Google Chrome HTTPS fail… but we still love you


We recently spotted an issue on a client’s WordPress site where the page was loading but without any styling. Subsequent troubleshooting revealed that this was only happening in Chrome. More specifically, it was only happening in Chrome on Mac OS X.

Looking at the source code, we could see a load of resources (CSS, JavaScript files, etc.) being included via HTTPS (secure) links instead of HTTP. Really weird, right? This wasn’t happening in other browsers. Fully clearing the browser cache didn’t help. Previously the site had been working fine… so what was going on?!

Time for a Google search! There’s an element of irony right there: turning to Google for help with an issue that turned out to be a Google bug itself.

Here’s what we found:

In summary, the issue was as follows:

It’s now sending the HTTPS: 1 header on every request by default. This was probably meant as a security improvement, to suggest HTTPS to the server wherever possible, but it’s breaking WordPress and other webserver installations all over the place. (source)

In practice, if a website had an SSL certificate installed and HTTPS worked without any security issues, the broken-page issue described above would not have happened.
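A sketch of how that request header can flip a page’s asset links to HTTPS, as an added example that is not code from this post, from WordPress or from any plugin. It assumes the site chose its URL scheme from the client-supplied header, which PHP exposes as `$_SERVER['HTTP_HTTPS']`; the function names, host and path are hypothetical.

```php
<?php
// Added example with constructed sample data; not WordPress or plugin code.

// Fragile: treats the request header "HTTPS: 1" (seen by PHP as
// HTTP_HTTPS) as proof that the connection is encrypted.
function scheme_trusting_header(array $server): string
{
    if (!empty($server['HTTP_HTTPS']) && $server['HTTP_HTTPS'] !== 'off') {
        return 'https';
    }
    return scheme_from_server($server);
}

// Safer: uses only values set by the web server itself. Every key with
// the HTTP_ prefix is copied from a request header, so it is ignored.
function scheme_from_server(array $server): string
{
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    if ($https === 'on' || $https === '1') {
        return 'https';
    }
    if ((string) ($server['SERVER_PORT'] ?? '') === '443') {
        return 'https';
    }
    return 'http';
}

function asset_url(string $scheme, string $host, string $path): string
{
    return $scheme . '://' . $host . $path;
}

// Constructed request: plain HTTP on port 80 from a browser that adds
// the "HTTPS: 1" header. Host and path are placeholders.
$request = [
    'HTTP_HOST'   => 'shop.example',
    'SERVER_PORT' => '80',
    'HTTP_HTTPS'  => '1',
];
$path = '/wp-content/themes/site/style.css';

// First line: stylesheet link switched to https although the site has no
// working HTTPS. Second line: link stays on the scheme actually in use.
echo asset_url(scheme_trusting_header($request), $request['HTTP_HOST'], $path), PHP_EOL;
echo asset_url(scheme_from_server($request), $request['HTTP_HOST'], $path), PHP_EOL;
```

To check a live site, send the same page request with and without an `HTTPS: 1` header and compare the scheme of the stylesheet and script URLs in the returned HTML.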

I will resist the urge to assert that this was a deliberate bug, designed to wake up 1000s of website owners who haven’t yet had SSL installed on their servers. A compassionate and altruistic organisation such as Google would never do that… (!)

Will we see a boom in sales of SSL certificates in the coming weeks though? You bet!

We are convinced that SSL certificates are an essential requirement on all websites. Are you? To find out more, contact us.

  • Christopher

    July 27, 2015

    The Chromium project is proposing that all UAs update their UI to alert users to non-HTTPS sites and potentially display HTTP sites as insecure. So it doesn’t seem too far-fetched that they would do something like this to prompt upgrades to SSL.

    SSL certificates can be cheaper than domain names, not to mention the added security, and even SEO benefit so there is no reason not to have one in my opinion.

    More information:
    https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure
