Google Proposes Chrome Browser Marks HTTP Site it Shows as Non Secure

engine

12:30 pm on Dec 17, 2014 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Well, what do you think of the proposal? How would your site fare if it shows as non-secure? This would be especially bad for sites that do retain good security.

Perhaps we should define "security."


We, the Chrome Security Team, propose that user agents (UAs) gradually change their UX to display non-secure origins as affirmatively non-secure. We intend to devise and begin deploying a transition plan for Chrome in 2015.

Source: Google Proposing Marking HTTP Sites as non Secure [chromium.org]


Roughly speaking, there are three basic transport layer security states for web origins:

  • Secure (valid HTTPS, other origins like (*, localhost, *));

  • Dubious (valid HTTPS but with mixed passive resources, valid HTTPS with minor TLS errors); and

  • Non-secure (broken HTTPS, HTTP).



  • Further clarification:

  • Google intends to change Chrome Browser to mark "HTTP" URLs whose page is being shown as "not secure" (think opposite of https green bar)

  • Google also proposes that other User Agents (translated: other browsers such as FF, IE, Safari, etc ) consider doing the same:
    UA vendors who agree with this proposal should decide how best to phase in the UX changes given the needs of their users and their product design constraints.

    [edited by: aakk9999 at 11:19 pm (utc) on Dec 17, 2014]
    [edit reason] Added clarification [/edit]

    brycen

    7:20 am on Dec 18, 2014 (gmt 0)

    10+ Year Member



    Google "knows" if a site is brochureware, or actually has something with a security implication like a form submit.
    There's no reason to put https on a brochureware site: 100% of all the content on those sites is meant to be viewed.

    Wilburforce

    8:08 am on Dec 18, 2014 (gmt 0)

    WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



    I think a principal difficulty in this is that in the public view there is a general conflation of "secure" with "safe".

    HTTPS is a connection protocol, not a guarantee that you won't be fleeced by the site on the other end of the connection.

    There are good reasons to have a secure connection if you are exchanging credit card details or exploitable personal information over it, but not if you are looking at a free cake recipe. The free informational recipe site will be viewed as "unsafe" if Google says "not secure".

    In my view, the very fact that this debate is possible at all shows that Google's present power is unsafe.

    philgames

    11:44 am on Dec 18, 2014 (gmt 0)

    10+ Year Member



    Surely this is defamation?

    Leosghost

    11:57 am on Dec 18, 2014 (gmt 0)

    WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



    Depends on your jurisdiction..and does one take the jurisdiction to be that where the browser displays, or that where G is sending from ( usually the law says the former case applies ) in the UK it would be libel..libel being defamation in writing..damages for loss of revenue or trade or affected business or reputation due to G adding "non-secure" to a URL in the address bar would, no doubt, also be taken into account..

    Stupid arrogant idea from G..but not the first time that they have demonstrated hubris on a massive scale..

    Nearest thing that they could think of to a G seal of approval, but in negative form ?..Next they'll probably become ( or buy out ) a cert authority and offer ( for a fee ) a way to avoid them showing "non-secure" next to your site name..

    netmeg

    1:23 pm on Dec 18, 2014 (gmt 0)

    WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



    Yea, it's a PITA, but I think we're heading to all SSL eventually anyway.

    And I'm reasonably sure that if IE were still the prevalent browser, Microsoft would be likely to do the very same thing.

    Awarn

    1:38 pm on Dec 18, 2014 (gmt 0)

    10+ Year Member



    I think Google is listening to the non computer literate users. I had a woman call and she wanted to buy something but she said the site was insecure. Her reasoning was there was no little lock. The site has EV and is secure but only when they actually go into the checkout.

    I see these issues a lot anymore. I am sorry to say but the idiots are multiplying at an alarming rate (not just computer illiterate issues). I personally think the iPad has created a lot of new users that probably shouldn't be on the net for their own safety. You can put all the SSLs you want on and it still won't matter if these people don't use secure Wi-Fi connections etc. I have seen this with older people who think they are all computer literate etc. with their iPad yet are using public Wi-Fi connections at the nursing home etc. and sitting there using the iPad and checking their bank accounts. The other factor is SSLs are cheap. Spammers, thieves etc. can gladly afford the cheap SSLs and still make sites that will fool these computer illiterate people.

    Pjman

    2:54 pm on Dec 18, 2014 (gmt 0)

    10+ Year Member Top Contributors Of The Month



    In my view, the very fact that this debate is possible at all shows that Google's present power is unsafe.


    Amen! To think that one single company has this power blows my mind!

    randle

    4:53 pm on Dec 18, 2014 (gmt 0)

    WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



    In fact they are proposing exactly the opposite of this - HTTPS to be "business as usual" and show nothing, whereas HTTP would show "not secure".

    And if you're monetising your site in any way, and they implement this, guess what? You better make it HTTPS as fast as you possibly can.

    Nothing will kill conversion worse than a display of "This site is non-secure". In today's world "non secure" means to Joe surfer all sorts of really bad things lurk here, and if you don't exit immediately you will have to beg your nephew one more time to cleanse your computer of evil viruses. It doesn't matter what you think, all that matters is what the visitors believe.

    If they decide to move forward with this there is no fighting it, no resisting. They tried the "you will rank better if you move to HTTPS" and the rate of compliance didn't satisfy them.

    Bottom line - get on with it, don't delay. Its their field, their ball and they make the rules.

    Leosghost

    5:14 pm on Dec 18, 2014 (gmt 0)

    WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



    Bottom line - get on with it, don't delay. Its their field, their ball and they make the rules.

    Various governments around the world would disagree with that, and they have the ability and clout to call time out on G..in their fields, and using their rules..

    Some governments may simply roll over for whatever G or the mega corps do..some already do..

    Peanut45

    6:02 pm on Dec 18, 2014 (gmt 0)

    10+ Year Member



    And if you're monetising your site in any way, and they implement this, guess what? You better make it HTTPS as fast as you possibly can.


    It's impossible for such a change to be made without users learning to ignore it.

    Why? Because they will quickly learn that it's a "cry wolf" indicator, there are plenty of frivolous/informational sites where HTTPS is just not relevant, and without a massive changeover to HTTPS all at once (not going to happen), then bombarding people with warnings where it isn't appropriate is just going to be counter-productive - i.e. they will start ignoring them even when they might be relevant. Or the alternative - scam/spam/dubious ecommerce sites will start being flagged as "secure".

    That's not to mention the implied conflation of transport layer security with backend security, and (astonishingly) that the Adsense auction ad pool is reduced when you implement HTTPS.

    Let's not start assuming that just because (one part of) Google say so, it has to be, or that you have to jump at their command. Sure, they are very powerful, but they have backtracked on plenty of stuff in the past (authorship being an especially significant example).

    RedBar

    6:58 pm on Dec 18, 2014 (gmt 0)

    WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



    Why doesn't Google just bugger off and make its own version of the web and leave the rest of us alone? Oh, the web is Google, fancy that, I never knew they'd been hired to dictate to all and sundry that there was only their version of the web and no one else's.

    I don't know about anyone else however I'm sick to death of this company assuming that it knows absolutely everything...but, of course, they do since they stole it from us!

    lucy24

    8:19 pm on Dec 18, 2014 (gmt 0)

    WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



    what if Google Chrome showed the word "SECURE SITE" next to the existing padlock icon and displayed the whole address line with a green background, a smiley face, and a flashing thumbs-up sign? Non-HTTPS sites would have a tough time winning defamation lawsuits, because Google wouldn't be commenting negatively on their sites

    Mmnn, not so sure about that.
    "Subject A: A fine, upstanding citizen.
    Subject B: A fine, upstanding citizen.
    Subject C: A fine, upstanding citizen.
    Subject D: No comment."
    You don't think Subject D would be able to make a case?

    EditorialGuy

    9:21 pm on Dec 18, 2014 (gmt 0)

    WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



    My guess: In a month (or maybe even a week or two), we won't even be talking about this. It'll be just another flash fire on the forum that ignited, burned out, and was forgotten when the next conflagration came along.

    TheMadScientist

    12:40 am on Dec 19, 2014 (gmt 0)

    WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



    Not talking about and/or discussing something and forgetting about it are two different things -- Guaranteed, whenever the discussion ends, at least one of us won't forget the topic of this one and where Google is pushing things.

    Wilburforce

    1:04 am on Dec 19, 2014 (gmt 0)

    WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



    what if Google Chrome showed the word "SECURE SITE" next to the existing padlock icon


    They are never going to do it that way round, as it would leave them open to claims from anyone who suffered losses after going to a site they said was secure, but wasn't.

    They can't track the status of all sites in real time, so can't guarantee the current security of any site. Safer by far to say it isn't secure, as "Google didn't say it wasn't secure" isn't going to win any claims.

    ogletree

    7:22 am on Dec 19, 2014 (gmt 0)

    WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



    Probably a good time to be in the SSL business.

    lucy24

    9:54 am on Dec 19, 2014 (gmt 0)

    WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



    They can't track the status of all sites in real time

    ? A browser certainly can and should know whether a site's security certificate is valid at time of use.
    browser != search engine ... even when one is called Chrome and the other is called Google.

    Wilburforce

    3:15 pm on Dec 19, 2014 (gmt 0)

    WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



    A browser certainly can and should know whether a site's security certificate is valid at time of use


    It can when it interacts with the server, but the SERPs rely on cached information: Google isn't querying every server in its results, but intends displaying information about security for every result.

    lucy24

    7:15 pm on Dec 19, 2014 (gmt 0)

    WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



    What do SERPs have to do with anything? This thread is about browser behavior.

    Wilburforce

    7:44 pm on Dec 19, 2014 (gmt 0)

    WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



    What do SERPs have to do with anything? This thread is about browser behavior.


    So it is! Sorry, I missed that bit.

    I don't particularly have an issue with a browser telling me that something that ought to be secure is not - FF already tells me if a https page has elements that are not secure - but I don't expect http to be secure in the first place and, if I used Chrome, would very quickly get tired of being told what I already know.

    I reckon they will rapidly lose market share unless all the other browsers follow suit, or unless all site-owners fall into line.

    lucy24

    10:01 pm on Dec 19, 2014 (gmt 0)

    WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



    FF already tells me if a https page has elements that are not secure

    Oh, it's a gecko thing then. I thought Camino* was being old-fashioned by complaining if an https page has http content. (Just how secure does a stylesheet have to be?!)


    * Firefox Lite.
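The proposal quoted at the top of the thread sorts origins into three states (secure, dubious, non-secure), and the exchange just above asks how "secure" a stylesheet needs to be. The following is an added example, written for this page and not code from the Chromium proposal or from any poster: it classifies a page into those three states and shows where an http:// stylesheet lands versus an http:// image. The input shape (`url`, `tls`, `resources`) and the sample pages are constructed assumptions; a browser gets the same facts from its TLS handshake and resource loader. It goes slightly beyond the quoted text by splitting mixed content into passive and active, which is the distinction browsers actually apply.

```javascript
// Added example (not from the Chromium proposal or the thread): classify a
// page's transport-security state into the proposal's three buckets.
// Input shape {url, tls: {valid, error, warnings}, resources: [{url, type}]}
// is an assumption made for this example.

// Subresource types a network attacker can swap without gaining control of
// the rest of the page. Everything else (scripts, stylesheets, frames, fetch,
// fonts, plugins, and anything unknown) is treated as active: a substituted
// stylesheet can restyle forms and, via url() fetches keyed on attribute
// selectors, leak what the user types. A stylesheet over plain HTTP is
// therefore not "just a stylesheet".
const PASSIVE_TYPES = new Set(['image', 'audio', 'video']);

// Hosts the proposal lists as secure regardless of scheme.
const LOCAL_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

// Returns { state, reason, resources } with state one of
// 'secure', 'dubious', 'non-secure'.
function classifyOrigin(page) {
  const origin = new URL(page.url);
  const isLocal = LOCAL_HOSTS.has(origin.hostname);

  if (origin.protocol === 'http:' && !isLocal) {
    return { state: 'non-secure', reason: 'plain HTTP', resources: [] };
  }
  if (origin.protocol === 'https:' && !(page.tls && page.tls.valid)) {
    const err = page.tls && page.tls.error ? page.tls.error : 'no certificate validation result';
    return { state: 'non-secure', reason: `broken HTTPS (${err})`, resources: [] };
  }
  if (origin.protocol !== 'https:' && !isLocal) {
    return { state: 'non-secure', reason: `unrecognised scheme ${origin.protocol}`, resources: [] };
  }

  // Mixed content: subresources fetched over plain HTTP into this page.
  const active = [];
  const passive = [];
  for (const r of page.resources || []) {
    const target = new URL(r.url, page.url); // resolve relative references
    if (target.protocol !== 'http:' || LOCAL_HOSTS.has(target.hostname)) continue;
    (PASSIVE_TYPES.has(r.type) ? passive : active).push(target.href);
  }
  if (active.length) {
    return { state: 'non-secure', reason: 'active mixed content', resources: active };
  }
  if (passive.length) {
    return { state: 'dubious', reason: 'passive mixed content', resources: passive };
  }
  if (page.tls && page.tls.warnings && page.tls.warnings.length) {
    return { state: 'dubious', reason: `minor TLS issues: ${page.tls.warnings.join(', ')}`, resources: [] };
  }
  return {
    state: 'secure',
    reason: isLocal ? 'local origin' : 'valid HTTPS, no mixed content',
    resources: [],
  };
}

// Constructed sample pages (hostnames are placeholders, not real sites).
const SAMPLE_PAGES = [
  { url: 'https://shop.example/checkout', tls: { valid: true },
    resources: [{ url: 'https://cdn.example/app.js', type: 'script' }] },
  { url: 'https://recipes.example/cake', tls: { valid: true },
    resources: [{ url: 'http://img.example/cake.jpg', type: 'image' }] },
  { url: 'https://blog.example/', tls: { valid: true },
    resources: [{ url: 'http://cdn.example/site.css', type: 'stylesheet' }] },
  { url: 'https://old.example/', tls: { valid: false, error: 'certificate expired' }, resources: [] },
  { url: 'https://legacy.example/', tls: { valid: true, warnings: ['SHA-1 signature'] }, resources: [] },
  { url: 'http://brochure.example/', resources: [] },
  { url: 'http://localhost:8080/dev', resources: [] },
];

function classifyAll(pages) {
  return pages.map((p) => ({ url: p.url, ...classifyOrigin(p) }));
}

for (const row of classifyAll(SAMPLE_PAGES)) {
  console.log(row.state.padEnd(10), row.url, '-', row.reason);
}
```

The cake-recipe page with one http:// image is "dubious", not "non-secure"; the blog with an http:// stylesheet is "non-secure", because whoever sits on the network path can rewrite that stylesheet and with it the page. That is the answer to the stylesheet question: the concern is not the secrecy of the CSS but its integrity.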

    TravelMan

    1:27 am on Dec 20, 2014 (gmt 0)

    10+ Year Member



    i quite like the idea of detecting the UA and warning users "The search engine that referred you is a rapacious advertising company that sells your data and habits to advertisers, it also owns the chrome browser - consider changing your browser and search engine"

    JAB Creations

    7:07 am on Dec 20, 2014 (gmt 0)

    WebmasterWorld Senior Member 10+ Year Member



    At best this would only work if you could exceptionally accurately detect certain features associated with the need for a secure connection, such as a sign-in form that is on a credit union's website as a combination. You don't need to wear a hardhat while sleeping.

    - John

    ning

    8:52 am on Dec 20, 2014 (gmt 0)

    10+ Year Member



    Bad idea.

    lucy24

    9:05 am on Dec 20, 2014 (gmt 0)

    WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



    Further idle query: Will someone shortly be handing down a directive to all server administrators, instructing them to listen for https/443 requests if they don't currently do so?

    IanKelley

    7:47 am on Dec 22, 2014 (gmt 0)

    WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



    The NSA revelations changed perspectives on digital security, and were probably the ultimate cause of this move. So in that sense I can appreciate the attempt to make the web more secure by (theoretically) making SSL universal. It wouldn't be the first time G successfully improved the internet in a way that benefited everyone and made them no direct revenue. Chrome's initial impact on browser page rendering times and, especially, javascript rendering efficiency is a good example. It made the modern web possible. Left up to MS and Firefox it would have taken years longer.

    So they have some credibility in that sense... But this is a bit different. The problem is that SSL isn't free. Which is to say there aren't any certificates available that are both free and recognized by all major browsers.

    If G wants to make this push they should also launch a CA that offers entry level certificates, which have universal recognition, for free. It wouldn't be difficult or even all that expensive.

    Otherwise it's the first sign of them losing touch with the concept of a free and open internet with a low barrier to entry. I completely agree with the point made by many in this thread that a "non-secure" stamp would probably send the wrong message to the paranoid masses and could hurt sites that don't want/don't know how to spend money on a certificate.

    The other, smaller, issue is that SSL is expensive in terms of speed. A 3x increase in latency on the initial connection is not negligible. Add to that 6%+ extra bandwidth use and a CPU load increase on both the server and client sides.

    It isn't really noticeable to someone with a low latency connection and a modern PC. But it can make a VERY noticeable difference on a slower connection or a lower end mobile device/netbook.

    Shouldn't a move this big be taking those kinds of users into consideration?

    mcneely

    9:35 am on Dec 22, 2014 (gmt 0)

    WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



    Bad idea. Many users will think that "non-secure" means "infected with viruses" or "may harm your computer".


    This ...

    ronin

    1:41 pm on Dec 23, 2014 (gmt 0)

    WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



    I agree.

    The layperson has every reason to interpret "secure" as "safe to visit" and "non-secure" as "not safe to visit".

    toidi

    3:24 pm on Dec 26, 2014 (gmt 0)

    10+ Year Member Top Contributors Of The Month



    This is priceless! The proverbial fox guarding the henhouse.

    RedBar

    4:45 pm on Dec 26, 2014 (gmt 0)

    WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



    My Firefox already does this for some sites and at times makes me jump through hoops to get to where I want to be which I know is 100% safe.

    Is this similar to what Google is proposing?

    Does anyone else have this with Firefox and have gotten so used to clicking "continue" that it may as well not be there?

    If so then all we'll have for a few weeks is telling customers and friends that there isn't a problem and then all their "hard work" will have been for nothing as no one will believe anything unless it is their antivirus/malware/security/etc which they will then trust more than Google.

    Shoot...foot...loss of credibility for G?