
Forum Moderators: Robert Charlton & goodroi


Google Proposes Chrome Browser Marks HTTP Site it Shows as Non Secure

     
12:30 pm on Dec 17, 2014 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:25841
votes: 847


Well, what do you think of the proposal? How would your site fare if it shows as non-secure? This would be especially bad for sites that do retain good security.

Perhaps we should define "security."


We, the Chrome Security Team, propose that user agents (UAs) gradually change their UX to display non-secure origins as affirmatively non-secure. We intend to devise and begin deploying a transition plan for Chrome in 2015.

Google Proposing Marking HTTP Sites as non Secure [chromium.org]


Roughly speaking, there are three basic transport layer security states for web origins:

  • Secure (valid HTTPS, other origins like (*, localhost, *));

  • Dubious (valid HTTPS but with mixed passive resources, valid HTTPS with minor TLS errors); and

  • Non-secure (broken HTTPS, HTTP).



  • Further clarification:

  • Google intends to change Chrome Browser to mark "HTTP" URLs whose page is being shown as "not secure" (think opposite of https green bar)

  • Google also proposes that other User Agents (translated: other browsers such as FF, IE, Safari, etc.) consider doing the same:
    UA vendors who agree with this proposal should decide how best to phase in the UX changes given the needs of their users and their product design constraints.

    [edited by: aakk9999 at 11:19 pm (utc) on Dec 17, 2014]
    [edit reason] Added clarification [/edit]

  • 1:13 pm on Dec 17, 2014 (gmt 0)

    Moderator from US 

    WebmasterWorld Administrator martinibuster is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

    joined:Apr 13, 2002
    posts:14871
    votes: 478


    The worst case outcome is Google scaring people away from sites that don't need to be secure.
    1:29 pm on Dec 17, 2014 (gmt 0)

    Senior Member from US 

    WebmasterWorld Senior Member netmeg is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

    joined:Mar 30, 2005
    posts:13010
    votes: 222


    Exactly. Geezopete.
    2:10 pm on Dec 17, 2014 (gmt 0)

    Senior Member from GB 

    WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

    joined:Apr 30, 2008
    posts:2630
    votes: 191


    If they do something like this, it would be better that it is limited to pages that post the content back using forms or similar. As mb and netmeg say - if the page does not need to be secure, why scare users away (and most would not know any better).

    How would this affect Adwords if it is perceived that Google is sending users to pages that then show as non-secure in browser?
    2:20 pm on Dec 17, 2014 (gmt 0)

    Preferred Member

    5+ Year Member

    joined:Jan 12, 2012
    posts:397
    votes: 0


    This sounds like a really bad plan, unless they plan on applying it only to specific search phrases that are likely to result in the exchange of financial information (ecommerce, credit card applications, and things like that).
    3:13 pm on Dec 17, 2014 (gmt 0)

    Senior Member

    WebmasterWorld Senior Member 10+ Year Member

    joined:Sept 22, 2002
    posts:1751
    votes: 0


    Bad idea. Many users will think that "non-secure" means "infected with viruses" or "may harm your computer".
    3:13 pm on Dec 17, 2014 (gmt 0)

    Senior Member

    WebmasterWorld Senior Member editorialguy is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

    joined:June 28, 2013
    posts:3365
    votes: 707


    As long as they want to scare users, why not warn people about sites that plant cookies or use tracking code? :-)
    3:22 pm on Dec 17, 2014 (gmt 0)

    Preferred Member

    5+ Year Member Top Contributors Of The Month

    joined:June 26, 2013
    posts:454
    votes: 69


    Google already includes https in the url of listings and most browsers display a secure lock icon. Why is there a need to punitively mark sites as non-secure? I would think if full disclosure and protecting users is important, Google should disclose their relationship to websites in the search results they display (paid and organic). That's what I call transparency and information users would find useful and rather enlightening.
    3:53 pm on Dec 17, 2014 (gmt 0)

    Senior Member

    WebmasterWorld Senior Member editorialguy is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

    joined:June 28, 2013
    posts:3365
    votes: 707


    I see two practical problems with the proposal (my apologies for the alliteration):

    1) Visual clutter (the Web equivalent of "sign pollution") tends to be counterproductive. The more cluttered the browser interface becomes, the more likely it is that users will ignore icons, labels, etc.

