In early 2020 Google's Chrome browser is releasing a number of updates that focus on improving security for website visitors.
The imminent updates don't just have user experience implications; in some cases users could be completely blocked from visiting your website.
Find out what is changing, why it's changing, and what you can do about it, in order to protect your website from potentially catastrophic issues.
How to Safeguard Your Site from Chrome's New Security Updates
1. How to Safeguard Your Site from Chrome's New Security Updates
22nd January 2020
Patrick Hathaway
@HathawayP
2. What this presentation covers
1. What is changing in Chrome and why.
2. Mixed content - what does it mean?
3. Insecure TLS - what does it mean?
4. How to audit security issues.
3. Google care about security
1. In 2011 they adopted HTTPS.
2. In 2014 HTTPS became a ranking factor in search.
3. In 2018 Chrome began marking HTTP sites as ‘not secure’.
4. In 2020… plenty more to come.
6. Why you should also care about security
• Visitors might start seeing warnings when they arrive at your site.
• Your pages might have missing elements.
• Worst case scenario is that browsers might start blocking your content from displaying at all.
7. Chrome security updates Q1 2020
1. Chrome will gradually start blocking mixed content by default.
2. Chrome (and the other major browsers) will stop supporting deprecated TLS protocol versions (TLS 1.0 and TLS 1.1).
8. #1 Mixed Content – what is it?
When a web page is loaded over HTTPS and some of the page resources load over HTTP.
So the page is a mix of HTTPS and HTTP. It is a per-page issue: you find it by looking at the resource URLs each page references.
9. Example – image loaded over HTTP
This page loads over https:// but contains an image that loads over http://
10. This could be any page resource URL
• Image
• Video
• Audio
• JavaScript
• CSS
• IFrame
• Etc…
12. Chrome ‘mixed content timeline’
1. Chrome 80 (February 4th 2020) - mixed audio and video resources will be autoupgraded, or blocked if they don’t load over https://.
2. Chrome 81 (March 17th 2020) - mixed images will be autoupgraded, or blocked if they don’t load over https://.
13. What does ‘autoupgrade’ mean?
If Chrome finds a resource URL on http://, behind the scenes it rewrites the URL to https:// and tries to load that instead.
The issue is resources that are not accessible over https://: the https:// request fails, Chrome does not fall back to http://, and the resource simply will not be loaded.
14. Not loaded = not actually on the page
If product images can’t be loaded over https:// they will not be displayed.
15. You’ll still get the padlock
Chrome will still show the padlock and report the page as secure when insecure content has been blocked, because nothing insecure actually loaded. Nothing in the address bar tells you that content is missing.
-> You need to audit this stuff
20. How to fix mixed content issues
You must only use https:// URLs when loading resources on your page.
For each page that references HTTP resources, update the references to point to the HTTPS counterparts. This matters most for the resource types Chrome will not autoupgrade (scripts, stylesheets and frames), which are simply blocked.
21. If resources are not available on https://
• Include the resource from a different host, if possible (over HTTPS, obviously).
• Download and host the content on your site directly, if you are legally allowed to do so.
• Exclude the resource from your site altogether (which may mean you need to find an alternative solution).
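As an added example (not part of the original deck and not Sitebulb's own code), the Python script below does the per-page audit described above, offline: it parses a page's HTML, reports every resource reference that uses http:// on a page served over https://, says which ones Chrome will try to autoupgrade (audio, video, images) and which are simply blocked (scripts, stylesheets, frames), and gives the https:// counterpart to switch to. The sample page and its host names are constructed for the example.

```python
"""Find mixed-content resource references in a page served over HTTPS.

Added example, not Sitebulb code: hosts in the sample page are made up.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Element -> attribute that carries the resource URL.
RESOURCE_ATTRS = {
    "img": "src", "audio": "src", "video": "src", "source": "src",
    "script": "src", "iframe": "src", "embed": "src",
    "object": "data", "link": "href",
}
# Chrome's Q1 2020 plan: audio/video (Chrome 80) and images (Chrome 81) are
# rewritten to https:// and blocked only if that fails; scripts, stylesheets
# and frames over http:// are blocked outright.
AUTOUPGRADED = {"img", "audio", "video", "source"}


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None or not attrs.get(attr):
            return
        # Only stylesheet <link>s are fetched as page resources; canonical,
        # alternate and similar rel values are metadata, not mixed content.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        url = attrs[attr].strip()
        parts = urlsplit(url)
        # Relative ("/x.png") and protocol-relative ("//cdn/x.js") URLs inherit
        # the page's https:// scheme, so only an explicit http:// is mixed.
        if parts.scheme.lower() != "http":
            return
        self.findings.append({
            "line": self.getpos()[0],
            "tag": tag,
            "url": url,
            "chrome": ("auto-upgraded, blocked if https:// fails"
                       if tag in AUTOUPGRADED else "blocked"),
            "https_url": urlunsplit(("https",) + tuple(parts[1:])),
        })


def find_mixed_content(html, page_url):
    """Return one finding per http:// resource reference on an https:// page."""
    if urlsplit(page_url).scheme.lower() != "https":
        return []  # a page served over plain HTTP cannot have mixed content
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: an https:// product page with a handful of
# http:// references of different kinds.
SAMPLE_PAGE_URL = "https://shop.example/product/42"
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<link rel="canonical" href="http://shop.example/product/42">
<script src="//cdn.example/app.js"></script>
</head><body>
<img src="http://images.example/product-42.jpg" alt="Product 42">
<img src="/static/logo.png" alt="Logo">
<video src="http://media.example/demo.mp4" controls></video>
<iframe src="http://widgets.example/reviews?id=42"></iframe>
<a href="http://partner.example/">Partner</a>
</body></html>
"""

if __name__ == "__main__":
    for f in find_mixed_content(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(f"line {f['line']}: <{f['tag']}> {f['url']} -> {f['chrome']}; use {f['https_url']}")
```

Run against the sample it reports four findings (the stylesheet, one image, the video and the iframe) and ignores the protocol-relative script, the relative logo, the canonical link and the plain hyperlink, none of which are mixed content. To use it on a real site, fetch each page's HTML and pass it with the page URL; the stylesheet and iframe findings are the ones to fix first, since Chrome will not autoupgrade them.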
22. #2 TLS – what is it?
TLS is the encryption protocol that makes HTTPS secure. Any website that uses HTTPS is employing TLS.
Old TLS versions have known weaknesses that make the connection more vulnerable to attack, and the versions a server accepts are configured for the whole domain/website rather than per page.
23. HTTP is the protocol for data transfer
HTTP request from browser to server
HTTP response from server to browser
24. HTTPS = (HTTP + an encryption layer)
HTTP – data is not encrypted: a submitted field travels over the wire as is, e.g. Password = sandwich1
HTTPS – data is encrypted, using TLS: the same field travels as ciphertext, e.g. Password = $665fdvzs_/$^*rt5
25. TLS = Transport Layer Security
TLS is the encryption layer that makes the HTTP data transfer secure.
However, some versions of TLS are very OLD, and no longer as secure as we need them to be.
26. TLS release timeline
• TLS 1.0 – released 1999 (deprecated = security risk)
• TLS 1.1 – released 2006 (deprecated = security risk)
• TLS 1.2 – released 2008
• TLS 1.3 – released 2018
28. Chrome ‘TLS timeline’
1. Chrome 79 (out now!) - Chrome gives a site a "Not Secure" label if it cannot negotiate TLS 1.2 or higher (i.e. it only supports TLS 1.0/1.1).
2. Chrome 81 (March 17th 2020) - Chrome shows a full page warning for such sites.
30. Full page warning -> Implications
• Users will most likely bounce.
• Organic and paid channels will suffer.
• Googlebot may not be able to access your content.
34. Ok but not perfect example
TLS 1.2 is enabled, so there is no full page Chrome warning, BUT the site still accepts TLS 1.0 and TLS 1.1 connections, and is therefore not as secure as it should be.
35. Particularly important for certain sites
• Ecommerce sites that handle transaction data (a site that still accepts TLS 1.0 and 1.1, like the one above, would not pass a PCI DSS compliance scan).
• Websites that handle sensitive data (e.g. medical data).
• Websites that store personal data (e.g. names and addresses).
37. How to fix TLS issues
In order to ensure your site has no issues with TLS, you need the following setup:
• Disable: SSL (v2 and v3), TLS 1.0, TLS 1.1.
• TLS 1.2 must be enabled.
• TLS 1.3 should also be enabled if your server software supports it.
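As an added example, not from the original deck and not Sitebulb code, the script below checks a server the way the "ok but not perfect" slide and the fix slide describe: it probes each TLS version separately by pinning the client to that single version (a normal handshake only reveals the best version both sides share, not whether TLS 1.0 is still accepted), then grades the result into the three outcomes discussed (no TLS 1.2+ at all, TLS 1.2+ plus legacy versions still accepted, only TLS 1.2/1.3). Probing a real host needs network access; the grading function is pure and runs offline. The probe results fed to it for checking are constructed.

```python
"""Probe which TLS versions a host accepts and grade the result.

Added example: probe() needs network access to a real host; assess() is pure.
"""
import socket
import ssl
import sys

TLS_VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}
LEGACY = ("TLS 1.0", "TLS 1.1")
MODERN = ("TLS 1.2", "TLS 1.3")


def supports_version(host, version, port=443, timeout=5.0):
    """True/False if the server does/does not complete a handshake pinned to
    exactly `version`; None if the local OpenSSL cannot offer that version.
    Certificate checks are off on purpose: protocol support is what is probed.
    A False for TLS 1.0/1.1 on a client built without them is a client limit,
    so confirm with `openssl s_client -connect host:443 -tls1` before trusting it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return None
    try:
        # Recent OpenSSL refuses TLS 1.0/1.1 at its default security level;
        # lower it so the answer reflects the server's policy, not the client's.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # LibreSSL and older builds have no security levels
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def probe(host, port=443):
    """Probe every version independently; a server that accepts TLS 1.3
    may still accept TLS 1.0, which a normal handshake would never reveal."""
    return {name: supports_version(host, ver, port) for name, ver in TLS_VERSIONS.items()}


def assess(results):
    """Grade a probe result into the outcomes the slides describe."""
    modern = [v for v in MODERN if results.get(v)]
    legacy = [v for v in LEGACY if results.get(v)]
    unknown = [v for v in LEGACY if results.get(v) is None]
    if not modern:
        verdict = "not secure: TLS 1.2+ not offered, Chrome 79+ labels the site 'Not Secure'"
    elif legacy:
        verdict = ("ok but not perfect: TLS 1.2+ offered, but "
                   + " and ".join(legacy) + " still accepted; disable them")
    else:
        verdict = "good: only TLS 1.2/1.3 accepted"
    if unknown:
        verdict += " (" + " and ".join(unknown) + " could not be probed from this client)"
    return verdict


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    outcome = probe(target)
    for name, ok in outcome.items():
        state = "yes" if ok else ("no" if ok is False else "cannot test from this client")
        print(f"{name}: {state}")
    print(assess(outcome))
```

Run it as `python tls_probe.py shop.example` and hand the verdict to whoever runs the server. The corresponding fix on nginx is `ssl_protocols TLSv1.2 TLSv1.3;` and on Apache `SSLProtocol -all +TLSv1.2 +TLSv1.3`; re-run the probe afterwards and expect "good".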
38. This is a job for the ‘server guy’
This is a task for whoever runs your website server:
• In house developer/SysAdmin
• 3rd party website hosting company
• Ecommerce software provider
39. Bonus tip
Hit the ‘Printable PDF’ button in the Sitebulb Security report, to get a PDF report you can forward on.
40. Takeaways -> Take security seriously!
If you don’t you could be subject to:
• Users and search engines unable to access content.
• Users seeing warnings and losing trust in your site.
• Important content not being displayed on your web pages.
41. Takeaways -> Action points
• Regularly audit your website and pay attention to security warnings.
• Check Google Search Console for existing messages.
• Make sure you are signed up to GSC email notifications.
• Start to practice ‘secure as standard.’
42. Sitebulb free 14 day trial:
-> sitebulb.com/download/
The blog post contains a full, up-to-date explanation of these issues:
-> bit.ly/security-2020
Patrick Hathaway
@HathawayP