Google is running an auto-update-to-HTTPS experiment in Chrome
The Google Chrome team will be running an experiment this week in an attempt to find solutions to an HTTPS problem that Mozilla also attempted to solve last year.
The problem that Google is trying to solve is called "mixed content," which Google describes as follows:
Mixed content occurs when initial HTML [a web page] is loaded over a secure HTTPS connection, but other resources (such as images, videos, stylesheets, scripts) are loaded over an insecure HTTP connection. This is called mixed content because both HTTP and HTTPS content are being loaded to display the same page, and the initial request was secure over HTTPS. Modern browsers display warnings about this type of content to indicate to the user that this page contains insecure resources.
For the past few years, mixed content has been a big problem for browser makers and other organizations that have been pushing HTTPS adoption.
Mixed content browser errors, which are sometimes known to block users from accessing a website altogether, have scared many site operators away from migrating to HTTPS, many fearing they'd lose traffic revenue with no tangible benefit in return for supporting HTTPS.
Addressing mixed content errors that appear in web browsers is probably the last major hurdle in convincing site operators to move to HTTPS.
This week, Google engineers rolled out an experiment in Chrome where they configured the browser to automatically upgrade any mixed content to full HTTPS.
Chrome would do this by secretly changing the URL of resources (such as images, videos, stylesheets, scripts) from their HTTP version to an HTTPS alternative.
If the same resource exists at an HTTPS URL, everything loads as normal. If the resource doesn't exist at the alternative HTTPS URL, Chrome logs the error and executes one of the many fallback scenarios configured for this experiment (detailed in this document).
The general idea is that when website owners upgraded their sites to HTTPS, they may have forgotten to update their sites' source code, so some content was left loading via HTTP even though it could have loaded via HTTPS just fine.
The purpose of this experiment is to let Google engineers gauge how many websites would break if Chrome auto-upgraded all mixed content to HTTPS by default, and what the best fallback strategy is for mixed content HTTP URLs that break.
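To make the upgrade-and-fallback behaviour concrete, here is an added Python example (not Chrome's code) that emulates it against a constructed sample page: it finds http:// subresources, rewrites them to https://, and keeps those with no HTTPS alternative on a blocked list instead of loading them insecurely. The availability check is injected so the example runs offline with a stub; a real check would be a HEAD request against the https:// URL.

```python
import logging
from html.parser import HTMLParser
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit, urlunsplit

# Tags and attributes through which a page pulls in subresources.
SUBRESOURCE_ATTRS = {"img": "src", "script": "src", "link": "href", "video": "src",
                     "audio": "src", "iframe": "src", "source": "src"}


class MixedContentFinder(HTMLParser):
    """Collect http:// subresource URLs referenced from a page served over HTTPS."""

    def __init__(self) -> None:
        super().__init__()
        self.insecure: List[Tuple[str, str]] = []  # (tag, url)

    def handle_starttag(self, tag, attrs):
        attr = SUBRESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr)
        # Scheme-relative ("//host/x") and https:// URLs are already fine; only plain http:// counts.
        if url and urlsplit(url).scheme == "http":
            self.insecure.append((tag, url))


def upgrade_mixed_content(html: str, https_available: Callable[[str], bool]) -> Dict[str, List[str]]:
    """Emulate the experiment: rewrite each http:// subresource to https://. If the HTTPS copy is
    unavailable, log it and list it as blocked rather than fetching it over HTTP."""
    finder = MixedContentFinder()
    finder.feed(html)
    result: Dict[str, List[str]] = {"upgraded": [], "blocked": []}
    for tag, url in finder.insecure:
        parts = urlsplit(url)
        candidate = urlunsplit(("https",) + tuple(parts[1:]))  # same host/path, secure scheme
        if https_available(candidate):
            result["upgraded"].append(candidate)
        else:
            logging.warning("no HTTPS alternative for <%s> %s", tag, url)
            result["blocked"].append(url)
    return result


# Constructed sample page and a stub availability map standing in for network checks.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<script src="https://cdn.example/app.js"></script>
</head><body>
<img src="http://img.example/logo.png">
<img src="http://legacy.example/banner.gif">
</body></html>"""
STUB_HTTPS_HOSTS = {"cdn.example", "img.example"}  # legacy.example has no HTTPS endpoint


def stub_https_available(url: str) -> bool:
    return urlsplit(url).hostname in STUB_HTTPS_HOSTS
```

Running `upgrade_mixed_content(SAMPLE_HTML, stub_https_available)` upgrades the stylesheet and logo and reports the legacy banner as blocked, which is the per-resource breakage count the experiment is designed to measure.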
If the percentage of broken links and sites is small, Google engineers would most likely think about shipping this auto-update-to-HTTPS feature in the main Chrome browser and take yet another step towards a more secure web.
For now, Google intends to roll out the experiment to roughly one percent of its Chrome Canary userbase.
Google's experiment will not be the first of its kind. Mozilla tested a similar mixed content auto-upgrade in Firefox last year.
"They found a lot of breakage, but we're hoping things have improved since their experiment," said Emily Stark, a Google security engineer.
Other experiments for dealing with mixed content are also scheduled.