Why Should We Stop Using HTTP Altogether?

April 27, 2021 | Jay Thakkar
Can HTTP mixed content be dangerous?

In browser terminology, content served over HTTP on an HTTPS-enabled website is regarded as ‘mixed content’, and such downloads are called ‘mixed content downloads.’ Users could easily overlook such insecure content because they have been trained to check for the padlock in the address bar. In fact, in research conducted by PhishLabs, more than 80% of respondents believed the green lock (back then it was green) indicated that a website was legitimate and/or safe. They might therefore assume that any downloads from HTTPS websites are also secure. However, this is not always the case.

An attacker could exploit this by substituting a malicious file, such as malware, for the file you think you’re downloading. This way, the malware can find its way into your systems, and attackers can easily read the bank statements you downloaded insecurely.

Another reason mixed content is potentially dangerous is that it weakens your security and privacy by leaving the connection vulnerable to man-in-the-middle (MITM) attacks. In these attacks, an attacker eavesdrops on a network connection and can view and/or modify the communication between two parties. Moreover, an attacker can not only take control of the compromised resource but can potentially take total control over the entire page. This is as dangerous as it gets.

Google plans to root out HTTP mixed content

Google has recognized the potential risks inherent in HTTP downloads for quite a while now. In April 2019, it was reported that Google had made a proposal to other browser companies to block HTTP downloads on websites using HTTPS. In this proposal, Google asked fellow browser makers to block such downloads when they are served on websites secured through HTTPS. As per ZDNet, Mozilla was interested in “exploring these ideas further in conversation with Google and other interested parties.”

Almost eight months later, Google turned this exploration into action by announcing a roadmap to block HTTP downloads in upcoming versions of Google Chrome. The first step in this effort is blocking such downloads from HTTPS sites, because users expect those downloads to be safe. Google decided to execute this in six steps, each to be delivered with the release of a new version of Chrome.

What does this mean for your users?

This is surely a good step for everyday users, as it is going to enhance their security and privacy. However, this doesn’t mean the trouble of malicious downloads is over. Even if the website and download link are served over HTTPS, there is no reason to presume the download is safe, because a file can still be malicious even when it is served over HTTPS. If you download a virus- or malware-infected file, an attacker could easily wreak havoc by taking control of your computer. Therefore, the responsibility for your security remains in your hands, even if Chrome blocks HTTP downloads. More so now, as it has been reported that more and more cyber attackers are using HTTPS websites as bait to lure users into doing what they want.

What does this mean for developers?

If you’re a web developer, there is only one thing you need to do: serve all content over HTTPS. Finding such links can be a mammoth task on a large website, but many mixed content checker tools are available on the internet. You should scan your website for all such content and migrate completely to HTTPS.
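The scan described above is easy to do yourself. The following Python script is an added example, not Venafi’s or the author’s code: it parses an HTTPS page, resolves every resource and link URL against the page address, and reports each one that would be fetched over plain HTTP, classified as active content (scripts, frames, stylesheets, forms), passive content (images, media) or a download link. The HTML it scans is a constructed sample, and every example.com host in it is a placeholder.

```python
"""Mixed content finder: lists sub-resources and download links that an
HTTPS page would fetch over plain HTTP.

Added example, not Venafi's or the author's code. The HTML below is a
constructed sample; every example.com host in it is a placeholder.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attributes that make the browser fetch a URL or navigate to it.
URL_ATTRS = {
    "script": ("src",), "iframe": ("src",), "object": ("data",),
    "embed": ("src",), "link": ("href",), "form": ("action",),
    "img": ("src",), "audio": ("src",), "video": ("src", "poster"),
    "source": ("src",),
    "a": ("href",),
}
# Active content can run code or rewrite the page; browsers block it outright.
ACTIVE = {"script", "iframe", "object", "embed", "link", "form"}
# Passive content (images, media) is shown with a warning or auto-upgraded.
PASSIVE = {"img", "audio", "video", "source"}


class MixedContentFinder(HTMLParser):
    """Collects every explicit http:// reference found in an HTTPS page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in URL_ATTRS.get(tag, ()):
            raw = attrs.get(name)
            if not raw:
                continue
            # Resolve relative and scheme-relative (//host/path) URLs against
            # the page; those inherit https and are therefore not mixed.
            url = urljoin(self.page_url, raw.strip())
            if urlsplit(url).scheme != "http":
                continue
            if tag in ACTIVE:
                kind = "active"
            elif tag in PASSIVE:
                kind = "passive"
            elif "download" in attrs:
                kind = "download"      # the case Chrome is moving to block
            else:
                kind = "link"
            self.findings.append(
                {"line": self.getpos()[0], "tag": tag, "attr": name,
                 "url": url, "kind": kind})


def find_mixed_content(html, page_url):
    """Return the http:// references in `html`, in document order."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content is only meaningful on an HTTPS page")
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page; it is not taken from any real site.
SAMPLE_HTML = """<!doctype html>
<html><head>
  <link rel="stylesheet" href="http://static.example.com/site.css">
  <script src="//cdn.example.com/app.js"></script>
  <script src="http://cdn.example.com/legacy.js"></script>
</head><body>
  <img src="/images/logo.png">
  <img src="http://images.example.com/banner.jpg">
  <a href="http://files.example.com/statement.pdf" download>Statement</a>
  <a href="https://files.example.com/report.pdf">Report</a>
  <form action="http://www.example.com/login" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    for f in find_mixed_content(SAMPLE_HTML, "https://www.example.com/account"):
        print(f"line {f['line']:>3}  {f['kind']:<8}  "
              f"<{f['tag']} {f['attr']}> {f['url']}")
```

On the sample page the script flags five references: the stylesheet, the legacy script, the banner image, the statement download and the login form action. The scheme-relative `//cdn.example.com/app.js` and the relative `/images/logo.png` are not flagged because they inherit the page’s https scheme. Fixing each reference at the source is the real remedy; as a stopgap while you migrate, the `Content-Security-Policy: upgrade-insecure-requests` response header tells browsers to rewrite such sub-resource requests to https, but it does not fix a link to a host that offers no HTTPS at all.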

When will we finally sunset HTTP?

Google has been on a quest to make HTTPS the standard on the internet, and blocking HTTP downloads marks an important milestone in it. All other major browsers are expected to follow suit, as all of them have been moving in harmony as far as making the web HTTPS-only is concerned.