Will Chrome block all types of non-HTTPS mixed content downloads?

Background of the article:

In October this year, Google released an official update for the new version 86 of the Chrome browser, which means that Chrome will block all types of non-HTTPS mixed content download.

In order to further strengthen the browser's security defense, Chrome, the browser dominance with a global share of 71%, can be said to be "broken." As early as February this year, Google announced: In order to enhance users' download protection experience, Chrome will gradually block the downloading of mixed content that is not Hypertext Transfer Protocol Secure, ensuring that HTTPS secure pages only download secure files.

Why HTTP resource downloads for HTTPS pages are blocked

HTTPS mixed content errors have always been a major obstacle for websites to promote HTTPS encryption. An HTTPS mixed content error occurs when the initial web page is loaded through a secure HTTPS link, but other resources in the page (such as images, videos, stylesheets, scripts) are loaded through an insecure HTTP link. That is, unsafe factors). Google reports that Chrome users use HTTPS for more than 90% of their browsing time across all major platforms, but these secure pages often load insecure HTTP subresources.

In the early days, Chrome blocking started with unsafe downloads of secure pages. This situation is particularly concerning because Chrome currently has no way to indicate to users that their privacy and security are being compromised. Insecure file downloads threaten user security and privacy. For example, an attacker can replace a program downloaded via HTTP with a malicious program, and an eavesdropper can read a user's bank statement downloaded via HTTP, etc. To address these risks, Google plans to eventually disable the loading of unsafe resources in Chrome. As a continuation of a plan announced last year, Chrome will block access to all "non-secure sub-resources" on "secure pages."

Chrome’s six-phase plan to block mixed content

Starting with Chrome 82 in April 2020, the Chrome browser took action to warn users , further ensuring security, until finally blocking "downloads of mixed content" (non-HTTPS downloads on secure pages) support. The file types that pose the greatest risk to users (executable files) are affected first, and subsequent versions will cover more file types.

Google plans to roll out restrictions on mixed content downloads first on Windows, macOS, ChromeOS, and Linux desktop platforms. The Chrome team divides this process into six steps, which are:

☞Chrome 81 (March 2020): The browser will pop up a console message warning of all mixed content downloads;

☞ Chrome 82 (April 2020): The browser will warn about mixed content downloads (executable files such as .exe);

☞ Chrome 83 (June 2020): Warning.zip Downloads of mixed content from archives and .iso disk images;

☞ Chrome 84 (August 2020): Warning about downloads of mixed content other than images, audio, video, and text;

☞ Chrome 85 (September 2020): Warn about the download of mixed content such as images, audio and video, and text;

☞ Chrome 86 (October 2020): Block the download of all types of mixed content.

The gradual rollout is intended to quickly mitigate serious security risks and provide developers with updates given that mobile platforms have better native protection against malicious files. The buffering time of its website prevents unsafe websites from affecting the Chrome user experience.

Is your website content mixed?

Is your website content mixed? I believe that most website administrators do not know what mixed content their websites contain, and the major update of Chrome 86 version helps users understand that all HTTP websites are unsafe, forcing website administrators to upgrade their sites to the more secure HTTPS protocol to protect users. privacy and data security.

Countermeasures

① Check for mixed content/insecure links on your website, check the loaded files in the website, and ensure that all files are downloaded only through HTTPS. This can be solved with the help of certificate management tools Regarding the insecure (external link) issue of HTTPS, monitor the website in real time and obtain a professional evaluation report to detect whether the HTTPS website you deploy is truly secure.

#② It is recommended that the website implement full-site HTTPS encryption. Protect private data from eavesdropping and leakage.

③ Worried that full-site HTTPS will consume more cloud server CPU resources and increase latency? Can develop performance optimization solutions for full-site HTTPS acceleration.

Related recommendations: Website Security Tutorial

The above is the detailed content of Will Chrome block all types of non-HTTPS mixed content downloads?. For more information, please follow other related articles on the PHP Chinese website!