{"id":11598,"date":"2019-10-08T15:54:56","date_gmt":"2019-10-08T19:54:56","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=11598"},"modified":"2023-04-10T16:06:10","modified_gmt":"2023-04-10T20:06:10","slug":"browser-updates-round-up-continuing-the-push-for-https-everywhere","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/browser-updates-round-up-continuing-the-push-for-https-everywhere\/","title":{"rendered":"Browser Updates Round-Up: Continuing the Push for HTTPS Everywhere"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\" id=\"h-google-chrome-and-mozilla-firefox-are-updating-how-ssl-https-sites-are-displayed-to-users-continuing-their-initiative-to-move-all-internet-traffic-to-https\">Google Chrome and Mozilla Firefox are updating how SSL\/HTTPS sites are\ndisplayed to users, continuing their initiative to move all internet traffic to\nHTTPS<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Google and Mozilla have recently announced several changes\nto how they will display HTTPS websites in Chrome and Firefox, respectively.\nMost of these changes are part of the push the browsers have been talking about\nfor a few years \u2013 encouraging all websites to move from HTTP to HTTPS. 
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Here\u2019s a quick overview of six noteworthy changes the\nbrowsers are making, and what webmasters and internet users need to know.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s hash it out.<span id=\"newline\"><\/span><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-1-chrome-to-force-https-or-block-mixed-content\">1) Chrome to Force HTTPS or Block \u201cMixed Content\u201d<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">For years, \u201cmixed content\u201d has been the bane of web developers all over the world \u2013 after switching your site to use HTTPS, there were often images, scripts, or other files still loading via HTTP that would trigger \u201cmixed content\u201d security errors in the user\u2019s browser like this:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"320\" height=\"288\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/10\/mixed-content-error.png\" alt=\"\" class=\"wp-image-11609\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/10\/mixed-content-error.png 320w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/10\/mixed-content-error-300x270.png 300w\" sizes=\"auto, (max-width: 320px) 100vw, 320px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">As <a href=\"https:\/\/blog.chromium.org\/2019\/10\/no-more-mixed-messages-about-https.html\">Google explains<\/a>:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cHTTPS pages commonly suffer from a\nproblem called mixed content, where subresources on the page are loaded\ninsecurely over http:\/\/. 
Browsers block many types of mixed content by default,\nlike scripts and iframes, but images, audio, and video are still allowed to\nload, which threatens users\u2019 privacy and security. For example, an attacker\ncould tamper with a mixed image of a stock chart to mislead investors, or inject\na tracking cookie into a mixed resource load. Loading mixed content also leads\nto a confusing browser security UX, where the page is presented as neither\nsecure nor insecure but somewhere in between.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Starting with Chrome version 79 (scheduled for release in December\n2019), Google will gradually implement a plan to change how mixed content is\nhandled:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Version 79: Users will be able to manually block\nor unblock mixed content.<\/li>\n\n\n\n<li>Version 80: Mixed audio and video will be\nauto-upgraded to HTTPS \u2013 if they are unreachable via HTTPS they\u2019ll be blocked.\nMixed images will load but will show a \u201cNot Secure\u201d warning in the address bar.<\/li>\n\n\n\n<li>Version 81: Mixed images will be auto-upgraded\nto HTTPS \u2013 or blocked if they can\u2019t be loaded via HTTPS.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Ultimately, this doesn\u2019t change what webmasters need to be\ndoing \u2013 ensure that all resources (including images, video, and audio) load\nover HTTPS 100% of the time.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-2-firefox-marks-all-http-urls-as-not-secure\">2) Firefox Marks All HTTP URLs as Not Secure<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Following in Chrome\u2019s footsteps, Firefox is now marking all\nHTTP webpages as 
