Google Patches Chrome, Changes Mixed Content Warnings

Google has changed the way it presents HTTPS Mixed Content warnings in Chrome.

Google has made some changes to the way it presents browser warnings in Chrome.

Starting with Chrome 46, don’t expect to see the yellow warning icon on HTTPS pages with minor errors. Google announced on Tuesday that it would start marking those pages with the neutral icon it uses on unencrypted HTTPS pages; the change, it said, will affect HTTPS pages with mixed content.

“Site operators face a dilemma: Switching an HTTP site to HTTPS can initially result in mixed content, which is undesirable in the long term but important for debugging the migration. During this process the site may not be fully secured, but it will usually not be less secure than before,” Lucas Garron and Chris Palmer of the Chrome security team wrote in a blog post yesterday. “Removing the yellow “caution triangle” badge means that most users will not perceive a warning on mixed content pages during such a migration. We hope that this will encourage site operators to switch to HTTPS sooner rather than later.”

Secure HTTPS pages will continue to get the green closed padlock icon, while HTTP and HTTPS with errors pages will show a gray neutral icon. Broken HTTPS will remain with the red strikethrough icon.

“We have to strike a balance: representing the security state of a webpage as accurately as possible, while making sure users are not overwhelmed with too many possible states and details,” Garron and Palmer wrote. “We’ve come to understand that our yellow “caution triangle” badge can be confusing when compared to the HTTP page icon, and we believe that it is better not to emphasize the difference in security between these two states to most users.”

Chrome 46 also includes 24 security fixes that were also announced yesterday, including eight from external sources that earned bounties ranging from $8837 to $500.

The bugs that earned bounties are:

[$8837][519558] High CVE-2015-6755: Cross-origin bypass in Blink. Credit to Mariusz Mlynski.

[$6337][507316] High CVE-2015-6756: Use-after-free in PDFium. Credit to anonymous.

[$3500][529520] High CVE-2015-6757: Use-after-free in ServiceWorker. Credit to Collin Payne.

[$3000][522131] High CVE-2015-6758: Bad-cast in PDFium. Credit to Atte Kettunen of OUSPG.

[$1000][514076] Medium CVE-2015-6759: Information leakage in LocalStorage. Credit to Muneaki Nishimura (nishimunea).

[$1000][519642] Medium CVE-2015-6760: Improper error handling in libANGLE. Credit to lastland.net.

[$500][447860 & 532967] Medium CVE-2015-6761: Memory corruption in FFMpeg. Credit to Aki Helin of OUSPG and anonymous.

[$500][512678] Low CVE-2015-6762: CORS bypass via CSS fonts. Credit to Muneaki Nishimura (nishimunea).

Suggested articles