
Google runs an automatic update experiment for HTTPS in Chrome


The Google Chrome team is running an experiment this week in an effort to find solutions to an HTTPS problem that Mozilla also attempted to solve last year.

The problem that Google is trying to solve is called "mixed content", which Google describes as follows:

Mixed content occurs when the first HTML file [a web page] is loaded over a secure HTTPS connection, but other resources (e.g. images, videos, stylesheets, scripts) are loaded over an insecure HTTP connection. This is called mixed content because both HTTP and HTTPS content are loaded to display the same page, and the first request was secure over HTTPS. Modern browsers display warnings about this type of content to indicate to the user that this site contains unsafe resources.

In recent years, mixed content has been a major problem for browsers and other organizations that have pushed HTTPS adoption.

Mixed content browser errors, sometimes known to block users from accessing a website, have frightened many site operators away from migrating to HTTPS, and many fear they will lose traffic and revenue without gaining any benefit from supporting HTTPS.

Mixed content errors displayed in browsers are probably the last major obstacle in convincing site operators to move to HTTPS.

This week, Google engineers have rolled out an experiment in Chrome where they configured the browser to automatically upgrade all mixed content to full HTTPS.

Chrome would do this by silently changing the URL of resources (such as images, videos, stylesheets, scripts) from the HTTP version to an HTTPS alternative.

If the same resource exists at the HTTPS URL, everything loads normally. If the resource does not exist at the alternative HTTPS URL, Chrome logs the error and performs one of the many scenarios configured for this experiment (detailed in this document).

The general idea is that when site owners update their sites to use HTTPS, they may have forgotten to change the source code of their sites, and some content was left to load via HTTP, even though it might have loaded via HTTPS just fine.
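One way a site operator could find such leftover references in a page's source, as an added example that is not from the article or from Chrome's code. The function names and the sample page are constructed, and `upgrade` only mirrors the HTTP-to-HTTPS URL change the experiment is described as making.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Tag -> URL attribute that triggers a subresource load (the images, videos,
# stylesheets and scripts the article lists). <a href> is navigation: absent.
SUBRESOURCE_ATTRS = {"img": "src", "script": "src", "video": "src", "source": "src", "link": "href"}

def upgrade(url):
    """Return the https:// form of an http:// URL, or None if it is not http."""
    parts = urlsplit(url.strip())
    if parts.scheme != "http":   # urlsplit lowercases the scheme
        return None              # relative, //host/... and https URLs are fine
    return urlunsplit(("https",) + tuple(parts[1:]))

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []       # (tag, original URL, upgraded URL)
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get(SUBRESOURCE_ATTRS.get(tag, ""))
        if not url:
            return
        # <link> is checked only when it is a stylesheet; rel=canonical loads nothing.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower().split():
            return
        upgraded = upgrade(url)
        if upgraded:
            self.findings.append((tag, url, upgraded))

def find_mixed_content(html):
    """List http:// subresources in the source of a page served over HTTPS."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page (hypothetical hosts), assumed to be served over HTTPS.
SAMPLE = """
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://www.example.com/">
<script src="HTTP://cdn.example.com/app.js?v=2"></script>
<img src="/logo.png"><img src="//img.example.com/a.png">
<img src="http://img.example.com/b.png">
<a href="http://other.example.org/">link</a>
"""

if __name__ == "__main__":
    print(*find_mixed_content(SAMPLE), sep="\n")
```

The scan is static: it reports where the source still says `http://`, but does not check that each resource actually exists at the HTTPS URL.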

The purpose of this experiment is to give Google engineers insight into how many sites would break if Chrome automatically upgraded all mixed content to HTTPS by default, and what the best fallback strategy is for mixed content HTTP URLs that break.

If the percentage of broken links and websites is small, Google engineers will probably consider shipping this auto-upgrade-to-HTTPS feature in the main Chrome browser, taking another step towards a safer web.

For now, Google intends to roll out the experiment to about one percent of its Chrome Canary user base (users who have enabled the chrome://flags/#enable-origin-trials flag).

Google's experiment is not the first of its kind. Mozilla tested a similar automatic upgrade in Firefox last year.

"They found a lot of violations, but we hope things have improved since the experiment," said Emily Stark, a security engineer from Google.

Other experiments to handle mixed content are also planned.