    2) Giving mafia-scam dot com a green light because it used HTTPS could easily create a false sense of security for the user. (It's easy to imagine a scenario where crooks would take advantage of a "This site is secure" icon or label.)

    Side note: Just because the Chromium Security Team has floated this idea doesn't mean it will become a reality. I'd guess that the idea probably wouldn't survive user testing, but in the meantime, it's probably useful (from Google's point of view) if it encourages site owners and developers to consider using HTTPS.
    3:54 pm on Dec 17, 2014 (gmt 0)

    Senior Member from US 

    WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

    joined:Apr 9, 2011
    posts:15443
    votes: 738


    Secure (valid HTTPS, other origins like (*, localhost, *))

    I'm tickled by the implication that google is planning to index my personal hard drive-- which would be the least secure thing in the world if any passing search engine could poke around at will. But I don't suppose that is what they meant.

    limited to pages that post the content back using forms or similar

    Even then, not all POSTs are alike. Hate to break it to you, dear user, but spammers already know your email address.
    4:12 pm on Dec 17, 2014 (gmt 0)

    Senior Member from GB 

    WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

    joined:Apr 30, 2008
    posts:2630
    votes: 191


    I'm tickled by the implication that google is planning to index my personal hard drive

    The way I understood, it is not Google SERPs that would display "site secure" icon. The proposal is that User Agents do it, therefore it would be shown in browser next to the address bar, based on what the browser shows.

    So if you use browser to open a file on your hard disk (e.g. your local version of .html page or even an image you have locally and decide to view it using a browser) and likewise, if you use "localhost", it would get marked as "secure".
    5:06 pm on Dec 17, 2014 (gmt 0)

    Full Member

    5+ Year Member

    joined:Dec 11, 2013
    posts:258
    votes: 49


    Unless there is a hidden goal, it would not be a good marketing strategy for Chrome browser:

    Customer: "I see your website shows as not secure?"

    Business: "Chrome is broken. View our website in Firefox, IE, Opera, or Safari."
    5:16 pm on Dec 17, 2014 (gmt 0)

    Senior Member from GB 

    WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

    joined:Apr 30, 2008
    posts:2630
    votes: 191


    ^^^ The proposal is for all browsers to align on this.
    5:27 pm on Dec 17, 2014 (gmt 0)

    Administrator from GB 

    WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

    joined:May 9, 2000
    posts:25841
    votes: 847


    Yes, this is a browser-specific proposal: In this instance, Chrome.

    Google's initiative, imho, comes from the top. The company wants to protect its own data from hacking, and it's in their interest to encourage all sites to go https. See this thread [webmasterworld.com...]

    I do not believe it would be a good move unless it was fully understood what was meant by security.

    I agree, the general public do not fully understand that, and the result of such action would make sites look bad, and ultimately it would affect traffic of http sites.

    So many smaller sites, already under pressure, would suffer further should this proposal go through.
    6:42 pm on Dec 17, 2014 (gmt 0)

    Senior Member from US 

    WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

    joined:Apr 9, 2011
    posts:15443
    votes: 738


    But why in the world would Google, of all people, believe that the average user even looks at their browser's address bar? The trend is toward giving less information, for example by displaying only the hostname (omitting both protocol and path), and by blurring the difference between address and search.

    Even if you're paying attention, you probably don't really notice security-related stuff unless the browser puts up an alert involving mixed content or an unknown/expired certificate. And, come to think of it, I have no idea how the ordinary human responds to this type of alert. (For present purposes, nobody reading this thread counts as an ordinary human.)
    6:53 pm on Dec 17, 2014 (gmt 0)

    Senior Member from US 

    WebmasterWorld Senior Member netmeg is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

    joined:Mar 30, 2005
    posts:13010
    votes: 222


    Don't know, but I'm pretty sure even my 84yr old mom would respond to something that said "non secure" when she visited a site.

    and guess who she'd be responding to to come fix it, too?
    7:09 pm on Dec 17, 2014 (gmt 0)

    Senior Member from US 

    WebmasterWorld Senior Member themadscientist is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

    joined:Apr 14, 2008
    posts:2910
    votes: 62


    It's such an absolutely moronic and unnecessary idea it'll probably pass and give us just what we need: another round of headaches for everyone, courtesy of Google!
    7:23 pm on Dec 17, 2014 (gmt 0)

    Senior Member from FR 

    WebmasterWorld Senior Member leosghost is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

    joined:Feb 15, 2004
    posts:7139
    votes: 410


    So..G are going to warn surfers when adwords lead to non HTTPS sites are they ? ..Hmmmm..I thought not..
    10:25 pm on Dec 17, 2014 (gmt 0)

    Junior Member

    10+ Year Member

    joined:Nov 28, 2005
    posts:128
    votes: 0


    There would be so many warnings that users would just become blind to it and thus decrease the effect when real security issues are highlighted by the browser.

