The AchieVer

Google is running an auto-update-to-HTTPS experiment in Chrome


Google engineers are looking for a fix for HTTPS mixed content errors and they appear to have the right idea.

 

The Google Chrome team will be running an experiment this week in an attempt to find solutions to an HTTPS problem that Mozilla also attempted to solve last year.

 

The problem that Google is trying to solve is called "mixed content," which Google describes as below:

Mixed content occurs when initial HTML [a web page] is loaded over a secure HTTPS connection, but other resources (such as images, videos, stylesheets, scripts) are loaded over an insecure HTTP connection. This is called mixed content because both HTTP and HTTPS content are being loaded to display the same page, and the initial request was secure over HTTPS. Modern browsers display warnings about this type of content to indicate to the user that this page contains insecure resources.

For the past few years, mixed content has been a big problem for browser makers and other organizations that have been pushing HTTPS adoption.

Mixed content browser errors --which sometimes are known to block users from accessing a website altogether-- have scared many site operators from migrating to HTTPS, many fearing they'd lose traffic revenue for no tangible benefit for supporting HTTPS.

Addressing mixed content errors that appear in web browsers is probably the last major hurdle in convincing site operators to move to HTTPS.

This week, Google engineers rolled out an experiment in Chrome where they configured the browser to automatically upgrade any mixed content to full HTTPS.

Chrome would do this by secretly changing the URL of resources (such as images, videos, stylesheets, scripts) from their HTTP version to an HTTPS alternative.

If the same resource exists on an HTTPS link, then everything loads as normal. If the resource doesn't exist on an alternative HTTPS link, Chrome logs the error and executes one of the many scenarios configured for this experiment (detailed in this document).

The general idea is that when website owners updated their sites to use HTTPS, they might have forgotten to change their sites' source code, and some content was left to load via HTTP, even though it could have loaded via HTTPS just fine.
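An added example, not from the original article and not Chrome's code: a Python audit a site operator could run over a page's HTML to list the subresources still referenced over HTTP, with the HTTPS URL an upgrade would request. The tag table, the handling of an explicit port 80 and the sample page are assumptions made for this sketch.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Assumption: tag -> attribute that triggers a subresource load. Plain
# <a href> links are navigations, not mixed content, so they are absent.
SUBRESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src",
                     "video": "src", "audio": "src", "source": "src", "link": "href"}

def upgrade(url):
    """Return the HTTPS form of an http:// URL (same host, path, query)."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    # This example's choice: drop an explicit :80, which is the HTTP default.
    netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, insecure_url, upgraded_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = SUBRESOURCE_ATTRS.get(tag)
        url = (attrs.get(attr) or "").strip() if attr else ""
        # Simplification: only count <link> when it loads a stylesheet.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        # Protocol-relative (//host/x) and https:// URLs are not mixed content.
        if urlsplit(url).scheme == "http":
            self.findings.append((tag, url, upgrade(url)))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.findings

# Constructed sample page (hypothetical hosts), assumed to be served over HTTPS.
SAMPLE_PAGE = """
<link rel="stylesheet" href="http://static.example.test/site.css">
<script src="https://cdn.example.test/app.js"></script>
<script src="//cdn.example.test/lib.js"></script>
<a href="http://example.test/about">About</a>
<img src="http://img.example.test:80/logo.png?v=2">
"""

if __name__ == "__main__":
    for tag, old, new in find_mixed_content(SAMPLE_PAGE):
        print(f"<{tag}> {old} -> {new}")
```

Each upgraded URL still has to be fetched to confirm the resource actually exists over HTTPS before the page source is changed.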

The purpose of this experiment is so Google engineers can gain insight into how many websites would break if Chrome would auto-update all mixed content sites to HTTPS by default, and what's the best fallback strategy for mixed content HTTP URLs that break.

If the percentage of broken links and sites is small, Google engineers would most likely think about shipping this auto-update-to-HTTPS feature in the main Chrome browser and take yet another step towards a more secure web.

For now, Google intends to roll out the experiment to roughly one percent of its Chrome Canary userbase (who've enabled the chrome://flags/#enable-origin-trials flag).

Google's experiment will not be the first of its kind. Mozilla tested a similar mixed content auto-update in Firefox last year.

"They found a lot of breakage, but we're hoping things have improved since their experiment," said Emily Stark, a Google security engineer.

Other experiments for dealing with mixed content are also scheduled.

 

 
