New here; hello all.
As to the security warning - I got the notification last week via email and a notice in GWT.
I don't collect any personal info - no email signups, no contact form - nothing.
I turned up a mention on Webmaster Central that for sites that have comments enabled; the "not secure" warning will appear.
I'm about to migrate a number of sites to a new host; I'm going to go ahead and switch to https at the same time.

Just tested one of my Let's Encrypt https pages with an old smartphone from 2011.
Several warnings about the certificate had been shown.

Hello Area_Man and welcome to WebmasterWorld [webmasterworld.com]

Yes, All pages need to be secure, not just those with LogIn or Credit Card forms. It seems this is being rolled out little by little.

@lucy24 - our host assures me the upgrade to Apache 2.4+ and HTTP/2 for shared hosting is scheduled the 3rd quarter of 2017. They told me that in January and again a month ago. You can also see that I've been badgering them in their support forums (look at Suggestions.)

Seeing as we're in the final month of that time element, academically we should see the upgrade any time now.

However I have also just learned that the next thing they're going to do is upgrade Ngnix on the VPS boxes. Depending on how long that takes, the Shared space upgrade could be kicked down the road further.

But, as I said, all hosts I contacted said they will be supporting HTTP/2 so just for the competition factor alone, we should feel confident it will get done.

In my browsing I see a lot more warnings from https sites than from http sites. Most of these warnings are for non-secure content, but some are for invalid or expired certificates.

@aristotle - interesting. I haven't seen this. I guess a lot of site owners are still figuring this out.

keyplyr -- your browser settings may be different from mine. Or maybe some browsers are more strict than others.

But if people get used to seeing these warnings, they may start ignoring most warnings.

@jetteroheller

Just tested one of my Let's Encrypt https pages with an old smartphone from 2011.
Several warnings about the certificate had been shown.

Which kind of warnings? The certificate itself? The handshake? The protocol? Some servers (software) are disabling by default old protocols, which are considered unsafe (SSL1/2/3 and TLSv1.0), but which can still be used by old devices. Same for the cipher list,

If it's not yet the case, you can test your site : [ssllabs.com...] .

[edited by: Peter_S at 9:06 pm (utc) on Sep 3, 2017]

if people get used to seeing these warnings, they may start ignoring most warnings.

Well I don't expect anyone will be ignoring Not Secure right up there in the address bar.

[blog.chromium.org...]

i usually don't look at the address bar.

The warnings I see for invalid or expired certicicates are small popups in the middle of the screen. For non-secure content, the warnings are at the bottom of the screen, and you have to click "show all content" to see it.

Well I don't expect anyone will be ignoring Not Secure right up there in the address bar.

That's assuming for the sake of discussion that people even look at the address bar. I can't think of any reliable way to find out; an opt-in survey would obviously involve self-selected respondents. (“How many WebmasterWorld readers look at each site’s address bar?” followed by ROFL emoticon of your choice.)

i usually don't look at the address bar.

assuming for the sake of discussion that people even look at the address bar

? Well that's what this entire thread is about.

In October Chrome will advance to the next step with its address bar warnings for non-secure pages (see link I posted above.)

I disagree with the idea that people do not look at the address bar. That would be like crossing a street without looking. Pretty dangerous. How else would you be sure about where you are if not the address bar?

Our plan to label HTTP sites as non-secure is taking place in gradual steps, based on increasingly broad criteria.

[blog.chromium.org...]

After the October update, I wonder how long before *all* HTTP pages are tagged as Not Secure. I'm guessing about this time next year in 2018.

That would be like crossing a street without looking. Pretty dangerous.

Preaching to the choir. Isn't this thread about the actual behavior of actual humans? Otherwise it would be like surveying a group of automotive engineers and then enacting policies based on the assumption that they are representative of average drivers.

Anyway, it's not about agreeing or disagreeing, because it's not an “idea”. It's a question of fact which has yet to be answered.

Well it's not a question as far as I'm concerned. Remember, I don't agree that people don't look at the address bar.

Unless you're on a Search Engine home page, the address bar is also where you search from. Most pages have a big green Secure up there which catches the eye pretty good.

However, I agree the grayish info circle that has so far accompanied the HTTP pages is downplay. Even when they add the Not Secure to it in a couple weeks, IMO it's rather bland. But remember this will evolve :)

I fully expect that Not Secure icon to become more blatant. Google is not going to stop with this. Their "gradual steps" will continue to get more and more explicit.

I think many of the opinions to the contrary are defensive, which is only natural as we get closer to when the hammer falls.

