Welcome to WebmasterWorld Guest from 54.198.108.19

Forum Moderators: Robert Charlton & goodroi

Featured Home Page Discussion

Be HTTPs by October or Chrome will show "not secure" flag

     
3:05 pm on Aug 18, 2017 (gmt 0)

Administrator from US 

WebmasterWorld Administrator goodroi is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:June 21, 2004
posts:3316
votes: 242


Google Chrome 56 has been labeling http password & credit card inputs as "not secure". Starting in October, Chrome 62 will flag any http form & all http pages in incognito mode with a "not secure" warning. This was first announced in April and now Google is reminding http webmasters that October is quickly approaching.

Scared that https will hurt rankings? This is false. Https migration does not hurt rankings when properly implemented. Don't take my word for it, check it out for yourself. The initial wave of complaints was due mostly to a combination of Google reducing the value of redirected links & webmaster error (ie redirect loops, mixed content pages, & orphaned pages). Google has resolved the redirected link juice issues and webmasters now have many https guides to help them avoid mistakes. So start migrating before October is here.
1:44 pm on Sept 5, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3281
votes: 244


The purpose is to make the Internet safer

Do you mean that's why Chrome and Firefox are going to require that all certificates issued in October 2017 and onward will have to be logged in CT logs or they won't be trusted?
1:58 pm on Sept 5, 2017 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month

joined:Aug 11, 2008
posts:1526
votes: 186


Having an untrusted Cert is much worse than having no Cert.

It is right to be flagged as such.

But I have never worried that my Cert will be flagged as untrusted, nor have I ever seen a trustworthy site be flagged*

*I lie. I once saw a WinXP machine flag various sites as untrusted because there was a date/time issue, and it flagged all sites as "Cert not yet valid"
4:07 pm on Sept 5, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3281
votes: 244


Having an untrusted Cert is much worse than having no Cert

Can you explain this more fully? Is it the warning that makes it much worse? Or does it have to do with the protocol, or perhaps some inherent problem with the site.

The reason I'm wondering is because a popup warning might scare people away even if the site is safe.
4:29 pm on Sept 5, 2017 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month

joined:Aug 11, 2008
posts:1526
votes: 186


A plain vanilla HTTP site is making no claims and expects no trust, from a data-handling POV.

If a site it using https, it is claiming to be trusted.

It's a bit like claiming to be a doctor, when you're not. Masquerading as something you are not deserves to be highlighted.

So:
No Cert = no claims to be trusted
Untrusted Cert = Invalid claim to be trusted
Trusted Cert = Valid claim to be trusted

Note: Untrusted Certs are not necessarily bad actors, but neither are they definitely to be trusted.
7:04 am on Sept 6, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member jetteroheller is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 22, 2005
posts:3042
votes: 6


There is always one bug more at changing many sites.
Just discovered why a certain script does not work.

It was loaded by "https://MY_SITE/cgi-bin/my_script.pl".
Chrome showed "not loaded insecure "http://www.MY_SITE/cgi-bin/my_script.pl"
The solution:

in .htaceess was a redirect from not www to www. But this redirect was to http
9:01 pm on Sept 11, 2017 (gmt 0)

Junior Member

5+ Year Member

joined:Apr 7, 2012
posts:76
votes: 13


The old adsense ads that use javascript are not showing up with https. This has reduced my revenue quite dramatically. Is there a way I can fix this without having to change out all of my old ads? I'm planning on rebuilding the site but in the meantime I have to find a quick fix. Thanks.
11:36 pm on Sept 11, 2017 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Oct 14, 2013
posts:2749
votes: 327


The old adsense ads that use javascript are not showing up with https.


Over quite some time I have converted many sites to https and not had a single problem with ads not displaying. As much as I knock G I'd be surprised if it's their fault.

Which implementation of https have you used?
12:17 am on Sept 12, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:10090
votes: 548


The old adsense ads that use javascript are not showing up with https.

Whatagreatdayiti - you need to change your Adsense code... either

Replace the HTTP with HTTPS
- or -
Remove the HTTP and just leave the //pagead2.googlesyndication.com...

This was part of the basic instructions to switch to HTTPS:
- Generic Steps to Switch from HTTP to HTTPS -


• Read all info at your host concerning certificates & switching to HTTPS and when applicable, follow those instructions.

• Install security certificate.

