back to article Nix to the mix: Chrome to block passive HTTP content swirled into HTTPS pages

Google has announced forthcoming changes to the Chrome web browser that will prevent image, audio and video content from loading if they are served over HTTP. A typical web page includes content from multiple sources, and it is not really encrypted unless all the content is served over HTTPS. Chrome already blocks most HTTP …

  1. RichardBarrell

    I thought Chrome already did this, at least sometimes?

    ...or maybe I'm thinking of a different browser.

    I'm almost sure that I've seen at least *one* browser automatically block http requests on https origins.

    Good change, yay, well done and let's have all UAs do this. :)

    1. Anonymous Coward Silver badge
      Windows

      Re: I thought Chrome already did this, at least sometimes?

      Good ole Internet Explorer used to pop up a confirmation box for it.

      Ah, memories.

      1. Robert Grant

        Re: I thought Chrome already did this, at least sometimes?

        They would also pop up a box warning you of https as well, though.

    2. sbt Silver badge
      Meh

      It's been in Firefox for a little while

      I only notice it causing issues occasionally with broken image links. Mostly in old technical forums with in-line images. It's a pain for sites with legacy content and no way to upgrade the off-site links.

    3. GnuTzu Silver badge

      Re: I thought Chrome already did this, at least sometimes?

      It does. They mentioned it. But, they make a distinction:

      Passive mixed content refers to content that doesn't interact with the rest of the page, and thus a man-in-the-middle attack is restricted to what they can do if they intercept or change that content. Passive mixed content includes images, video, and audio content, along with other resources that cannot interact with the rest of the page.

      I'm not sure how well they can distinguish in the browser engine though, because I know I've seen images blocked for being HTTP in HTTPS before (which I had to fix on a server).

  2. doowles

    Wish they would do it sooner!

  3. The Basis of everything is...

    Buy stock in certificate authorities now

    Cos any server or application is going to need a certificate from a CA that Chrome trusts. Which will be fun for apps with a web GUI for installing certs, if you need to have the cert installed in order to install it.

    While I can use a private CA for my own test lab and the few machines I'm responsible for, this is not something I'd like to even attempt to deploy for the entire company. I can't even get a entry made in DNS in less than the life-time of testing, and if certs on the project BoM up front then it means a change request to finance and multiple reviews and sign-off just to get them to spend that extra £79 for something that will last 11 months longer than needed.

    1. Bronek Kozicki Silver badge

      Re: Buy stock in certificate authorities now

      Do you really need CA for everything? I've been using Let's Encrypt for years and do not see any problems. In fact, it is much better, thanks to certbot.

    2. Anonymous Coward
      Anonymous Coward

      Re: Buy stock in certificate authorities now

      You've missed the CA boom by at least 10 years - CA's are consolidating and free CA's are becoming common.

  4. big_D Silver badge
    Holmes

    Privacy issue...

    Even if the attacker doesn't alter the content of your site, you still have a large privacy issue

    Yes, that would be Chrome.

  5. msknight Silver badge

    Smaller sites get penalised

    As I'm on a shared host, if I engage the free certificate that the hosting provider offers via my cpanel, some things like PHP, will break. At least that's what the warning said. So... silly little warnings in the chrome bar, or completely non-functioning site. hmmm.... difficult choice.

    1. richardcox13

      Re: Smaller sites get penalised

      > some things like PHP, will break

      Only if buggy.

      Opps sorry, you said PHP so that's quite likely.

      A round of testing/validation will be needed but likely most things will work. Most of these issues are likely problems that have not previously been noticed/reported anyway.

      And with certificates now freely available there is little excuse.

  6. Luiz Abdala Bronze badge
    Stop

    HTTP is going the way of incandescent light bulbs...?

    The first version was revolutionary... and is now becoming illegal/banned/frowned upon.

    Not to mention Flash...

    1. Pascal

      Re: HTTP is going the way of incandescent light bulbs...?

      It's true, flash bulbs are long gone.

      1. GnuTzu Silver badge

        Re: HTTP is going the way of incandescent light bulbs...?

        Flash bulbs often seemed to have a variety of fascinating filament designs, and soon no one will have direct memory of ever seeing one--unless a few get preserved in a museum.

    2. Oengus Silver badge

      Re: HTTP is going the way of incandescent light bulbs...?

      It might take a while to get rid of it just like incandescent light bulbs

  7. Zippy´s Sausage Factory

    How can anything be 255% slower than something else? Yes, it may have taken 255% of the time, but that's dividing the wrong way surely? Shouldn't it be 72% slower because http/2 only took 28% of the time of http? Or am I just being picky?

  8. Tom Paine Silver badge

    An attacker with access to the network path between client and server can intercept HTTP requests for images on your site and swap or replace these images; the attacker can swap the save and delete button images, causing your users to delete content without intending to; replace your product diagrams with lewd or pornographic content, defacing your site; or replace your product pictures with ads for a different site or product.

    Fixed that for Google.

    Has anyone seen any evidence of these sort of attacks in the wild, apart from pranks at Defcon?

    1. Anonymous Coward
      Anonymous Coward

      Would malware in ads be a similar example?

      I have seen pornography or malware delivered via compromised ad sites that rely on HTTP to pull in the unwanted content as they can't use HTTPS without the necessary certificates.

      1. Claverhouse Silver badge

        Never heard the great Pornmasters were ever hurting for money, what on earth stops them from buying cheap certificates, or even using Lets Encrypt ?

        Not like one has to provide a morals affidavit to either buy an SSL or run a website.

        SSL helps very few people anyway, especially since one can vouch for oneself.

    2. Anonymous Coward
      Anonymous Coward

      Does the Chinese Cannon ring a bell?

  9. druck Silver badge
    Stop

    Not wanted or needed

    I've got dozens of Raspberry Pis with web servers providing anything from temperature data to video streams. Many of these are older slower models that https will put an increased burden on, so I neither want to or need to do this. They are only ever accessed on the local network or via my routers VPN, so there is no security benefit. Any browser which prevents me accessing my own systems will be unceremoniously dumped.

    1. Anonymous Coward
      Anonymous Coward

      Re: Not wanted or needed

      Pretty certain local addresses are handled differently dude.

    2. MJB7 Silver badge

      Re: Not wanted or needed

      There is no problem if you want to display the output in an HTTP page. The problem arises if you want to serve an HTTPS page and embed the video stream via HTTP.

  10. Anonymous Coward
    Anonymous Coward

    Block *others* from advertising, eh?

    "you will have to move everything to HTTPS in order to avoid warnings in Chrome and search penalties"

    Why I get the vibe that Google has already moved all of their own advertising to HTTPS and the actual reason for is to block advertising from other companies?

    Is it just me?

  11. DougS Silver badge

    *GOOGLE* is worried about an attacker injecting tracking cookies?

    Don't like others playing their game?

    1. pavel.petrman Bronze badge

      Re: *GOOGLE* is worried about an attacker injecting tracking cookies?

      Google are slowly but relentlessly walling up their garden and by the looks of it their garden is the whole web. Remember the great wall in one eastern country - it, too, was primarily not to let subject escape and only secondarily to protect the realm from invaders.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019