The Threat
While the entire world is moving in the direction of secure Internet connections and using HTTPS for almost all web sites, people may become less cautious believing that they are secured. This introduces attackers with easier ways to steal private information or take over users’ machines control.
Mixed content web sites are looking protected while some of the resources used by them are downloaded via the unsecured HTTP protocol. Files downloaded via HTTP from web applications served with the secure HTTPS protocol are even more serious threats for the end-users.
Google Chrome
As Google is always concerned with user privacy and web content security, last October they announced measures to tighten security rules in the Chrome browser to deal with the mixed content problem. Step by step, they made Chrome block all HTTP resources (images, videos, etc.) in HTTPS web pages if these resources are not available over a secure connection. This process ends with the Chrome 86 release that will completely block images loaded via the unsecured connections.
The next step is to deal with the files that are loaded via HTTP and linked from a secure page. The first Chrome update that will affect how files are downloaded will be 82. Here is the Google plan for this:
Chrome version 84 that is going to start blocking archives will be released in August 2020. The story will end in October with the release of version 86.
What Does This Mean?
If you do not have web sites or applications with mixed content or if all your applications use HTTPS - you do not need to care about this. However, if any of your web resources still do not work via HTTPS, this is a good time to stop using HTTP and improve security. So, don’t lose time and go for an SSL certificate.
What About ClickHelp?
If you are a ClickHelp user, do these changes affect you? No - all ClickHelp resources including customer documentation portals are secured with a valid TLS certificate and we do not use HTTP protocol anywhere.
A little bit of a different situation takes place when you apply custom domain mapping settings to your portal. In this case, you need to care about secure connections. For this, get a valid certificate for the custom documentation portal domain (e.g. help.product.org) and apply it in your portal’s Domain Management settings.
Do You Have to Pay for a Certificate?
Usually, you need to purchase a TLS certificate from one of the trusted authorities (e.g. Comodo, GoDaddy, GlobalSign, etc.). As a rule, a specific domain certificate that does not have wildcards is quite affordable and can be purchased for $10-250 per year. However, there is an option for those who do not want to pay for ‘air’, or for whom the procedure of paying for a certificate through the Finance department is complicated enough to avoid this.
We are talking about the Let’s Encrypt certificate authority. This non-profit service is provided by the Internet Security Research Group (ISRG) and offers TLS certificates for everybody for free. It is possible to generate both default and wildcard DV certificates that are trusted by all modern browsers and services. Certificates generated by this service are valid for 90 days and so need to be updated within this period. There are a lot of client applications that work with the service using the ACME protocol and allow automating the renewal process.
So, you can either buy a certificate or get one for free from Let’s Encrypt, it’s up to you. But we encourage you to stop using HTTP and switch to a protected way of communication if you have not yet. Be secure. Stay safe.
Good luck with your technical writing!
ClickHelp Team
Author, host and deliver documentation across platforms and devices