Chrome 46 loosens up on HTTPS 'mixed content' warnings

The browser -- known for being a bit overkill -- finally drops the yellow warning attached to pages with both secure and non-secure content.

Google's Chrome browser will no longer display a yellow warning when a page has a mix of encrypted and non-secure content.

The move, announced Tuesday on a company blog alongside the release of the updated Chrome 46 version, is aimed in part at nudging website owners towards adopting encryption sooner rather than later.


However, the reassuring green "https" in the browser's address field will remain reserved for fully encrypted pages.

Mixed-content errors are commonplace, appearing on websites that are fully encrypted with modern cryptography but also contain elements that are not encrypted. These errors often come from text-based or banner ads that are served by third-party companies with no encryption. Only a handful of ad networks provide an encrypted service (though Google itself does), despite the security benefit it offers, such as preventing man-in-the-middle attacks.
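
A minimal checker for the condition described above, added here as an illustration (it is not from Google or the original article): it lists the subresources an HTTPS page would fetch over plain HTTP. The hostnames and sample markup are constructed, and it inspects only tag attributes, not CSS or script-initiated requests.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that triggers a subresource fetch (<a href> is navigation).
SUBRESOURCE_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "embed": "src",
    "audio": "src", "video": "src", "source": "src", "object": "data",
}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, resolved_url) pairs

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":  # <link> is checked here only when it loads a stylesheet
            rels = (attrs.get("rel") or "").lower().split()
            url = attrs.get("href") if "stylesheet" in rels else None
        else:
            url = attrs.get(SUBRESOURCE_ATTRS.get(tag, ""))
        # Relative and protocol-relative (//host/..) URLs inherit the page scheme.
        resolved = urljoin(self.page_url, (url or "").strip())
        if url and urlsplit(resolved).scheme == "http":
            self.findings.append((tag, resolved))

def find_mixed_content(page_url, html):
    """Return plain-HTTP subresources referenced by a page served over HTTPS."""
    if urlsplit(page_url).scheme != "https":
        return []  # an HTTP page has no secure state to degrade
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; all hosts are placeholders.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="//cdn.example.com/lib.js"></script>
</head><body>
<a href="http://example.org/about">About</a>
<script src="http://ads.example.net/banner.js"></script>
<img src="http://ads.example.net/pixel.gif" />
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_mixed_content("https://www.example.com/news", SAMPLE_PAGE):
        print(f"insecure <{tag}>: {url}")
```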

Google said its new three-state security system -- which now groups HTTPS pages with minor errors together with HTTP pages -- will help represent the security state of a website more accurately to the user.

Google's Lucas Garron and Chris Palmer explained: "We've come to understand that our yellow 'caution triangle' badge can be confusing when compared to the HTTP page icon, and we believe that it is better not to emphasize the difference in security between these two states to most users. For developers and other interested users, it will still be possible to tell the difference by checking whether the URL begins with 'https://'."

Garron and Palmer said the company's goal is for two eventual states: secure, and not secure.

CloudFlare chief executive Matthew Prince said in a conversation in our New York newsroom last week that, among other things, moving away from mixed-content warnings would help make the internet more secure in the long run.

"Should mixed content be a scarier warning than a server expiring?" he said, shaking his head.

Prince added that his company, which provides content delivery services and network security to websites and services, is "playing" with the issue in an effort to try to fix mixed-content warnings.

"Ad networks will hate that, but we say we'll stop when you update to HTTPS," he said.