HTTP vs. HTTPS: What Should I Know About Mixed Content?

https green padlock icon

More and more in today’s digital world, safety and security are trending on the Internet of Things. We want to make sure our online transactions and transmissions proceed without hacks, identity theft, or trampling on our privacy.

Over the years, the way our computers communicate with the broader digital world has evolved. You may have noticed that the web addresses you visit have moved mainly from HTTP to HTTPS. 

This change marks an essential distinction in security. It gives you a way to ensure the sites you visit have encryption for layers of safety as you browse, purchase, or communicate.

In this article, we’ll expose the difference in these URL types, why they matter, and what you should know about “mixed content.” 

Are you a business owner concerned about the security and user experience of your business website? Contact Romain Berg for a complete website audit to maximize your use of mixed media and encryption on your digital doorstep.

What are HTTP and HTTPS?

You can think of these two terms like telephone operators. They both are essential pieces of code in connecting your computer to the internet. They enable you to interface with websites, social media, and individuals.

Without these two connectors, your computer functions as a fancy calculator that can only play Oregon Trail from a floppy disk. (Anyone else remember those days?)

HTTP stands for Hypertext Transfer Protocol. When you type this into your browser address bar, it’s like you’re ringing up the telephone operator and asking to connect to another party. 

There are coded messages exchanged between the server and the computer, which “approve” the connection. You’re off and running on the website you want to explore.

HTTP uses Transmission Control Protocol to send packets of information to different locations. HTTP was created in 1974. Though it’s had several enhancements since then, the mechanism for information delivery first enacted through TCP remains mostly unchanged.

How HTTPS is different

HTTPS means Hypertransfer Protocol Secure. Essentially, HTTPS puts a layer of encryption between the information sent and the rest of cyberspace. Think of it as a secure channel, because that’s what it is. 

For example, when you use wi-fi at a public place like a coffee shop or restaurant, you’ll typically get a pop-up notice from the host location that it’s a bad idea to do your banking or other personal transactions there. 

When you get this message, it probably means you’re on a non-secure channel, and your privacy cannot be guaranteed.

An HTTPS site will still send and receive information packets via TCP, but with a layer of encryption by Transport Layer Security

Why should I care about HTTP and HTTPS?

why should I care

If you sell items or services, schedule appointments, or otherwise request sensitive data from your customers, you’ll need an HTTPS site. To launch a secure site, you’ll need to obtain an SSL certificate for proper encryption and a padlock icon that lets visitors know your site is secure.

If you use web platforms like Wix and WordPress, your certificate is likely included for you when you launch your site.

If you haven’t created your site yet, be sure your platform or your web designer includes HTTPS and an SSL certificate in your site build-out.

What is mixed content?

young woman holding laptop PC

There exists a peculiar aspect of HTTPS. It’s a little sneaky. Here’s what we mean.

You can use an HTTPS URL over a secure channel and still have HTTP content hitching a ride in on its coattails. 

A lot of content like pictures, videos, audio, and scripts still load via HTTP, even on an HTTPS site. This “piggybacking,” as it were, occurs because HTTP has dominated the internet since its inception. 

HTTPS is a relative newcomer as a secure channel for digital information transfer, and up till now, mixed content has been overlooked while many websites are still converting to HTTPS. 

Browsers like Google Chrome and Mozilla are just beginning to enact new policies on HTTP stow-away practices that have, until now, been commonplace.

Browser crack-down on mixed content

police officer standing next to a police car

Now that HTTPS is gaining a digital toe-hold, both Google Chrome and Mozilla are encouraging its use on all websites and penalizing sites that used mixed content.

For example, if your site had an HTTPS domain, you’d get a small padlock icon on the right of the URL bar indicating a secure site to your users. 

Now, however, Google Chrome is punishing sites that have an HTTPS URL but still loading HTTP photos, videos, or other content. Google places a “not secure” message in the URL bar to indicate a lack of full security on those sites.

On a more proactive note, Mozilla’s Let’s Encrypt program allows website creators to obtain a free TLS certificate to fully support HTTPS on new and existing sites. 

There are a few options for Chrome access to abandoned or legacy sites. Here’s what’s coming.

Changes in 2019

Google Chrome 79 will launch a new setting in December 2019. This button will allow you to toggle from blocking mixed content sites automatically to an “allow” mode for mixed content.

With Chrome 80 (due out in January 2020), mixed audio and video content will be automatically upgraded to HTTPS, or blocked if loading fails over HTTPS. Mixed photos will still load, but you’ll get the dreaded “not secure” message in your URL.

Chrome 81, scheduled for a February 2020 release, will automatically convert all HTTP content, including photos, to HTTPS and will block all mixed content that fails to load on HTTPS.

If you’re a webmaster, you can get on the conversion train immediately by converting HTTP images to HTTPS, as well as any other HTTP material on your site.

Want a DFY (Done For You) HTTP-to-HTTPS website conversion or build?

Romain Berg is a full-service marketing agency ready to help you fully secure your digital business presence. We’ll do a full website crawl for HTTP content, as well as convert your existing HTTP site to HTTPS.

Fill out our contact form today, and we’ll be in touch to make sure your website stays on top of all the newest security features available.

Leave a Reply