Jun 17, 2011 11:33 GMT

Chrome 14, the upcoming version of Google's browser, which just entered the dev channel, will block insecure scripting over HTTPS connections by default.

HTTPS is critical for online security in a time when most people connect over wireless hotspots. But, while jumping on the Internet from virtually anywhere is incredibly convenient, it is also very risky.

Attackers can sniff network traffic to extract session cookies from unencrypted requests, and these can be used to hijack other people's accounts.

In order to avoid such attacks, it is important that sessions are encrypted from end to end. However, this is hard to do because most websites load content from external parties.

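The most dangerous unencrypted content consists of scripts, and their presence breaks the security of the HTTPS connection: a script fetched over plain HTTP can be modified in transit and then runs with full access to the otherwise encrypted page. When this happens, browsers display warnings and visual indicators that the connection is no longer secure.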

Google is attempting to tackle this issue in Chrome 14. "As of the first Chromium 14 canary release (14.0.785.0), we are trialing blocking mixed scripting conditions by default. We’ll be carefully listening to feedback," the Google Chrome Security Team announces.

When mixed scripting is blocked, Chrome 14 users will see an infobar allowing them to reload the page with the insecure content included. This override is needed for cases where the external scripts are responsible for critical functionality.

However, the end goal is to have this behavior without offering a bypass option. "Our experience shows that some subset of users will attempt to 'click through' even the scariest of warnings -- despite the hazards that can follow," the Google security engineers explain.

The functionality is also available in the latest Chromium 13 dev channel, but enabling it requires starting the browser with the --no-running-insecure-content flag. In addition, Google is offering some tips to webmasters who currently have mixed content problems on their websites and want to determine the cause.
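
For webmasters trying to find the cause of such warnings, a static check along the following lines lists the subresources an HTTPS page would request over plain HTTP, separating scripts from everything else. This is an added example, not code from Google or Chrome; the tag list, the function and class names, and the sample page with its example.* hosts are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> URL attribute that triggers a subresource fetch (assumed subset).
FETCH_ATTRS = {"script": "src", "iframe": "src", "img": "src",
               "embed": "src", "object": "data", "link": "href"}

# Constructed sample page; all hosts are placeholders.
SAMPLE = """<html><head>
<script src="http://cdn.example.net/lib.js"></script>
<script src="//cdn.example.net/ok.js"></script>
<link rel="stylesheet" href="http://static.example.net/site.css">
</head><body>
<img src="http://img.example.net/logo.png">
<a href="http://example.org/">plain link, not fetched</a>
</body></html>"""

class MixedContentScanner(HTMLParser):
    """Collect subresources an HTTPS page would fetch over plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url  # replaced if the page declares <base href>
        self.secure_page = urlsplit(page_url).scheme == "https"
        self.findings = []    # (kind, line, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            self.base = urljoin(self.base, attrs["href"])
            return
        attr = FETCH_ATTRS.get(tag)
        if not attr or not attrs.get(attr):
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheet links are treated as fetched here
        # urljoin resolves relative and protocol-relative ("//host/x") URLs.
        url = urljoin(self.base, attrs[attr].strip())
        if self.secure_page and urlsplit(url).scheme == "http":
            kind = "script" if tag == "script" else "other"
            self.findings.append((kind, self.getpos()[0], url))

def scan(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

if __name__ == "__main__":
    for kind, line, url in scan("https://shop.example.com/checkout", SAMPLE):
        print(f"line {line}: mixed {kind}: {url}")
```

A static scan like this only sees URLs present in the markup; scripts that insert further insecure requests at runtime still have to be found in the browser itself.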