    That alone makes it a really bad idea but then again google rarely applies common sense to its ideas.
    11:22 pm on Dec 17, 2014 (gmt 0)

    Senior Member from GB 

    WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

    joined:Apr 30, 2008
    posts:2630
    votes: 191


    So..G are going to warn surfers when adwords lead to non HTTPS sites are they ? ..Hmmmm..I thought not..

    Not exactly. AFTER the user lands on Adwords landing page, if the page is HTTP, it will show as "not secure" probably somewhere next to (or as a part of) the address bar.

    Think kind of the opposite to how the green bar for HTTPS page is currently displayed.

    I have added the clarification to Neil's opening post.
    11:46 pm on Dec 17, 2014 (gmt 0)

    Senior Member

    WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

    joined:May 22, 2005
    posts:657
    votes: 20


    so Google are trying to set www standards now ?
    12:23 am on Dec 18, 2014 (gmt 0)

    Senior Member from FR 

    WebmasterWorld Senior Member leosghost is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

    joined:Feb 15, 2004
    posts:7139
    votes: 410


    I can see some sites with deep pockets that would sue them back to the garage if they add "non-secure" or "unsecure" next to their site in the address bar..Not all the really big money corps have sites that are HTTPS..and I suspect that in the EU such a move would result in yet another smack from the legislators..

    Libel laws and defamation of character can be applied to corps and organisations as well as individuals, writing "non-secure" or "insecure" next to links in serps or in the address bar would seem to constitute libel and defamation of character, damaging to company, organisation, personal reputation, with loss of trade etc ..

    Hiding the definition of "non-secure" or "insecure" behind another click or in the small print would not make it more legally acceptable..except maybe in G land..
    2:09 am on Dec 18, 2014 (gmt 0)

    Senior Member from US 

    WebmasterWorld Senior Member Top Contributors Of The Month

    joined:Nov 2, 2014
    posts:654
    votes: 313


    Apparently the slight rank boost Google promised was not enough to compel people to make the switch to https. The carrot obviously did not work so it's time for Google to use the stick and give non-https websites a black mark/strike against them.
    2:29 am on Dec 18, 2014 (gmt 0)

    Senior Member

    WebmasterWorld Senior Member editorialguy is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

    joined:June 28, 2013
    posts:3365
    votes: 707


    I can see some sites with deep pockets that would sue them back to the garage if they add "non-secure" or "unsecure" next to their site in the address bar.


    The Chrome browser team's proposal is just that: a proposal. It could be revised and implemented in any number of ways.

    For example, what if Google Chrome showed the word "SECURE SITE" next to the existing padlock icon and displayed the whole address line with a green background, a smiley face, and a flashing thumbs-up sign? Non-HTTPS sites would have a tough time winning defamation lawsuits, because Google wouldn't be commenting negatively on their sites: It would just be showing its love for sites that did use HTTPS.
    2:54 am on Dec 18, 2014 (gmt 0)

    Senior Member from FR 

    WebmasterWorld Senior Member leosghost is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

    joined:Feb 15, 2004
    posts:7139
    votes: 410


    Cute idea, but that really is a desperate "what if" to counter with..
    What if they said "visit this site and we'll save a kitten from the pound", or if they added "eco friendly" next to the padlock, would be equally as silly to posit..

    Or "visit this site and we'll give you a free pony", or "visit this site and we'll give you the moon on a stick"
    ( the char count might be a bit long on that one to fit in the address bar along side the padlock and the URL though ) ..

    Better ( and more realistic) to stick to discussing what they have said is their proposal, rather than trying to hand them passes based upon what they might say or show..

    The cert authorities might also wish to comment about what G think is a good idea, and as someone said elsewhere ..the first time that someone got infected etc from a site that G had given an "extra seal" of approval over and above the one other browsers get..G would also be risking being sued..especially in the USA ( which is very very litigious )..I suspect G will think a bit more about this one ..and say ..whoops..nope ..forget we said that..or restrict it to the USA only..and then they might run afoul of international trade agreements and "interference with trade" etc ..

