HTTPS does not mean that the site is secure, but it does guarantee that the connection between you and the destination server will be encrypted, avoiding data interception. But there is a problem: these pages can still load some types of content over an unprotected connection. This changes from Chrome 79, which will be released in December.
However, it is still possible to upload images, videos and audio through HTTP. This avoids breaks in the display of pages, but can cause security problems. “For example, an attacker could tamper with a mixed image of a stock chart to mislead investors, or inject a tracking cookie into a mixed asset,” says Google.
In addition, the user experience with mixed content is “confusing”, according to Google, because “the page is presented neither as secure nor as insecure, but as something in between”. In the case of Chrome, you may have seen it (and you may be seeing it right now) when the address bar shows the message “Your connection to this site is not completely secure”.
To avoid problems, Chrome will gradually block unsafe content within HTTPS sites. Preparation starts on Chrome 79, which arrives in December: it will have a new option to unlock mixed content, just by clicking on the lock icon and then on “Site settings”.
In Chrome 80, scheduled to be launched in January 2020, the blockade starts effectively: all mixed audio and video content will now be requested through HTTPS; if they don’t load, they won’t be displayed. The images will still be downloaded, but the browser will be clear in showing the message “Not secure” in the address bar.
Finally, in February 2020, on Chrome 81, all content on HTTPS sites will be requested by HTTPS only. Any image, audio or video served over an insecure connection will be blocked by default. Google recommends that sites migrate all content to HTTPS and use tools like Cloudflare to assist in the process.
Remember that HTTP should disappear from time to time: the new HTTP / 3 protocol no longer supports connection without encryption.