Google is running an auto-update-to-HTTPS experiment in Chrome
The Google Chrome team will be running an experiment this week in an attempt to find solutions to an HTTPS problem that Mozilla also attempted to solve last year.
The problem that Google is trying to solve is called “mixed content,” which Google describes as follows:
Mixed content occurs when initial HTML [a web page] is loaded over a secure HTTPS connection, but other resources (such as images, videos, stylesheets, scripts) are loaded over an insecure HTTP connection. This is called mixed content because both HTTP and HTTPS content are being loaded to display the same page, and the initial request was secure over HTTPS. Modern browsers display warnings about this type of content to indicate to the user that this page contains insecure resources.
For the past few years, mixed content has been a big problem for browser makers and other organizations that have been pushing HTTPS adoption.
Mixed content browser errors, which sometimes block users from accessing a website altogether, have scared many site operators away from migrating to HTTPS, many fearing they’d lose traffic revenue for no tangible benefit from supporting HTTPS.
Addressing mixed content errors that appear in web browsers is probably the last major hurdle in convincing site operators to move to HTTPS.
This week, Google engineers rolled out an experiment in Chrome where they configured the browser to automatically upgrade any mixed content to full HTTPS.
Chrome would do this by secretly changing the URL of resources (such as images, videos, stylesheets, scripts) from their HTTP version to an HTTPS alternative.
If the same resource exists at an HTTPS link, everything loads as normal. If the resource doesn’t exist at an alternative HTTPS link, Chrome logs the error and executes one of the many scenarios configured for this experiment (detailed in this document).
The general idea is that when website owners updated their sites to use HTTPS, they might have forgotten to change their sites’ source code, leaving some content to load via HTTP even though it could have loaded via HTTPS just fine.
The purpose of this experiment is to give Google engineers insight into how many websites would break if Chrome auto-upgraded all mixed content to HTTPS by default, and what the best fallback strategy is for mixed content HTTP URLs that break.
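To make the experiment's logic concrete, here is an added example (not Chrome's code) that models it in JavaScript: a subresource referenced from an HTTPS page is classified as mixed content if it is plain HTTP, rewritten to its HTTPS alternative, probed, and, if the alternative does not exist, logged and handled by a fallback policy. The probe function, the sample URLs and the two fallback policies ("block" and "fallback-http") are assumptions for illustration, not the scenarios Google configured.

```javascript
// Added example, not Chrome's code: models the auto-upgrade experiment.
// Only http:// subresources on an https:// page are mixed content; those
// get rewritten to https:// with host, path and query unchanged.
function classifyResource(pageUrl, resourceUrl) {
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl, pageUrl); // resolve relative references
  if (page.protocol !== 'https:' || res.protocol !== 'http:') {
    return { mixed: false, original: res.href, upgraded: null };
  }
  const upgraded = new URL(res.href);
  upgraded.protocol = 'https:'; // only the scheme changes
  return { mixed: true, original: res.href, upgraded: upgraded.href };
}

// probe(url) -> true if the resource is reachable at its HTTPS alternative.
// policy is an assumed fallback strategy applied when the probe fails.
function loadSubresource(pageUrl, resourceUrl, probe, policy, log) {
  const c = classifyResource(pageUrl, resourceUrl);
  if (!c.mixed) return { url: c.original, action: 'load' };
  if (probe(c.upgraded)) return { url: c.upgraded, action: 'upgrade' };
  log.push(`upgrade failed: ${c.original} -> ${c.upgraded}`);
  if (policy === 'block') return { url: null, action: 'block' };
  if (policy === 'fallback-http') return { url: c.original, action: 'fallback-http' };
  throw new Error(`unknown policy: ${policy}`);
}

// Constructed sample: the only resource our hypothetical probe finds over HTTPS.
const HTTPS_AVAILABLE = new Set(['https://cdn.example.com/logo.png']);
const sampleProbe = (url) => HTTPS_AVAILABLE.has(url);

// Runs three constructed references from one HTTPS page through the model:
// an upgradable image, a legacy script with no HTTPS alternative, and a
// relative stylesheet that was never mixed content.
function demo() {
  const page = 'https://www.example.com/index.html';
  const log = [];
  const results = [
    loadSubresource(page, 'http://cdn.example.com/logo.png', sampleProbe, 'block', log),
    loadSubresource(page, 'http://legacy.example.org/old.js', sampleProbe, 'block', log),
    loadSubresource(page, '/styles/site.css', sampleProbe, 'block', log),
  ];
  return { results, log };
}
```

Running `demo()` upgrades the image, blocks the legacy script (one log entry), and loads the stylesheet unchanged because it already resolves to HTTPS.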
If the percentage of broken links and sites is small, Google engineers would most likely think about shipping this auto-update-to-HTTPS feature in the main Chrome browser and take yet another step towards a more secure web.
For now, Google intends to roll out the experiment to roughly one percent of its Chrome Canary userbase (who’ve enabled the chrome://flags/#enable-origin-trials flag).
Google’s experiment will not be the first of its kind. Mozilla tested a similar mixed content auto-update in Firefox last year.
“They found a lot of breakage, but we’re hoping things have improved since their experiment,” said Emily Stark, a Google security engineer.
Other experiments for dealing with mixed content are also scheduled.