Can HTTP mixed content be dangerous?
In browser terminology, content served over HTTP on an HTTPS-enabled website is regarded as ‘mixed content,’ and such downloads are called ‘mixed content downloads.’ Users can easily overlook such insecure content because they are trained to check for the padlock in the address bar. In fact, in research conducted by PhishLabs, more than 80% of respondents believed the green lock (back then it was green) indicated that a website was legitimate and/or safe. They might therefore assume that any download on an HTTPS website is also secure. However, this is not always the case.
An attacker could exploit this by substituting a malicious file, such as malware, for the file you think you’re downloading. This way, it can find its way into your systems, and attackers can easily read your insecurely downloaded bank statements.
Another reason mixed content is potentially dangerous is that it weakens your security and privacy by making the page vulnerable to man-in-the-middle (MitM) attacks. In these attacks, an attacker eavesdrops on a network connection and can view and/or modify the communication between the two parties. Moreover, an attacker can not only take control of the compromised resource but can potentially take total control over the entire page. This is as dangerous as it gets.
Google plans to root out HTTP mixed content
Google has recognized the risks inherent in HTTP downloads for quite a while now. In April 2019, it was reported that Google had proposed to other browser companies that they block HTTP downloads on websites using HTTPS. In this proposal, Google asked fellow browser makers to block such downloads when they are served on a website secured through HTTPS. As per ZDNet, Mozilla was interested in “exploring these ideas further in conversation with Google and other interested parties.”
Almost eight months later, Google turned this exploration into action by announcing a roadmap to block HTTP downloads in upcoming versions of Google Chrome. The first step in this quest is blocking these downloads from HTTPS sites, as users expect such downloads to be safe. Google decided to execute this in six steps, each taking effect with the release of a new version of Chrome.
What does this mean for your users?
This is surely a good step for everyday users, as it is going to enhance their security and privacy. However, this doesn’t mean the trouble of malicious downloads is over. Even if the website and the download link are served over HTTPS, there’s no reason to presume the download is safe: the files can still be malicious even when they are served over HTTPS. If you download a virus- or malware-infected file, an attacker could easily wreak havoc by taking control of your computer. Therefore, responsibility for your security remains in your hands, even once Chrome blocks HTTP downloads. This is all the more true now that it has been reported that more and more cyber attackers are using HTTPS websites as bait to make victims do what they want.
What does this mean for developers?
If you’re a web developer, there’s only one thing you need to do: serve all content over HTTPS. Finding such links can be a mammoth task if you have a huge website, but there are many mixed content checker tools available on the internet. You should scan your website for all such content and migrate completely to HTTPS.
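Such a checker need not be complicated. The following is an added example, not a tool from the original article: using only the Python standard library, it parses a page served over HTTPS and reports every resource reference or link (including download links) that a browser would fetch over plain HTTP. The page URL and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute naming a fetched resource or a navigable/download link.
URL_ATTRS = {"script": "src", "img": "src", "link": "href", "iframe": "src",
             "audio": "src", "video": "src", "source": "src", "object": "data",
             "embed": "src", "form": "action", "a": "href"}


class MixedContentFinder(HTMLParser):
    """Collects every http:// reference found while parsing an HTTPS page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, attribute, absolute URL)

    def handle_starttag(self, tag, attrs):
        wanted = URL_ATTRS.get(tag)
        value = dict(attrs).get(wanted) if wanted else None
        if not value:
            return
        # urljoin resolves relative ("/x.pdf") and protocol-relative
        # ("//cdn/x.js") URLs against the HTTPS page, so only references
        # that explicitly name http:// survive the scheme check below.
        absolute = urljoin(self.page_url, value.strip())
        if urlsplit(absolute).scheme == "http":
            self.findings.append((tag, wanted, absolute))


def find_mixed_content(page_url, html):
    """Return [(tag, attr, url)] for each plain-HTTP reference in `html`."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content only applies to pages served over HTTPS")
    parser = MixedContentFinder(page_url)
    parser.feed(html)
    return parser.findings


# Constructed sample page: two insecure references among safe ones.
SAMPLE_HTML = """<html><body>
<script src="http://cdn.example.com/app.js"></script>
<img src="//static.example.com/logo.png">
<a href="/reports/statement.pdf" download>Statement</a>
<a href="http://files.example.com/statement.pdf" download>Old mirror</a>
<form action="https://example.com/login"></form>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content("https://example.com/", SAMPLE_HTML):
        print(f"<{tag} {attr}> -> {url}")
```

Run it against your own pages' HTML (fetched over HTTPS) and fix every reported reference before Chrome blocks it for your users.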
When will we finally sunset HTTP?
Google has been on a quest to make HTTPS the standard on the internet, and blocking HTTP downloads marks an important milestone in it. All other major browsers are expected to follow suit, as all of them have been moving in harmony as far as making the web HTTPS-only is concerned.