why it’s a problem, and how to find and fix mixed content warnings if you see them on your HTTPS website.

Let’s hash it out.

What is Mixed Content?

According to Google, mixed content occurs when HTML on a website loads over a secure HTTPS connection (thanks to a recently installed SSL certificate) but other content, such as images, video content, stylesheets, and scripts, continues to load over an insecure HTTP connection. This results in some web content loading securely and some web content loading insecurely.
Hence the name “mixed content.”

The thing with mixed or insecure content is that it all loads over a secure HTTPS connection, whether the content itself is secure or not. And when this happens, modern browsers such as Google Chrome display warnings telling users who try to view the page that the site contains insecure content.

Secure websites that load over HTTPS connections provide the following benefits:

Authentication. Reassure your site visitors that they’re safe when they land on your website and engage with your site content, especially if you run an online shop where financial information is shared. In addition, verify for site visitors that they’re on the website they want to be on and haven’t been redirected to a malicious site.

Data Integrity. Visually tell site visitors that their personal and financial information is secure and safe from hackers no matter what action they take on your site. In addition, give browsers the ability to detect whether a hacker has changed any data a browser receives. In other words, help users trust that a hacker hasn’t redirected money paid via your online store to another account.

Anonymity. Guarantee site visitors that their behavior while on your site isn’t being intercepted by others and used maliciously.

In short, HTTPS allows website owners to secure their data and build trust with those who visit their site so they can continue to build their brand and business.

Why is Mixed Content a Security Issue?

If mixed content loads over a secure connection, you may be asking yourself why it matters. After all, the HTTPS connection should be securing the resources regardless of whether it’s mixed or not, right?

Wrong.

Any time there is mixed or insecure content on a webpage, the entire website becomes vulnerable to attack. While it doesn’t open the webpage up to all types of cybercrime, it weakens the overall security of the site.
This means that if a hacker breaches a website that loads mixed content, they might be able to take control of the entire page, not just the resource that is insecure.

While most modern browsers display mixed content warnings for people to see before they visit a website, the truth is, many of these warnings come too late. In fact, oftentimes hackers have already broken into mixed content websites and have begun doing damage without the site owners or visitors knowing what’s occurred.

Here are some other ways mixed or insecure content on your HTTPS site can become a security problem:

Hackers can intercept HTTP requests to load an image and swap your site’s image out for another one the hacker prefers.
Your ‘save’ and ‘delete’ button images can be switched, causing site visitors to accidentally save or delete content.
The front end of your site can be defaced, which is especially bad when it’s with lewd or inappropriate images or text.
A hacker can intercept written content and rewrite it entirely.
Passwords, session cookies, and other login credentials can become compromised and land in the hands of cyber criminals.
Your site visitors can be redirected to another site without knowing any different.

Browsers do their best to block the most dangerous types of mixed content on websites. However, it’s impossible to block all of it (though that seems like an obvious solution) because so many well-established and highly trafficked websites render mixed or insecure content for site visitors. Blocking all of it will lead to ruin and cause a lot of problems.

That said, you can expect popular browsers like Chrome to continue to block more and more mixed content as new versions are released.

How to Find and Fix Mixed Content Warnings on Your HTTPS Website

If you’ve taken a proactive approach to site security and have installed an SSL certificate on your site, be proud.
Data from Google’s Transparency Report indicates that desktop users load more than half the pages they visit over HTTPS connections and spend more than two-thirds of their time on HTTPS webpages. Unfortunately, data encryption is less prevalent across mobile devices, though more site owners are taking measures to secure their mobile sites as
