Chrome will call out mixed content more agressively

Anything in red usually catches your eye. I noticed the error notification "This page is trying to load scripts from unauthenticated sources" with the shield & a red cross at its corner, in Chrome's address bar on accessing a site over https. This appears to be introduced in version 53.

Microsoft Edge locks mixed content too, but the icon doesn't really stand out.

Based on the wording ("unauthenticated source") of the warning, I initially thought Chrome had a problem with the sites where the scripts were originating from. But after a little digging, I found that the issue was with active mixed content

There are two types of mixed content: active and passive.

Passive mixed content refers to content that doesn’t interact with the rest of the page, and thus a man-in-the-middle attack is restricted to what they can do if they intercept or change that content. Passive mixed content includes images, video, and audio content, along with other resources that cannot interact with the rest of the page.

Active mixed content interacts with the page as a whole and will allow an attacker to do almost anything with the page. Active mixed content includes scripts, stylesheets, iframes, flash resources, and other code that can be downloaded and executed by the browser.

Starting January 2017, Chrome 56 will label HTTP pages with password or credit card form fields as "not secure," given their particularly sensitive nature. Eventually, it will label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS.

Is having HTTPS for a site really such a big deal? Should Chrome alarm readers of even a casual web site that its pages are NOT SECURE?

One web denizen has this answer:

It's not about the NSA or about protecting you, it's about protecting the people who visit your site.

Although HTTPS prevents MITM traffic snooping, it's more than that. If all websites were HTTPS, it would provide a way for people to know that the websites they were viewing (such as yours) were the actual websites they were supposed to be and also that intermediaries aren't intercepting and modifying/injecting the pages that the end user is requesting. I don't think most users would notice if the hotel, airport or McDonalds Wi-Fi they think they're connected to was modifying the pages they were viewing. Without HTTPS the website owner and the end user would be completely oblivious to it. In addition, with the way the web is at the moment, it's left to users to remember to check for a padlock, which is just plain idiocy.

A decade ago, browsers were simple. Now they have a lot of work to do