The next version of Chrome will include a new security policy that may make it easier for developers to ensure “HTTPS” websites aren’t undermined by insecure HTTP resources.
The new feature will arrive in Chrome 43 and promises to remove some of the work website owners — such as news publishers — would have to do if they were to enable HTTPS. That is, sites that have a digital certificate to verify their authenticity and that encrypt communications between the web server and the browser, often signified by the padlock in a browser’s address bar.
The feature might be helpful for publishers migrating legacy HTTP web content to HTTPS when that old content can’t be modified, or is difficult to modify. The issue crops up when a new HTTPS page includes a resource, such as an image, from an HTTP URL. That insecure resource will cause Chrome to flag a “mixed-content warning” in the form of a yellow triangle over the padlock.
In the example Google provides at googlechrome.github.io, clicking on the icon in Chrome 42 and below will deliver the explanation: “Your connection to googlechrome.github.io is encrypted with modern cryptography. However, this page includes other resources which are not secure. These resources can be viewed by others while in transit, and can be modified by an attacker to change the look of the page.”
If the same site were accessed in Chrome 43 (which is in beta now but should be stable in May), the warning should vanish thanks to a browser Content Security Policy directive known as Upgrade Insecure Resources. The directive “causes Chrome to upgrade insecure resource requests to HTTPS before fetching them”, Google explained today.
“This change allows developers to serve their hard-to-update legacy content via HTTPS more easily, improving security for their users,” it added.
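As an added example (not code from the article, Google or Chrome), here is a small Python audit that lists the HTTP subresources an HTTPS page would fetch and shows what the directive, spelled `upgrade-insecure-requests` in the Content-Security-Policy header, would rewrite each of them to. The page URL, host names and HTML it runs on are constructed; the split between images, audio and video (which Chrome loads and flags with the warning icon) and scripts, stylesheets and frames (which it blocks outright on an HTTPS page) follows the W3C Mixed Content specification.

```python
"""Mixed-content audit of an HTML page, plus a simulation of the rewrite that
the upgrade-insecure-requests CSP directive applies to each insecure URL.

Added example, not code from the article, Google or Chrome. The page URL,
the HTML and the host names below are constructed sample input.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

# Sending this header (or the equivalent <meta http-equiv> tag) is what turns
# the directive on for a page.
CSP_HEADER = ("Content-Security-Policy", "upgrade-insecure-requests")

# Elements whose URL attributes the browser fetches as subresources of the page.
# <a href> is deliberately absent: a link the user may click is a navigation,
# not mixed content.
SUBRESOURCE_ATTRS = {
    "img": ("src",), "script": ("src",), "link": ("href",),
    "iframe": ("src",), "audio": ("src",), "video": ("src", "poster"),
    "source": ("src",), "object": ("data",), "embed": ("src",),
}

# Per the Mixed Content spec, image, audio and video requests are
# "optionally-blockable" (Chrome loads them and shows the warning icon);
# everything else is "blockable" and is refused on an HTTPS page.
OPTIONALLY_BLOCKABLE_TAGS = {"img", "audio", "video", "source"}


class SubresourceCollector(HTMLParser):
    """Collect (tag, attribute, raw URL) for every subresource reference."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = SUBRESOURCE_ATTRS.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name in wanted and value:
                self.refs.append((tag, name, value))


def upgrade_insecure_request(url):
    """Simulate the directive's rewrite: scheme http -> https and an explicit
    port 80 -> 443; everything else in the URL is left alone. There is no
    fallback: if the host does not answer on HTTPS, the resource fails to load."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    netloc = parts.netloc
    if netloc.endswith(":80"):
        netloc = netloc[:-3] + ":443"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def audit(page_url, html):
    """Return one record per subresource that an HTTPS page would fetch over
    plain HTTP: where it is, how Chrome treats it, and the URL the directive
    would fetch instead."""
    parser = SubresourceCollector()
    parser.feed(html)
    findings = []
    for tag, attr, raw in parser.refs:
        # urljoin resolves relative paths and protocol-relative "//host/..."
        # against the page URL, so those inherit https and are not mixed.
        absolute = urljoin(page_url, raw)
        if urlsplit(absolute).scheme != "http":
            continue
        kind = "optionally-blockable" if tag in OPTIONALLY_BLOCKABLE_TAGS else "blockable"
        findings.append({"tag": tag, "attr": attr, "url": absolute,
                         "kind": kind, "upgraded": upgrade_insecure_request(absolute)})
    return findings


# Constructed sample page standing in for a legacy article with hard-coded URLs.
SAMPLE_PAGE_URL = "https://news.example/2015/archive-story"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://static.example/site.css">
<script src="https://cdn.example/app.js"></script>
</head><body>
<img src="http://images.example:80/photo.jpg">
<img src="//images.example/logo.png">
<img src="/assets/relative.png">
<iframe src="http://ads.example/frame?id=1"></iframe>
<a href="http://partner.example/">partner link</a>
</body></html>
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"<{f['tag']} {f['attr']}> {f['url']} [{f['kind']}] -> {f['upgraded']}")
```

The upgrade is a rewrite, not a probe: the directive does not fall back to HTTP when the HTTPS fetch fails, so the practical use of a list like this is to confirm that every host in the `upgraded` column actually serves the resource over HTTPS before the header goes live. The protocol-relative and root-relative images in the sample are not reported because they already inherit the page's scheme, and the plain `<a>` link is not reported because navigations are not mixed content.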
The feature is outlined in a draft document submitted to the web standards body, W3C, that may become a standard.
The document highlights two good examples of legacy web content that fit the “hard-to-update” category: the BBC’s frozen archive, and the New York Times, which raised the issue of hard-coded URLs when considering making its website entirely HTTPS.
The Upgrade Insecure Resources initiative would also help further Google’s goal of nudging all websites over to HTTPS by giving those sites better rankings through its search engine — a move it made following disclosures about US government surveillance.
The arrival of the Chrome feature follows a call to action by the Interactive Advertising Bureau (IAB) — which represents publishers, platforms and advertisers — for online publishers to embrace HTTPS. But as the industry group highlighted, mixed content is a tricky obstacle for online publishers to overcome, given their dependence on advertising.
This article is brought to you by Enex TestLab, content directors for CSO Australia.