Welcome to WebmasterWorld Guest from 54.156.58.187

Forum Moderators: Robert Charlton & andy langton & goodroi

Featured Home Page Discussion

Be HTTPs by October or Chrome will show "not secure" flag

     
3:05 pm on Aug 18, 2017 (gmt 0)

Administrator from US 

WebmasterWorld Administrator goodroi is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:June 21, 2004
posts:3274
votes: 220


Google Chrome 56 has been labeling http password & credit card inputs as "not secure". Starting in October, Chrome 62 will flag any http form & all http pages in incognito mode with a "not secure" warning. This was first announced in April and now Google is reminding http webmasters that October is quickly approaching.

Scared that https will hurt rankings? This is false. Https migration does not hurt rankings when properly implemented. Don't take my word for it, check it out for yourself. The initial wave of complaints was due mostly to a combination of Google reducing the value of redirected links & webmaster error (ie redirect loops, mixed content pages, & orphaned pages). Google has resolved the redirected link juice issues and webmasters now have many https guides to help them avoid mistakes. So start migrating before October is here.
1:44 pm on Sept 5, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3225
votes: 228


The purpose is to make the Internet safer

Do you mean that's why Chrome and Firefox are going to require that all certificates issued in October 2017 and onward will have to be logged in CT logs or they won't be trusted?
1:58 pm on Sept 5, 2017 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month

joined:Aug 11, 2008
posts:1482
votes: 168


Having an untrusted Cert is much worse than having no Cert.

It is right to be flagged as such.

But I have never worried that my Cert will be flagged as untrusted, nor have I ever seen a trustworthy site be flagged*

*I lie. I once saw a WinXP machine flag various sites as untrusted because there was a date/time issue, and it flagged all sites as "Cert not yet valid"
4:07 pm on Sept 5, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3225
votes: 228


Having an untrusted Cert is much worse than having no Cert

Can you explain this more fully? Is it the warning that makes it much worse? Or does it have to do with the protocol, or perhaps some inherent problem with the site.

The reason I'm wondering is because a popup warning might scare people away even if the site is safe.
4:29 pm on Sept 5, 2017 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month

joined:Aug 11, 2008
posts:1482
votes: 168


A plain vanilla HTTP site is making no claims and expects no trust, from a data-handling POV.

If a site it using https, it is claiming to be trusted.

It's a bit like claiming to be a doctor, when you're not. Masquerading as something you are not deserves to be highlighted.

So:
No Cert = no claims to be trusted
Untrusted Cert = Invalid claim to be trusted
Trusted Cert = Valid claim to be trusted

Note: Untrusted Certs are not necessarily bad actors, but neither are they definitely to be trusted.
7:04 am on Sept 6, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member jetteroheller is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 22, 2005
posts: 3040
votes: 5


There is always one bug more at changing many sites.
Just discovered why a certain script does not work.

It was loaded by "https://MY_SITE/cgi-bin/my_script.pl".
Chrome showed "not loaded insecure "http://www.MY_SITE/cgi-bin/my_script.pl"
The solution:

in .htaceess was a redirect from not www to www. But this redirect was to http
9:01 pm on Sept 11, 2017 (gmt 0)

Junior Member

5+ Year Member

joined:Apr 7, 2012
posts:75
votes: 13


The old adsense ads that use javascript are not showing up with https. This has reduced my revenue quite dramatically. Is there a way I can fix this without having to change out all of my old ads? I'm planning on rebuilding the site but in the meantime I have to find a quick fix. Thanks.
11:36 pm on Sept 11, 2017 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Oct 14, 2013
posts:2693
votes: 299


The old adsense ads that use javascript are not showing up with https.


Over quite some time I have converted many sites to https and not had a single problem with ads not displaying. As much as I knock G I'd be surprised if it's their fault.

Which implementation of https have you used?
12:17 am on Sept 12, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:9665
votes: 489


The old adsense ads that use javascript are not showing up with https.

Whatagreatdayiti - you need to change your Adsense code... either

Replace the HTTP with HTTPS
- or -
Remove the HTTP and just leave the //pagead2.googlesyndication.com...

This was part of the basic instructions to switch to HTTPS:
- Generic Steps to Switch from HTTP to HTTPS -


Read all info at your host concerning certificates & switching to HTTPS and when applicable, follow those instructions.

Install security certificate.

Have your host enable HTTPS (if needed.) This will enable access from both HTTP & HTTPS allowing normal access while you test.

Go through site, page by page & make sure all file paths are relative (no protocol.) Test by accessing site using HTTPS and look for any browser alerts.

Install 301 code in .htaccess file
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Note: your server may require a different code

Go through site again, page by page, and test. Any remote absolute links will need to be HTTPS including those found in scripts & pluggins. If you publish Adsence or other advertising, links in these scripts need to be HTTPS also (or just remove the protocol altogether.)

Update sitemap.xml (if applicable) and submit to appropriate agencies (Google, Bing, Yandex, etc)

In Google Search Council create a new site using HTTPS (do not use the Change of Address form.) It will take a few days to start populating information. This is normal & traffic to old site (HTTP) will drop off accordingly.

Bing Webmaster Tools, Yandex & others should update automatically once they crawl your new pages. Updating/re-submitting sitemap.xml should speed up this process.
12:40 pm on Sept 13, 2017 (gmt 0)

Junior Member

5+ Year Member

joined:Apr 7, 2012
posts:75
votes: 13


Thanks Keyplyr. I had done almost everything on this list except for the second-to-last item. This is going to be a tedious process, but I can already see good results. I must have missed the memo from Google explaining that the switch to https was going to require a little tweaking of their ad code.
This 99 message thread spans 4 pages: 99