Saturday, 04 August 2012

Chrome 21 Adds Silent Mixed-Scripting Protection


The latest Google Chrome 21, now in the stable channel, comes with some changes to the way it handles mixed-content sites, i.e. sites served over HTTPS that include some elements, usually from third parties, that are served over unencrypted HTTP.

This is a problem because it gives users a false sense of security: they believe they are visiting a secure, encrypted site when, in fact, some content is being sent and received in plain text for anyone to intercept.

Websites generally notify users when this happens and sometimes even block the insecure content from loading. This, however, causes problems, since it can "break" many websites.

A compromise between security and usability is hard to reach, but Google believes it has managed to do so in Chrome 21. Google has been experimenting with blocking for more than a year now, but only in the beta and dev channels.

Blocking was not enabled in the stable channel because it interfered with quite a few sites and was confusing to users, who are less savvy than those on the beta and dev channels.

In that time, Google worked with many of the large sites out there to fix existing problems, including Facebook and Twitter. Finally, Chrome 19 introduced mixed-script blocking in the stable channel.

But that didn't go so well, and the notifications were confusing to some. Still, plenty of websites with the problem were found, and many started fixing it.

In Chrome 21, Google dropped the notification and now blocks mixed scripting silently, every time. Users who want to load the insecure content have to click the shield icon in the Omnibox and then click the "Load anyway" link. This also helps prevent clickjacking attacks.

What's more, sites that opt into the HSTS (HTTP Strict Transport Security) standard will have mixed content blocked by default all the time, with no option for the user to load it. This is the best safeguard against this potential vulnerability.
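As an added illustration, not code from the article or from Google, here is a small Python audit a site owner can run over their own HTML to find the http:// references an HTTPS page makes before a browser blocks them. It splits them into active content (scripts, frames, stylesheets, plugins, the kind Chrome 21 blocks) and passive content (images, media); that split is the usual mixed-content classification and an approximation of the browser's rules, not Chrome's implementation, and the sample page and hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Active content: an http:// source here can run code or restyle the page,
# so this is the class a browser blocks. Passive content is only displayed.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href"),
          ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src")}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.active, self.passive = [], []  # http:// URLs found, by kind

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for element, attr in ACTIVE | PASSIVE:
            if tag != element or attr not in attrs:
                continue
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                continue  # only stylesheet links pull in active content
            # Resolve relative and protocol-relative ("//host/x.js") refs; they inherit https
            url = urljoin(self.page_url, attrs[attr])
            if urlsplit(url).scheme == "http":
                (self.active if (element, attr) in ACTIVE else self.passive).append(url)


def find_mixed_content(page_url, html):
    """Return (active, passive) lists of http:// URLs an https:// page references."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content only applies to a page served over https://")
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.active, scanner.passive


# Constructed sample page; the hostnames are placeholders.
SAMPLE_PAGE = "https://shop.example/checkout"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<link rel="icon" href="http://cdn.example/favicon.ico">
<script src="//cdn.example/lib.js"></script>
<script src="http://ads.example/track.js"></script>
</head><body>
<img src="http://img.example/banner.png">
<iframe src="/widget"></iframe>
<iframe src="http://widget.example/frame"></iframe>
</body></html>"""
```

On the sample, the stylesheet, the ad script and the framed widget come back as active (what Chrome 21 would block), the banner image as passive, while the protocol-relative script and the same-origin frame resolve to https and are not mixed at all.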

Via: Chrome 21 Adds Silent Mixed-Scripting Protection