The vast majority don't pay attention to the grey icons, but if something pops up saying 'not secure', they certainly do.
At the moment, the Google pistol aimed at webmaster's heads is half-cocked...it will be fully cocked in 2018 and by 2019 the trigger on http will be pulled, with Not Secure in bold red beside a broken padlock appearing on sites left behind.

Hello TheEnigma and welcome to WebmasterWorld [webmasterworld.com]

So either people are crying wolf or the end of the world is coming. LOL

As I said, at this point nearly all of the warnings I see are for https sites. Either for non-secure content (bottom of screen) or invalid or expired certificates (popups in center of screen.

As I said, at this point nearly all of the warnings I see are for https sites. Either for non-secure content (bottom of screen) or invalid or expired certificates (popups in center of screen.

I didn't understand your remark. What kind of other warnings are you expecting to see?

The only warning which are showing right now on non HTTPS are, when there is a form, with login information.

With Google chrome, when such form is showing on a page, and the site is not in HTTPS, the label insecure appears in front of the address bar.

In FireFox, when you type something into a field, there is a message message above / under the field mentioning the connection is insecure and login info could be compromised.

I didn't understand your remark. What kind of other warnings are you expecting to see?

My point is that, in general browsing, I see far more warnings at https aites than at http sites. Usually these warnings at https sites appear immediately after I reach the site. These warnings (non-secure content and invalid or expired certificates) have nothing to do with forms.

As for http sites, I see very few warnings of any kind.

But as I mentioned, which warnings you see could depend on your browser settings. If you have your browser set for high security, you will likely see more warnings than if it is set at a lower security level.

P.S. In my opinion, a popup warning in the center of the screen, as happens with invalid or expired certificates, is far more likely to scare away visitors than is a non-secure label in the address bar, which many people won't even notice anyway..

P.S. In my opinion, a popup warning in the center of the screen, as happens with invalid or expired certificates, is far more likely to scare away visitors than is a non-secure label in the address bar, which many people won't even notice anyway

Indeed. As it should be.

But I would rather have a valid cert than no cert, as neither will cause that prompt.

My point is that, in general browsing, I see far more warnings at https aites than at http sites /.../

If so, this is perfectly normal; there is no reason to see a warning on HTTP pages, and it's obvious that a misconfigured HTTPS page will show a warning.

The only warning, that Firefox or Chrome are showing, as for HTTP page with login form (when they succeed to identify a login form). So this is not a lot of pages being concerned. Now, the point of this topic is to discuss about the "future" release of Chrome, due to be released next month. From what I understand, the insecure label, which is actually only for pages with login form, will be extended to all pages on which there is a form, no matter the purpose this one (for example a contact form, but also all forms to post comments, etc...). But all this is for next month, not right now.

Also, it's a beginning, no one can tell how it's going to evolve, "may be" one one day, web browsers will start asking for a confirmation that you want to visit an HTTP-only site, another day, it might be Antivirus which will start warming when you visit none HTTPS site, it's hard to tell what the future will be made of.

What kind of other warnings are you expecting to see?

Warnings on HTTP sites that say “this site is not secure: anyone could read your cookies”. That's the step that hasn't come yet.

So either people are crying wolf or the end of the world is coming.

Remember Y2K? As it developed, it became a no-win situation: either everyone takes the trouble to successfully address all issues in good time--and then people blather about it being an imaginary made-up hypothetical non-problem--or someone somewhere fails to address some issue--and then there is a problem. Either way, you can't win.

Lucy -- it was other people here who were talking like the world is coming to an end, not me. I'm not worried about this at all at this point. Maybe I'll do something eventually but I don't feel any urgency to do anything now.

Peter S -- We can speculate all we want about what might happen in the future. What I know for sure is what I see now -- and I see far more warnings, and scarier warnings, for https sites than for http sites.

Peter S -- We can speculate all we want about what might happen in the future.

This is exactly the purpose of this topic. It's not about how things are today, it's how things will be next month, with the next update of Chrome...

it's how things will be next month

Most likely what I reported, i.e. the current situation regarding the warnings encountered at https sites, will still be a part of what we'll see next month.

I haven't see any warnings on HTTPS websites, and I go to several dozen sites a day. Most sites that I visit are HTTPS. I run a directory with a couple thousand sites, They're all HTTPS.

However, if I did see an invalid cert warning, I'd check it out to see why.

keyplyr wrote:
Chrome and Firefox are going to require that all certificates issued in October 2017 and onward will have to be logged in CT logs or they won't be trusted.

So another thing that might happen next month is that Chrome and Firefox could start giving more warnings about invalid (untrusted) certificates.

The purpose is to make the Internet safer and faster*, not easier.


* "faster", when you can use HTTP/2, as well as the future TLSv1.3 and again futher QUIC.