You should define https versions as canonical, that should do the trick :)

Thanks Ganzojin, you're right that would do the trick.

I'm more curious though as to why after 10+ years of listing http version google has now all of the sudden decided to force the https version. Is this part of their new push to an all secure web?

Are you sure there has not been a leak of URLs under https? Unless you have a 301 redirect from https to http for non-order pages, it is easy to leak the https pages out.

I just checked a site with a similar setup (https for the checkout process only) and Google is still indexing http version. Mind you, the rel canonical specifies http and there is a 301 permanent redirect from https to http for all non-checkout pages.

This particular site has no leaks, in fact we no longer have any live https pages on the site, customers are directed to our main site to order. This site does not have any redirects or canonical dealing with https to http, never had an issue with it before.

What ganzojin said.

Google isn't forcing you to use https, it's just defaulting to the https URL if one exists and you don't specify a preference. See:

[seroundtable.com...]

Google isn't forcing you to use https

EG, I never said google was forcing me to use https.

The article you linked to is confiming what I said, it seems now that if your site has an ssl certificate google will try to link to your site/pages as https.

This is something that many website owners may have never thought to deal with before. I know for our sites, pages that were not meant to be https may not work well, non secure resources may not load well or cause an error for example.

This has been happening for over a year. My advice is 301 quickly as any https pages will be duplicates of the http versions.

Google doesn't put nonexistent URLs in a SERP. If they're listing https, it means that the page in question can actually, in real fact, be reached via https. A quick look at access logs should confirm this. If the googlebot doesn't meet a 301 when requesting https:/ /example.com/ it will assume that https is valid.

<rel="canonical"> is for when a 301 isn't practical or possible, or for when you really don't care which form is used by humans.

Google doesn't put nonexistent URLs in a SERP

Yes, I'd agree with that.

In this case google has made a conscious decision to list a link to an https version of a page just because it can be accessed. There are no links to the https version of the page within the site. The https page ranks in the same place as the http version used to. If there are any external links to the https version (there are none that I can find) there certainly wouldn't be enough to cause the https version to out rank the http version.

Even more odd, in my opinion, the ssl cert for this site is a sha-1, the type of cert google is sun-setting in chrome, they are sending people to the https version and then telling visitors with chrome that the site is not fully secure.

Oh, nice. You mean they're linking to an URL that will result in a browser warning? That borders on willful sabotage. You haven't done something to offend Google have you? ;)

Little ole me, offend google, never ;)

Brief update: took one of our satellite sites the google was listing the httpS version in the serps, Did a re-direct on our side to force everything to http. Rankings and google traffic have since plummeted.

Redirected main site to httpS, rankings and google traffic remain mostly unchanged.