    If they do try this ..I'm making popcorn..:)

    [edited by: Leosghost at 3:00 am (utc) on Dec 18, 2014]

    2:55 am on Dec 18, 2014 (gmt 0)

    Senior Member from GB 

    WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

    joined:Apr 30, 2008
    posts:2630
    votes: 191


    @EditorialGuy, please read the proposal OP is linking to carefully.

    It actually very explicitly says that they want to emphasise the HTTP site is not secure rather than emphasising a secure site (which is what is happening now). Emphasis mine:
    ...propose that user agents (UAs) gradually change their UX to display non-secure origins as affirmatively non-secure.

    It goes on further, suggesting that in time the secure sites (HTTPS) will not be marked as they are now (for instance, no green bar or padlock) and instead HTTP sites will be marked as non-secure by browser(s):
    Ultimately, we can even imagine a long term in which secure origins are so widely deployed that we can leave them unmarked (as HTTP is today), and mark only the rare non-secure origins

    Therefore, regarding this from your post:
    Non-HTTPS sites would have a tough time winning defamation lawsuits, because Google wouldn't be commenting negatively on their sites

    In fact they are proposing exactly the opposite of this - HTTPS to be "Business as usual" and show nothing, whereas HTTP would show "not secure".
    3:07 am on Dec 18, 2014 (gmt 0)

    Senior Member from FR 

    WebmasterWorld Senior Member leosghost is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

    joined:Feb 15, 2004
    posts:7139
    votes: 410


    Would make browser exploits ( changing what and how the browser operates and what it displays ) catastrophic if they went with what they are proposing..and chrome has had some vulnerabilities, as have the platforms that it runs on, and no doubt others will be found if the stakes are high enough to make the exploit writers' time and effort worthwhile..

    The cert authorities who currently issue ( and charge for ) the green bars and the padlocks will not take kindly to G trying to remove their revenue source..
    3:35 am on Dec 18, 2014 (gmt 0)

    Senior Member

    WebmasterWorld Senior Member editorialguy is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

    joined:June 28, 2013
    posts:3365
    votes: 707


    aakk9999, it's merely a proposal. Remember, too, that it's a proposal for "UA vendors," which means it requires buy-in from people outside Google. That's why the proposal states:

    We’d like to hear everyone’s thoughts on this proposal, and to discuss with the web community about how different transition plans might serve users.


    What's more, it's entirely possible that, by the time this proposal is implemented (if it ever is), HTTPS will be a lot more widespread than it is now.
    4:38 am on Dec 18, 2014 (gmt 0)

    Senior Member from US 

    WebmasterWorld Senior Member themadscientist is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

    joined:Apr 14, 2008
    posts:2910
    votes: 62


    ...it's merely a proposal.

    For other browser vendors. Not for Chrome.

    What's more, it's entirely possible that, by the time this proposal is implemented (if it ever is), HTTPS will be a lot more widespread than it is now.

    HTTPS better take off quick for that to be the case...

    Emphasis Added
    We intend to devise and begin deploying a transition plan for Chrome in 2015.

    What do they mean by transition plan?

    ...the transition plan could be time-based:

    T0 (now): Non-secure origins unmarked

    T1: Non-secure origins marked as Dubious

    T2: Non-secure origins marked as Non-secure

    T3: Secure origins unmarked
    6:26 am on Dec 18, 2014 (gmt 0)

    New User from IN 

    joined:Dec 18, 2014
    posts: 2
    votes: 0


    On topic, Google, I appreciate the focus on security, but stop deciding to simply implement however YOU THINK the web should be working. Ok, technically, it's just a change in the browser, but the semantics are obviously meant to "encourage" everyone to switch to HTTPS. However a good idea some of us think that is, it's not up to you.

    This is why people are getting freaked out about the power you hold. You're starting to demonstrate that you're not afraid to *use* that influence to simply push things to work however you want them to. You've already done that once already by pushing forward an SSL-related change far ahead of when it really needed to be, and now it looks like you're floating a trial balloon to go one step further.

    Am I overreacting here? Or is Google going too far, too fast with this?
    This 66 message thread spans 3 pages: 66
     
