Chrome will call out mixed content more agressively

Anything in red usually catches your eye. I noticed the error notification "This page is trying to load scripts from unauthenticated sources" with the shield & a red cross at its corner, in Chrome's address bar on accessing a site over https. This appears to be introduced in version 53.

Microsoft Edge locks mixed content too, but the icon doesn't really stand out.
Based on the wording ("unauthenticated source") of the warning, I initially thought Chrome had a problem with the sites where the scripts were originating from. But after a little digging, I found that the issue was with active mixed content


Passive mixed content refers to content that doesn’t interact with the rest of the page, and thus a man-in-the-middle attack is restricted to what they can do if they intercept or change that content. Passive mixed content includes images, video, and audio content, along with other resources that cannot interact with the rest of the page.

Active mixed content interacts with the page as a whole and will allow an attacker to do almost anything with the page. Active mixed content includes scripts, stylesheets, iframes, flash resources, and other code that can be downloaded and executed by the browser.

Is having HTTPS for a site really such a big deal? Should Chrome alarm readers of even a casual web site that its pages are NOT SECURE?


It's not about the NSA or about protecting you, it's about protecting the people who visit your site.

Although HTTPS prevents MITM traffic snooping, it's more than that. If all websites were HTTPS, it would provide a way for people to know that the websites they were viewing (such as yours) were the actual websites they were supposed to be and also that intermediaries aren't intercepting and modifying/injecting the pages that the end user is requesting. I don't think most users would notice if the hotel, airport or McDonalds Wi-Fi they think they're connected to was modifying the pages they were viewing. Without HTTPS the website owner and the end user would be completely oblivious to it. In addition, with the way the web is at the moment, it's left to users to remember to check for a padlock, which is just plain idiocy.

A decade ago, browsers were simple. Now they have a lot of work to do

Comments

Popular posts from this blog

Maven Crash Course - Learn Power Query, Power Pivot & DAX in 15 Minutes

"Data Prep & Exploratory Data Analysis" course by Maven Analytics

Oracle Cloud Infrastructure 2024 Generative AI Professional Course & Certification Exam (1Z0-1127-24)