How non HTTPS resources can harm end user security and revenues

Over the course of the past year, Google Chrome launched a multi-stage plan to ensure that HTTPS pages could only load secure HTTPS subresources. The process began in October 2019 with a Chromium Blog post entitled “No more mixed messages about HTTPS”, which both announced the planned changes and mapped out a timeline for implementation:

Chrome 79 - This update introduced a setting allowing users to unblock mixed content, including mixed scripts and iframes that were previously blocked in Chrome by default.

Chrome 80 - Mixed audio and video resources would now be auto-upgraded to https://; however, resources that failed to load over https:// would be blocked by default, with users still having the option to unblock these resources as mentioned above. This release still allowed mixed image resources to load, but brought with it the display of a “Not Secure” chip in the Chrome omnibox.

Chrome 81 - Here the original plan was to auto-upgrade mixed image resources to https://, with Chrome blocking them by default if they failed to load. However, this change was delayed until the release of Chrome 84 in June 2020.

As of today, all mixed content resources in Chrome are either auto-upgraded to https:// or blocked by default if they fail to load over https://. And while there are still ways for users to unblock mixed content, most don’t for fear of putting their digital security at risk.

What does this mean for digital ads?

While many digital ad campaigns today are delivered using HTTPS for primary resources, non-secure HTTP subresources can still be present. Ads containing these resources are more likely to be blocked on websites in Chrome when the resources fail the auto-upgrade process. Ever wonder why a particular ad campaign didn’t convert as expected? This might be the reason. Beyond the clear security implications, the presence of HTTP subresources in your ads can also affect both how a target user sees them and whether they see them at all.

AdSecure spent some time analysing the presence of non HTTPS subresources in all analyses performed, and found that these non-secure content resources are at play more often than platforms and publishers likely realise.

We determined that, across all unique ads monitored during the month of September, 18.51% contained non-secure HTTP mixed content requests, exactly the type of resources that will either be auto-upgraded to HTTPS, or automatically blocked in Chrome if they fail to load in HTTPS.

Drilling down further, we can see which types of non HTTPS requests are most often in play:

  • Document: HTTP document resources appeared in 68.20% of all ads analysed, and can negatively impact the initial load of an ad when blocked.
  • Image: These HTTP image resources appeared in 19.49% of analysed ads. These can impact both the overall ad display and tracking performance metrics.
  • Script: HTTP script resources were present in 15.36% of ads. These scripts can cause issues with the initial load of an ad, tracking metrics, and even impact where the user is redirected upon click.
  • Stylesheet: Not nearly as prevalent as the previous three at 0.64% but can also affect the overall ad display.
  • Font: Appearing in a relatively minor 0.08% of all ads analysed, HTTP font resources can additionally impact the ad display.
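
Each of the five resource types above corresponds to a specific place in an ad creative's markup. The following scanner is an added example (not AdSecure's code and not part of the original post) that groups the http:// subresources in a creative by those types; the sample markup, hostnames and function names are constructed for illustration, and it goes slightly beyond the text by also reading CSS url() references.

```python
import re
from collections import defaultdict
from html.parser import HTMLParser

# (tag, attribute) -> resource type, using the type names from the list above.
ATTR_TYPES = {("iframe", "src"): "document", ("img", "src"): "image",
              ("script", "src"): "script", ("link", "href"): "stylesheet"}
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.I)
FONT_EXT = (".woff", ".woff2", ".ttf", ".otf", ".eot")

class SubresourceScanner(HTMLParser):
    """Collects plain-http subresources referenced by tags in a creative."""
    def __init__(self):
        super().__init__()
        self.found = defaultdict(list)

    def add(self, kind, url):
        url = (url or "").strip()
        if url.lower().startswith("http://"):  # https:// and relative URLs pass
            self.found[kind].append(url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        for (t, attr), kind in ATTR_TYPES.items():
            if t == tag and (tag != "link" or "stylesheet" in (a.get("rel") or "").lower()):
                self.add(kind, a.get(attr))

def scan(markup):
    scanner = SubresourceScanner()
    scanner.feed(markup)
    scanner.close()
    # CSS url(...) references, in style attributes and <style> blocks alike.
    # Simplification: a font if the file extension says so, otherwise an image.
    for url in CSS_URL.findall(markup):
        is_font = url.split("?")[0].lower().endswith(FONT_EXT)
        scanner.add("font" if is_font else "image", url)
    return dict(scanner.found)

# Constructed sample creative; every hostname is a placeholder.
SAMPLE_AD = """<div style="background:url(http://cdn.example.test/bg.png)">
<iframe src="http://ads.example.test/frame.html"></iframe>
<img src="https://cdn.example.test/ok.png">
<img src="http://track.example.test/pixel.gif">
<script src="http://cdn.example.test/ad.js"></script>
<link rel="stylesheet" href="http://cdn.example.test/ad.css">
<style>@font-face{font-family:x;src:url('http://cdn.example.test/f.woff2')}</style></div>"""

if __name__ == "__main__":
    for kind, urls in scan(SAMPLE_AD).items():
        print(f"{kind}: {urls}")
```

This inspects static markup only; subresources requested at runtime by scripts or further down a redirection path need a browser-level capture to be seen.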

The potential for these HTTP resources to negatively impact user interaction is quite high, but also quite unnecessary. Monitoring for non HTTPS resources within a given ad campaign is incredibly simple with AdSecure.

SSL non-compliant is among the many detections available within our platform suite. When applied as an alert rule within a project or API analysis, this detection will let you know each and every time a non HTTPS resource is present in the redirection path of a campaign, allowing your ad operations team to eliminate HTTP resources early in the campaign verification process, and to monitor the potential impact they can have on offer conversion once the campaign is live.

Identifying and eliminating HTTP resources isn’t just a best practice when it comes to providing security to users, but also for securing your revenue and making sure each campaign you're running is optimised for user engagement and successful conversion.

If you would like to learn more about how AdSecure can help you maintain HTTPS compliant ads, or any other solution we offer for maintaining high ad quality through safeguarding the user experience, please reach out to support@adsecure.com. We would love to hear from you! 
