In 2020, the end of HTTP is near, Google is taking aim at websites with mixed content.
Mixed content includes content downloads such as software executables, documents, and media files offered from secure HTTPS websites over insecure HTTP connections.
Mixed content resulted from the need for websites to move to HTTPS from mid-2018 when Google started flagging out sites that are insecurely transmitting information over its Chrome browser.
Users seeing the HTTPS padlock on a site in Chrome typically assume that any downloads it offers are also secure.
Google’s recent announcement points out:
Insecurely-downloaded files are a risk to users’ security and privacy.
For instance, insecurely downloaded programs can be swapped out for malware by attackers, and eavesdroppers can read users’ insecurely-downloaded bank statements.
To eliminate this issue, Google has recently announced a timetable for phasing out insecure file downloads in its Chrome browser.
It will be a gradual effort rather than an immediate hardline exercise. It will begin with Chrome on desktop version 81 due out next month, by offering warnings. The dateline for all downloads via HTTP will systematically be blocked by Chrome version 86 scheduled to be out in October 2020.
Mobile versions of Chrome will use the same timetable except that they will lag by a version behind their desktop counterpart.
This latest plan underlines Google’s desire to improve security and user experience by the promotion of HTTPS everywhere in Chrome.
Make note eradicating unsecured downloads doesn’t guarantee that the download isn’t malicious. In essence, it merely means that the download hasn’t been tampered with as it travels from the webserver to your computer.
As part of our web security offering, we can help scan and fix these mixed content issues.