Google is running an auto-update experiment to fix HTTPS mixed content errors in Chrome


Google engineers are looking for a solution to mixed content errors in HTTPS and they seem to have the right idea.

This week, the Google Chrome team will be carrying out an experiment to find solutions to an HTTPS problem that Mozilla also tried to solve last year. The problem Google is trying to solve is called “mixed content,” as described below by Google:

For browser makers and other organizations that have been pushing for HTTPS adoption, mixed content has been a major problem for the past few years.

Mixed content occurs when initial HTML [a web page] is loaded over a secure HTTPS connection, but other resources (such as images, videos, stylesheets, scripts) are loaded over an insecure HTTP connection. This is called mixed content because both HTTP and HTTPS content are being loaded to display the same page, and the initial request was secure over HTTPS. Modern browsers display warnings about this type of content to indicate to the user that this page contains insecure resources.

Mixed content browser errors, which sometimes block users from accessing a website, scared many website operators away from migrating to HTTPS, many fearing that they would lose traffic revenue for no tangible benefit in supporting HTTPS.

Addressing mixed content errors in web browsers is probably the last major obstacle to persuading website operators to move to HTTPS.

This week, Google engineers launched a Chrome experiment in which they configured the browser to upgrade mixed content to full HTTPS automatically. Chrome does this by silently rewriting the resource URL (of images, videos, style sheets, scripts) from HTTP to HTTPS.

If the same resource exists at the HTTPS URL, it loads as usual. If the resource is not available at the HTTPS URL, Chrome logs the error and carries out one of the several fallback scenarios configured for this experiment (detailed in this document).

The general idea is that when website owners migrated their sites to HTTPS, they may have forgotten to update the source code of their pages, leaving some content loading over HTTP even on pages served over HTTPS.
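The rewrite described above, resolving each subresource URL against the HTTPS page and changing its scheme from http to https, doubles as the check a site operator would run to find the leftover HTTP references. The following Python is an added example, not Chrome's code; the tag list is a common subset of subresource attributes and the sample page is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

# Tag -> attribute that fetches a subresource (a common subset, not exhaustive).
SUBRESOURCE_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "audio": "src",
    "video": "src", "source": "src", "embed": "src", "link": "href",
}

class MixedContentAuditor(HTMLParser):
    """Collect (tag, original URL, upgraded URL) for every http:// subresource."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_name = SUBRESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        # Only <link rel="stylesheet"> is fetched as a subresource here.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        raw = attrs.get(attr_name)
        if not raw:
            return
        # Relative and protocol-relative ("//host/...") URLs inherit https: not mixed.
        absolute = urljoin(self.page_url, raw.strip())
        parts = urlsplit(absolute)
        if parts.scheme == "http":
            upgraded = urlunsplit(("https",) + tuple(parts[1:]))
            self.findings.append((tag, absolute, upgraded))

def audit_mixed_content(page_url, html):
    """Return mixed-content findings; empty for a clean page or an HTTP page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content is only defined for an HTTPS top-level page
    auditor = MixedContentAuditor(page_url)
    auditor.feed(html)
    return auditor.findings

# Constructed sample page; example.com is a reserved documentation domain.
SAMPLE = """<html><head><link rel="stylesheet" href="http://example.com/site.css">
<script src="//example.com/app.js"></script></head><body><img src="/logo.png">
<img src="http://example.com/banner.png"><video src="https://example.com/clip.mp4"></video></body></html>"""

if __name__ == "__main__":
    for tag, original, upgraded in audit_mixed_content("https://example.com/", SAMPLE):
        print(f"<{tag}> {original} -> {upgraded}")
```

Only the stylesheet and the second image are reported; the protocol-relative script and the relative logo already resolve to https.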

The purpose of this experiment is to give Google engineers insight into how many websites would break if Chrome automatically upgraded all mixed content to HTTPS by default, and which fallback strategy works best for HTTP resources that cannot be upgraded.

If the percentage of broken resources and sites is small, Google engineers will probably consider shipping this auto-update-to-HTTPS feature in the main Chrome browser, taking another step towards a safer web.

For now, Google intends to roll out the experiment to approximately one percent of its Chrome Canary user base (users who have enabled the chrome://flags/#enable-origin-trials flag). Google's experiment won't be the first of its kind: Mozilla tested a similar mixed content auto-update in Firefox last year.

“They found a lot of breakage, but we hope things have improved since their experiment,” Google security engineer Emily Stark said. Other mixed content experiments are also planned.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.