Forum Moderators: Robert Charlton & goodroi

Be HTTPs by October or Chrome will show "not secure" flag

     
3:05 pm on Aug 18, 2017 (gmt 0)

Administrator from US 

WebmasterWorld Administrator goodroi is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:June 21, 2004
posts:3524
votes: 398


Google Chrome 56 has been labeling http password & credit card inputs as "not secure". Starting in October, Chrome 62 will flag any http form & all http pages in incognito mode with a "not secure" warning. This was first announced in April and now Google is reminding http webmasters that October is quickly approaching.

Scared that https will hurt rankings? This is false. Https migration does not hurt rankings when properly implemented. Don't take my word for it, check it out for yourself. The initial wave of complaints was due mostly to a combination of Google reducing the value of redirected links & webmaster error (ie redirect loops, mixed content pages, & orphaned pages). Google has resolved the redirected link juice issues and webmasters now have many https guides to help them avoid mistakes. So start migrating before October is here.
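A pre-migration audit for the rules and migration mistakes described in the post above, as an added example that is not part of the original post and is not Chrome's own logic. The names `audit` and `PageAudit`, the `*.example` hosts and the credit-card heuristic are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute that makes the browser fetch a subresource.
FETCH_ATTRS = {"img": "src", "script": "src", "iframe": "src", "audio": "src",
               "video": "src", "source": "src", "embed": "src", "object": "data"}
NON_DATA_INPUTS = {"hidden", "submit", "button", "reset", "image"}
# Constructed sample: an https page that still references http:// resources.
SAMPLE = ('<img src="http://img.example/a.png"><script src="//cdn.example/x.js">'
          '</script><form action="http://blog.example/c"><textarea></textarea></form>')

class PageAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.scheme = urlparse(page_url).scheme
        self.data_entry = False   # any field a visitor can type into
        self.sensitive = False    # password or credit card field
        self.mixed = []           # http:// subresources on an https page
        self.http_actions = []    # forms on an https page that submit to http://

    def _is_http(self, ref):
        # Resolve relative and protocol-relative references against the page URL.
        return urlparse(urljoin(self.page_url, ref)).scheme == "http"

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ("input", "textarea"):
            kind = a.get("type", "text").lower() if tag == "input" else "text"
            self.data_entry |= kind not in NON_DATA_INPUTS
            # Assumed heuristic: type=password or autocomplete="cc-*".
            self.sensitive |= (kind == "password"
                               or a.get("autocomplete", "").lower().startswith("cc-"))
        if self.scheme != "https":
            return  # mixed content only exists on https pages
        ref = a.get(FETCH_ATTRS.get(tag, ""), "")
        if tag == "link" and "stylesheet" in a.get("rel", "").lower().split():
            ref = a.get("href", "")
        if ref and self._is_http(ref):
            self.mixed.append(ref)
        if tag == "form" and a.get("action") and self._is_http(a["action"]):
            self.http_actions.append(a["action"])

def audit(page_url, html):
    """Apply the warning rules as the post states them, plus a mixed-content scan."""
    p = PageAudit(page_url)
    p.feed(html)
    p.close()
    http = p.scheme == "http"
    return {"chrome56_not_secure": http and p.sensitive,    # password / card inputs
            "chrome62_not_secure": http and p.data_entry,   # any http form
            "chrome62_incognito_not_secure": http,          # all http pages
            "mixed_content": p.mixed,
            "http_form_actions": p.http_actions}
```

Calling `audit("https://blog.example/post", SAMPLE)` reports the `http://` image and the `http://` form action while ignoring the protocol-relative script, which inherits the page's scheme.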
5:13 pm on Sept 2, 2017 (gmt 0)

New User

joined:Sept 2, 2017
posts:1
votes: 0


New here; hello all.
As to the security warning - I got the notification last week via email and a notice in GWT.
I don't collect any personal info - no email signups, no contact form - nothing.
I turned up a mention on Webmaster Central that for sites that have comments enabled, the "not secure" warning will appear.
I'm about to migrate a number of sites to a new host; I'm going to go ahead and switch to https at the same time.
6:25 pm on Sept 2, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member jetteroheller is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 22, 2005
posts:3062
votes: 6


Just tested one of my Let's Encrypt https pages with an old smartphone from 2011.
Several warnings about the certificate had been shown.
6:46 pm on Sept 2, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


Hello Area_Man and welcome to WebmasterWorld [webmasterworld.com]

Yes, all pages need to be secure, not just those with LogIn or Credit Card forms. It seems this is being rolled out little by little.
7:03 pm on Sept 2, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


@lucy24 - our host assures me the upgrade to Apache 2.4+ and HTTP/2 for shared hosting is scheduled the 3rd quarter of 2017. They told me that in January and again a month ago. You can also see that I've been badgering them in their support forums (look at Suggestions.)

Seeing as we're in the final month of that time element, academically we should see the upgrade any time now.

However I have also just learned that the next thing they're going to do is upgrade Nginx on the VPS boxes. Depending on how long that takes, the Shared space upgrade could be kicked down the road further.

But, as I said, all hosts I contacted said they will be supporting HTTP/2 so just for the competition factor alone, we should feel confident it will get done.
8:03 pm on Sept 3, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3671
votes: 374


In my browsing I see a lot more warnings from https sites than from http sites. Most of these warnings are for non-secure content, but some are for invalid or expired certificates.
8:09 pm on Sept 3, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


@aristotle - interesting. I haven't seen this. I guess a lot of site owners are still figuring this out.
8:51 pm on Sept 3, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3671
votes: 374


keyplyr -- your browser settings may be different from mine. Or maybe some browsers are more strict than others.

But if people get used to seeing these warnings, they may start ignoring most warnings.
9:04 pm on Sept 3, 2017 (gmt 0)

Full Member

Top Contributors Of The Month

joined:Apr 20, 2017
posts:334
votes: 73


@jetteroheller
Just tested one of my Let's Encrypt https pages with an old smartphone from 2011.
Several warnings about the certificate had been shown.

Which kind of warnings? The certificate itself? The handshake? The protocol? Some servers (software) are disabling by default old protocols, which are considered unsafe (SSL1/2/3 and TLSv1.0), but which can still be used by old devices. Same for the cipher list.

If it's not yet the case, you can test your site : [ssllabs.com...] .

[edited by: Peter_S at 9:06 pm (utc) on Sep 3, 2017]

9:06 pm on Sept 3, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


if people get used to seeing these warnings, they may start ignoring most warnings.
Well I don't expect anyone will be ignoring Not Secure right up there in the address bar.

[blog.chromium.org...]
9:27 pm on Sept 3, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3671
votes: 374


I usually don't look at the address bar.

The warnings I see for invalid or expired certificates are small popups in the middle of the screen. For non-secure content, the warnings are at the bottom of the screen, and you have to click "show all content" to see it.
9:29 pm on Sept 3, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15928
votes: 884


Well I don't expect anyone will be ignoring Not Secure right up there in the address bar.

That's assuming for the sake of discussion that people even look at the address bar. I can't think of any reliable way to find out; an opt-in survey would obviously involve self-selected respondents. (“How many WebmasterWorld readers look at each site’s address bar?” followed by ROFL emoticon of your choice.)
9:33 pm on Sept 3, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


I usually don't look at the address bar.
assuming for the sake of discussion that people even look at the address bar
? Well that's what this entire thread is about.

In October Chrome will advance to the next step with its address bar warnings for non-secure pages (see link I posted above.)

I disagree with the idea that people do not look at the address bar. That would be like crossing a street without looking. Pretty dangerous. How else would you be sure about where you are if not the address bar?
10:36 pm on Sept 3, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


Our plan to label HTTP sites as non-secure is taking place in gradual steps, based on increasingly broad criteria.
[blog.chromium.org...]

After the October update, I wonder how long before *all* HTTP pages are tagged as Not Secure. I'm guessing about this time next year in 2018.
12:29 am on Sept 4, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15928
votes: 884


That would be like crossing a street without looking. Pretty dangerous.

Preaching to the choir. Isn't this thread about the actual behavior of actual humans? Otherwise it would be like surveying a group of automotive engineers and then enacting policies based on the assumption that they are representative of average drivers.

Anyway, it's not about agreeing or disagreeing, because it's not an “idea”. It's a question of fact which has yet to be answered.
12:52 am on Sept 4, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


Well it's not a question as far as I'm concerned. Remember, I don't agree that people don't look at the address bar.

Unless you're on a Search Engine home page, the address bar is also where you search from. Most pages have a big green Secure up there which catches the eye pretty good.

However, I agree the grayish info circle that has so far accompanied the HTTP pages is downplay. Even when they add the Not Secure to it in a couple weeks, IMO it's rather bland. But remember this will evolve :)

I fully expect that Not Secure icon to become more blatant. Google is not going to stop with this. Their "gradual steps" will continue to get more and more explicit.

I think many of the opinions to the contrary are defensive, which is only natural as we get closer to when the hammer falls.
6:10 am on Sept 4, 2017 (gmt 0)

New User

joined:May 3, 2017
posts:22
votes: 10


The vast majority don't pay attention to the grey icons, but if something pops up saying 'not secure', they certainly do.
At the moment, the Google pistol aimed at webmasters' heads is half-cocked...it will be fully cocked in 2018 and by 2019 the trigger on http will be pulled, with Not Secure in bold red beside a broken padlock appearing on sites left behind.
6:29 am on Sept 4, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


Hello TheEnigma and welcome to WebmasterWorld [webmasterworld.com]
10:45 am on Sept 4, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3671
votes: 374


So either people are crying wolf or the end of the world is coming. LOL

As I said, at this point nearly all of the warnings I see are for https sites. Either for non-secure content (bottom of screen) or invalid or expired certificates (popups in center of screen).
11:03 am on Sept 4, 2017 (gmt 0)

Full Member

Top Contributors Of The Month

joined:Apr 20, 2017
posts:334
votes: 73


As I said, at this point nearly all of the warnings I see are for https sites. Either for non-secure content (bottom of screen) or invalid or expired certificates (popups in center of screen).

I didn't understand your remark. What kind of other warnings are you expecting to see?

The only warnings which are showing right now on non-HTTPS are when there is a form with login information.

With Google Chrome, when such a form is showing on a page, and the site is not in HTTPS, the label insecure appears in front of the address bar.

In Firefox, when you type something into a field, there is a message above / under the field mentioning the connection is insecure and login info could be compromised.
12:59 pm on Sept 4, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3671
votes: 374


I didn't understand your remark. What kind of other warnings are you expecting to see?

My point is that, in general browsing, I see far more warnings at https sites than at http sites. Usually these warnings at https sites appear immediately after I reach the site. These warnings (non-secure content and invalid or expired certificates) have nothing to do with forms.

As for http sites, I see very few warnings of any kind.

But as I mentioned, which warnings you see could depend on your browser settings. If you have your browser set for high security, you will likely see more warnings than if it is set at a lower security level.
1:10 pm on Sept 4, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3671
votes: 374


P.S. In my opinion, a popup warning in the center of the screen, as happens with invalid or expired certificates, is far more likely to scare away visitors than is a non-secure label in the address bar, which many people won't even notice anyway.
1:23 pm on Sept 4, 2017 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Aug 11, 2008
posts:1717
votes: 263


P.S. In my opinion, a popup warning in the center of the screen, as happens with invalid or expired certificates, is far more likely to scare away visitors than is a non-secure label in the address bar, which many people won't even notice anyway
Indeed. As it should be.

But I would rather have a valid cert than no cert, as neither will cause that prompt.
2:07 pm on Sept 4, 2017 (gmt 0)

Full Member

Top Contributors Of The Month

joined:Apr 20, 2017
posts:334
votes: 73


My point is that, in general browsing, I see far more warnings at https sites than at http sites /.../

If so, this is perfectly normal; there is no reason to see a warning on HTTP pages, and it's obvious that a misconfigured HTTPS page will show a warning.

The only warning that Firefox or Chrome are showing is for HTTP pages with a login form (when they succeed in identifying a login form). So this is not a lot of pages being concerned. Now, the point of this topic is to discuss the "future" release of Chrome, due to be released next month. From what I understand, the insecure label, which is actually only for pages with a login form, will be extended to all pages on which there is a form, no matter the purpose of this one (for example a contact form, but also all forms to post comments, etc.). But all this is for next month, not right now.

Also, it's a beginning, no one can tell how it's going to evolve, "maybe" one day, web browsers will start asking for a confirmation that you want to visit an HTTP-only site, another day, it might be antivirus which will start warning when you visit a non-HTTPS site, it's hard to tell what the future will be made of.
4:28 pm on Sept 4, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15928
votes: 884


What kind of other warnings are you expecting to see?
Warnings on HTTP sites that say “this site is not secure: anyone could read your cookies”. That's the step that hasn't come yet.

So either people are crying wolf or the end of the world is coming.
Remember Y2K? As it developed, it became a no-win situation: either everyone takes the trouble to successfully address all issues in good time--and then people blather about it being an imaginary made-up hypothetical non-problem--or someone somewhere fails to address some issue--and then there is a problem. Either way, you can't win.
5:14 pm on Sept 4, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3671
votes: 374


Lucy -- it was other people here who were talking like the world is coming to an end, not me. I'm not worried about this at all at this point. Maybe I'll do something eventually but I don't feel any urgency to do anything now.

Peter S -- We can speculate all we want about what might happen in the future. What I know for sure is what I see now -- and I see far more warnings, and scarier warnings, for https sites than for http sites.
6:28 pm on Sept 4, 2017 (gmt 0)

Full Member

Top Contributors Of The Month

joined:Apr 20, 2017
posts:334
votes: 73


Peter S -- We can speculate all we want about what might happen in the future.

This is exactly the purpose of this topic. It's not about how things are today, it's how things will be next month, with the next update of Chrome...
7:35 pm on Sept 4, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3671
votes: 374


it's how things will be next month

Most likely what I reported, i.e. the current situation regarding the warnings encountered at https sites, will still be a part of what we'll see next month.
7:41 pm on Sept 4, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


I haven't seen any warnings on HTTPS websites, and I go to several dozen sites a day. Most sites that I visit are HTTPS. I run a directory with a couple thousand sites. They're all HTTPS.

However, if I did see an invalid cert warning, I'd check it out to see why.
1:02 pm on Sept 5, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3671
votes: 374


keyplyr wrote:
Chrome and Firefox are going to require that all certificates issued in October 2017 and onward will have to be logged in CT logs or they won't be trusted.

So another thing that might happen next month is that Chrome and Firefox could start giving more warnings about invalid (untrusted) certificates.
1:31 pm on Sept 5, 2017 (gmt 0)

Full Member

Top Contributors Of The Month

joined:Apr 20, 2017
posts:334
votes: 73


The purpose is to make the Internet safer and faster*, not easier.


* "faster", when you can use HTTP/2, as well as the future TLSv1.3 and again further QUIC.
This 148 message thread spans 5 pages.