\u201cNot Secure\u201d. Over the past couple of years, <a href=\"https:\/\/www.thesslstore.com\/blog\/firefox-chrome-warning-about-insecure-login-pages\/\">Firefox\nhas started warning users if an HTTP page contained a login or other form<\/a>,\nbut now Firefox will show the warning on all HTTP pages. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Starting with Firefox version 70 (scheduled for release in\nOctober), users will see a warning like this on all HTTP pages:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"350\" height=\"43\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/10\/firefox-not-secure.png\" alt=\"Firefox Not Secure icon\" class=\"wp-image-11599\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/10\/firefox-not-secure.png 350w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/10\/firefox-not-secure-300x37.png 300w\" sizes=\"auto, (max-width: 350px) 100vw, 350px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">If you click the padlock, you\u2019ll see a message like this:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"477\" height=\"262\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/10\/firefox-not-secure-box.png\" alt=\"Firefox Not Secure message\" class=\"wp-image-11600\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/10\/firefox-not-secure-box.png 477w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/10\/firefox-not-secure-box-300x165.png 300w\" sizes=\"auto, (max-width: 477px) 100vw, 477px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">From there, you can click for more details to see this:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"481\" height=\"269\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/10\/firefox-not-secure-box-2.png\" 
alt=\"Firefox Not Secure details\" class=\"wp-image-11601\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/10\/firefox-not-secure-box-2.png 481w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/10\/firefox-not-secure-box-2-300x168.png 300w\" sizes=\"auto, (max-width: 481px) 100vw, 481px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-3-firefox-begins-transition-to-dns-over-https\">3) Firefox Begins Transition to DNS-over-HTTPS<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Starting in September, Firefox began a gradual rollout\nswitching users to use <a href=\"https:\/\/www.thesslstore.com\/blog\/dns-over-tls-vs-dns-over-https\/\">DNS-over-HTTPS\n(DoH)<\/a> by default. If their plan goes as hoped, they\u2019ll have all US users\nswitched over by 2020.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Last year, <a href=\"https:\/\/blog.nightly.mozilla.org\/2018\/06\/01\/improving-dns-privacy-in-firefox\/\">Firefox\nexplained<\/a> why they were starting efforts to switch to DoH:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cBecause there is no encryption, other devices along the way\nmight collect (or even block or change) [DNS] data too. 
DNS lookups are sent to\nservers that can spy on your website browsing history without either informing\nyou or publishing a policy about what they do with that information&#8230;Our first\neffort to upgrade the privacy of DNS is to implement the DNS over HTTPS (DoH)\nprotocol, which encrypts DNS requests and responses.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This decision hasn\u2019t been without controversy, though, as <a href=\"https:\/\/www.zdnet.com\/article\/dns-over-https-causes-more-problems-than-it-solves-experts-say\/\">some\ncybersecurity experts believe that DoH is going to cause more problems than it\nsolves<\/a>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Firefox\u2019s DoH uses Cloudflare\u2019s DNS service by default, but\nusers can switch to an alternate service if they prefer.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-4-google-tests-dns-over-https\">4) Google Tests DNS-over-HTTPS<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Starting with Chrome version 78 (scheduled for release in\nOctober) <a href=\"https:\/\/blog.chromium.org\/2019\/09\/experimenting-with-same-provider-dns.html\">Google\nwill begin testing DoH<\/a> for certain DNS servers:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cThis experiment will be done in\ncollaboration with DNS providers who already support DoH, with the goal of\nimproving our mutual users\u2019 security and privacy by upgrading them to the DoH\nversion of their current DNS service. 
With our approach, the DNS service used\nwill not change, only the protocol will&#8230;The goals of this experiment are to\nvalidate our implementation and to evaluate the performance impact.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">While Google\u2019s a bit behind Firefox in rolling out DoH, it\nseems likely that Chrome will roll this out to most\/all users in 2020.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-5-chrome-hides-protocol-http-or-https-from-url\">5) Chrome Hides Protocol (http:\/\/ or https:\/\/) From URL<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Google recently made a change to how URLs are displayed in\nthe address bar \u2013 hiding the http:\/\/ or https:\/\/ from the beginning of the URL.\nAt first glance, this change might sound like Chrome is reducing the importance\nof HTTPS, but it\u2019s actually the opposite. This change is part of Google\u2019s push\nto make HTTPS the default protocol for the entire web. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Research has shown that when it comes to internet security,\npositive indicators are valuable, but users pay more attention to negative\nindicators. That\u2019s why Google has implemented a plan to make HTTPS the default\nand to show warnings for HTTP URLs. 
