Encryption Everywhere: What is mixed content and why should marketers care?

Browser vendors are planning changes that will affect the way Pardot users produce online content and emails. The Pardot product team is working with the browser vendors and web standards communities to stay current with planned changes and to communicate to our customers what you need to know to continue to deliver effective content. In this post, we’ll explain what mixed content is and how near-term changes being rolled out by browser vendors will affect you.

But first, some background that will help us understand why things are changing.

The history of online encryption

Before about 1970, commercial computers were mostly isolated systems, each installed by a business for some specific task, such as running an accounting system. As business processes became increasingly reliant on information technology, the potential of networked computers became apparent. This raised a serious question: How would networked systems protect themselves against malicious actors who would snoop on and tamper with critical data moving between systems?

Outside of secretive governmental agencies, encryption was mostly a dark art in 1970. But due to the rise of the internet, this has changed in the decades since. In the 1970s, we saw the standardization and deployment of the Data Encryption Standard (DES). In the 1980s, we saw the rise of encryption systems with fancy capabilities such as performing secure digital signatures. During the 1990s, Netscape developed the early versions of Secure Sockets Layer (SSL), now rebranded Transport Layer Security (TLS).

TLS is the protocol that secures the internet. It’s based on the encryption research that happened in earlier decades, and the protocol continues to mature today – the most recent version is TLS 1.3. During the 2010s, technologies such as Let’s Encrypt made TLS more accessible, and the visible rise of major cybersecurity incidents has motivated technology leaders like Salesforce to push for the universal adoption of encryption via TLS. The 2020s will be the decade where we witness ubiquitous web security and privacy via encryption.

This is a trend that we need to pay attention to.

What is mixed content?

Browsers interact with sites using a technology called Hypertext Transfer Protocol (HTTP). The “http” in http://example.com/ indicates the link is using HTTP to transfer your content to your visitor. But HTTP alone doesn’t provide any encryption. This means that content transferred to the browser can be snooped on or tampered with while in transit.

HTTPS is HTTP combined with TLS. The “https” in https://example.com/ means the link is using HTTP along with TLS to provide a secure browsing experience. Technology leaders and standards bodies are moving away from vanilla HTTP to secure HTTPS.

Now we come to the heart of this post: mixed content.

Mixed content is when a site mixes HTTPS and HTTP. A common example of mixed content is a secure site (served over HTTPS) that includes images served over vanilla HTTP. The problem is that the website was clearly intended to be secure, but some parts of it (images, in this example) remain vulnerable to snooping and tampering.

Why it matters to marketers

You may be thinking: None of my trade secrets are exposed on my site or in my marketing materials. While this is probably true (I’d hope so!), there are good reasons to move all of your content to HTTPS and make sure you don’t have mixed content. The biggest reason?

Browser vendors are changing the browser experience to encourage site owners to avoid mixed content, with an ultimate aim to create a secure browsing experience across the internet.

Chromium, the technology at the heart of Google Chrome, has announced mixed-content deprecation, an initiative to stop sites from serving mixed content. This process is already in motion. There are a couple of key callouts for Pardot users:

  • The latest version of Chrome – Chrome 86 – automatically attempts to upgrade mixed-content images to HTTPS. While this should be innocuous, there may be unintended side effects of this Chrome change that affect the browsing experience.
  • Chrome will eventually stop showing mixed-content images altogether. This is planned to happen in Chrome 88, scheduled for deployment in January 2021.

There are other motivations for moving to encryption everywhere. Not only do search engines prioritize secure sites, this practice also promotes trust with your audience and helps to future-proof your sites against related browser and web changes.

How marketers can prepare for the changes ahead

According to my research, over 90% of Pardot users have websites served via HTTPS. This is good! My calls to action for you are:

  • Make sure that the marketing content you link to in your sites and emails is also served via HTTPS. Not sure how to do this? Learn how to turn on HTTPS for your marketing content.
  • Check out the Pardot product team’s Salesforce Knowledge Base Article about mixed content. We’ll update it as new information emerges.
  • Check your site for any resources, even those not served by Pardot, that need to be secured.

At Salesforce Pardot, we believe that a secure, trusted experience is in everyone’s best interest. For this reason, we’re actively exploring other ways to promote security for our users and for their customers. Stay tuned for more communication as events unfold!

This blog post is part of our security, privacy, and technology series.