Google Mixed Content Blocking: How to Detect Mixed Content and Avoid Blocking
Every year, Google is forced to resort to new solutions regarding security issues. Last year, the company announced that by the end of 2019, the browser would begin to block the downloading of mixed content, gradually phasing out the HTTP protocol in favor of HTTPS, which offers a higher level of protection. You can learn more about this from our HTTPS vs. HTTP article. This cannot be called a spontaneous solution, because the times when Chrome allowed mixed content ended a couple of years ago. Google began to take HTTPS support into account when ranking search results, indexing HTTPS pages by default. In version 68 of Google Chrome, HTTP pages were flagged as insecure. Then came the final stage: a complete ban on mixed content.
Jo-el van Bergen, Software Engineer at Google, explained why Google is blocking websites with mixed content:
“By default, the browser blocks different types of mixed content (such as scripts and iframes), but at the same time, videos, audio, and images can still be downloaded and this becomes a real threat to the user’s privacy.”
Imagine for a second how an attacker might change a mixed image of an exchange chart to fool investors or insert a tracking cookie file into mixed content. There is absolutely nothing positive about situations like this.
In addition, the process of downloading mixed content is confusing to the security system because the page is somewhere in the middle between safe and insecure.
If you want to allow mixed content, you can manually remove the blocking on a specific site by clicking the icon with a lock and selecting the appropriate option in the “site settings” column. This can be done in the current version of Chrome.
Fortunately for owners of sites with mixed content, there are several ways to solve this problem. In this article, we will tell you what you can do if you have mixed content. For starters, let’s look at the concept of mixed content.
What Is Mixed Content
Mixed content occurs when the source HTML is downloaded via a secure HTTPS connection and other elements such as images, videos, and scripts are downloaded via an insecure HTTP connection.
If you click on the link leading to a site with mixed content, you expose yourself to risks, since it simultaneously contains dangerous and safe scripts.
Most modern browsers will give you a content warning when insecure content is blocked. Typically, a mixed content warning will look like these:
How Can Mixed Content Affect SEO?
Since sites with mixed content are more vulnerable to security risks, your search ranking may deteriorate and Chrome will start blocking the site. If the user tries to unlock the contents and enter personal data, the browser will re-indicate the potential danger and will issue a second warning. As a result, a potential client may simply abandon the idea of visiting your site, and no one will make a purchase or view an advertisement.
How to Check the Site for Mixed Content
You may not be aware of the presence of mixed content on your site. To find out whether you have mixed content, you need an SSL mixed content checker.
An SSL checker (mixed content checker) is a tool with which you can verify the correct installation of an SSL certificate on your site and its security.
An SSL certificate is required to protect user data and identify the server on the network.
There are several online tools that can help you determine the presence of mixed content. Let’s consider some of them.
A free tool for verifying an SSL certificate with many other useful features such as encryption ciphers details, public key size, secure renegotiation, and protocols like SSLv3 / v2, TLSv1 / 1.2.
It helps to verify the correct installation and reliability of the SSL certificate.
Checks various metrics, such as TLS cipher details, certificate details, OWASP recommended secure headers, and others.
Once you figure out the information about the data on your site, you can move on to solving existing problems. Let’s look at how you can remove mixed content from your site.
How to Remove Mixed Content from a Site
To restore visibility of the site in search engines and ensure its safety, you must perform the following steps:
1. Install an SSL certificate
Some hosts provide an SSL certificate but not all do this by default. If you still have not installed it, you should do it as soon as possible. An SSL certificate provides an additional layer of security for you and your users, allowing your site to function through HTTPS.
There are two ways to obtain a certificate. You can contact your hosting provider, who can integrate SSL and configure the site to use the HTTPS protocol, or you can obtain a certificate from a certification authority.
You also need to decide what type of certificate you are interested in.
There are three main ones:
Domain Validation (DV)
For DV certificates, an elementary level of SSL validation is used. Simply put, a certification authority just makes sure that you own a specific domain. No one checks if you own a legitimate business. This is the easiest and fastest way but it does not provide the proper level of protection.
Organization Validation (OV)
Such certificates are intended for companies and organizations on whose sites users enter important information (credit card numbers, personal data, etc.). An OV certificate confirms the owner of the site and contains the name of the company. The validation process for such certificates is longer and more in-depth. The certification authority must make sure that you are the owner of a real company.
Extended Validation (EV)
This certificate allows you to get a green line in the browser, which guarantees security and reliability. The EV certificate also displays the company name in the address bar of the browser, and users can verify the authenticity of your company. This is the most effective security solution.
After purchasing a certificate, you must activate it.
2. Remove the HTTP hyperlinks
As we mentioned earlier, most sites are maintained using HTTP or HTTPS protocols. HTTPS enables encryption and provides a reliable level of security for your site.
Even if you link to an external resource containing an HTTP hyperlink, it can still make your site vulnerable to all kinds of attacks and puts users at risk.
You can solve this problem using the Google audit system. To test, install Chrome Canary and use Lighthouse (installed via npm). After you have configured everything, run the following command to start the audit and get a report:
lighthouse --mixed-content URL of your website
Lighthouse will show unprotected links on your site that need to be replaced or removed.
3. Install a 301 redirect
After updating the site and switching from HTTP to HTTPS, consider installing a 301 redirect. Read more about redirects in our 301 vs 302 redirects article. If you skip this step, users may accidentally use the old unsafe version of the site or not reach you at all.
To make sure that users are redirected to the HTTPS version of your site, you must access the .htaccess file through the file transfer protocol (FTP). Afterward, add the following code at the bottom of the file:
Redirect 301 / URL of your website
Save and reload the file, and your redirect will be ready.
We’ve covered the main reasons why Google is blocking websites and why there is no place for mixed content in Chrome. Follow our tips and avoid mixed content errors so that a Chrome content blocker will not affect your site.