This change is simply the next step in that\nplan: HTTPS is normal (so normal it\u2019s not shown) but HTTP triggers an error.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">HTTPS webpages now display like this:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"477\" height=\"200\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/10\/chrome-https-pages.png\" alt=\"Chrome HTTPS url display\" class=\"wp-image-11602\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/10\/chrome-https-pages.png 477w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/10\/chrome-https-pages-300x126.png 300w\" sizes=\"auto, (max-width: 477px) 100vw, 477px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">While HTTP pages look like this:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"389\" height=\"35\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/10\/chrome-http-pages.png\" alt=\"Chrome HTTP url display\" class=\"wp-image-11603\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/10\/chrome-http-pages.png 389w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/10\/chrome-http-pages-300x27.png 300w\" sizes=\"auto, (max-width: 389px) 100vw, 389px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-6-chrome-firefox-ev-display-changes\">6) Chrome &amp; Firefox EV Display Changes<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Unlike the first five changes, this one isn\u2019t about getting\nmore sites to switch to HTTPS \u2013 it\u2019s a change to how sites with EV SSL\ncertificates are displayed. 
Chrome and Firefox are moving the EV display\n(verified company name) from the address bar to the certificate details display.\nUsers will now be able to view the EV company details by clicking on the\npadlock to get a display like this: <\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"480\" height=\"295\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/10\/ev-display-1.png\" alt=\"EV site display\" class=\"wp-image-11605\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/10\/ev-display-1.png 480w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/10\/ev-display-1-300x184.png 300w\" sizes=\"auto, (max-width: 480px) 100vw, 480px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">They can also click to view additional certificate details\nlike this:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"483\" height=\"331\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/10\/ev-display-2.png\" alt=\"EV site display\" class=\"wp-image-11606\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/10\/ev-display-2.png 483w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/10\/ev-display-2-300x206.png 300w\" sizes=\"auto, (max-width: 483px) 100vw, 483px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">You can think of this EV display a bit like a passport: you\ndon\u2019t wear it on your sleeve, but it\u2019s there anytime identity verification is\nneeded. If a user is unsure about a website, they can quickly check the EV\ndetails to see what legal entity owns and operates the website. 
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In addition to being available for customers to check\nanytime they\u2019re unsure about a website, EV certificate details are used by\nother entities for <a href=\"https:\/\/www.thesslstore.com\/blog\/google-makes-identity-verification-mandatory-for-all-advertisers\/\">identity verification:<\/a><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Anti-virus software uses EV certificate details\nto distinguish reputable websites from phishing websites.<\/li>\n\n\n\n<li>Governments (especially in Europe) are\nincreasingly requiring companies who transact online to provide verified\nidentity information via an EV SSL certificate and\/or an LEI.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">For the record, we believe that browsers should make\nverified identity information such as EV details more prominent, not less. Unless\/until\na better solution is implemented, EV SSL is still the best solution out there\nfor users to verify the legal entity that operates a website.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">That being said, these changes don\u2019t change the fundamental\npurpose an EV SSL certificate fills: a way for internet users, security\nsoftware, and governments to verify the legal entity that operates a website. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">With the explosion of online crime, regulators are increasingly\nexpecting companies to present verified identities online &#8211; we believe that EV\nSSL (and similar tools) will be an important part of the internet for years to\ncome.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-the-bottom-line\">The Bottom Line<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">None of these SSL UI changes are game changers for users or for\nwebsite owners. 
Most of these changes are incremental changes gradually moving\nmore users and websites to HTTPS &#8211; on balance, that\u2019s a good thing for users,\nfor website owners, and for the internet.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Google Chrome and Mozilla Firefox are updating how SSL\/HTTPS sites are displayed to users, continuing their initiative to move all internet traffic to HTTPS Google and Mozilla have recently announced&#8230;<\/p>\n","protected":false},"author":23,"featured_media":3975,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[130,17,10200],"tags":[132,151,131,967,208],"class_list":["post-11598","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-everything-encryption","category-industry-lowdown","category-monthly-digest","tag-chrome","tag-firefox","tag-google","tag-mozilla-firefox","tag-not-secure","post-with-tags"],"views":13630,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/04\/iStock-458653351.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/11598","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/23"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=11598"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/11598\/revisions"}],"wp:featuredmedia":[{"embeddab
le":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/3975"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=11598"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=11598"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=11598"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}