• Have your host enable HTTPS (if needed.) This will enable access from both HTTP & HTTPS allowing normal access while you test.

• Go through site, page by page & make sure all file paths are relative (no protocol.) Test by accessing site using HTTPS and look for any browser alerts.

• Install 301 code in .htaccess file
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Note: your server may require a different code

• Go through site again, page by page, and test. Any remote absolute links will need to be HTTPS including those found in scripts & pluggins. If you publish Adsence or other advertising, links in these scripts need to be HTTPS also (or just remove the protocol altogether.)

• Update sitemap.xml (if applicable) and submit to appropriate agencies (Google, Bing, Yandex, etc)

• In Google Search Council create a new site using HTTPS (do not use the Change of Address form.) It will take a few days to start populating information. This is normal & traffic to old site (HTTP) will drop off accordingly.

• Bing Webmaster Tools, Yandex & others should update automatically once they crawl your new pages. Updating/re-submitting sitemap.xml should speed up this process.
12:40 pm on Sept 13, 2017 (gmt 0)

Junior Member

5+ Year Member

joined:Apr 7, 2012
posts:76
votes: 13


Thanks Keyplyr. I had done almost everything on this list except for the second-to-last item. This is going to be a tedious process, but I can already see good results. I must have missed the memo from Google explaining that the switch to https was going to require a little tweaking of their ad code.
3:59 pm on Sept 29, 2017 (gmt 0)

Preferred Member from IN 

Top Contributors Of The Month

joined:Apr 30, 2017
posts:476
votes: 67


Finally switched to https now.

I have one problem: sitemap is still in HTTP, it is generated using Yoast SEO. What should I do now?

Also if it is possible for anyone, please open my (URL in profile) and check if it is working fine, I will appreciate it. Thanks
6:30 pm on Sept 29, 2017 (gmt 0)

Preferred Member from IN 

Top Contributors Of The Month

joined:Apr 30, 2017
posts:476
votes: 67


Today looks like to be my bad day... installed SSL, all done but now the response time of SSL is 558ms! Site speed increased! :(
6:47 pm on Sept 29, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3281
votes: 244


Also if it is possible for anyone, please open my (URL in profile) and check if it is working fine, I will appreciate it. Thanks

The name of your site is in your profile, but didn't see a URL. So I did a google search for the name of your site, and it ranked number 1. The google link is still http. But when I clicked it, the browser was re-directed to the https URL, and the page loaded with no problems. So everything looks good
6:57 pm on Sept 29, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:14246
votes: 550


sitemap is still in HTTP, it is generated using Yoast SEO

Surely there's a simple setting you can change?


[edited by: Robert_Charlton at 7:18 pm (utc) on Sep 30, 2017]
[edit reason] Edit made at poster's request [/edit]

10:37 pm on Sept 29, 2017 (gmt 0)

Full Member

Top Contributors Of The Month

joined:Apr 20, 2017
posts:297
votes: 55


now the response time of SSL is 558ms

Do you mean TTFB (Time To First Byte)?

From what I understood you are using CloudFlare as frontend, since I never used them, I am not sure how it works between CloudFlare and "your" server.

But on your own site, to improve TLS speed , you can use HTTP/2, you can refine your cipher list to keep only the strict minimum (for example AES128-GCM and CHACHA20-POLY1305), if your page loads plenty of .js. and .css files, you should try to merge them to limit the number of requests, you can use preload server header, to load blocking resources in parallel (which with some sever software will exploit the HTTP/2 push feature), you can also use ECDSA certificates, they are smaller, and faster compared to RSA, etc... Also, if your site is running on a old server (or shared host), it's possible the encryption is exhausting the CPU
5:19 am on Sept 30, 2017 (gmt 0)

Preferred Member from IN 

Top Contributors Of The Month

joined:Apr 30, 2017
posts:476
votes: 67


Aristotle thank you!

lucy24 Yes. It was actually a Yoast SEO bug. I just disabled and re-enabled, this did the trick :D

@Peter When I tested the site on Pingdom, I got to know the wait or response time of SSL. Check here [imgur.com...]
2:01 pm on Sept 30, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3281
votes: 244


Mayank Parmar -- Some members of Webmaster World have reported that their google traffic dropped shortly after switching a site to https.
5:57 pm on Sept 30, 2017 (gmt 0)

Preferred Member from IN 

Top Contributors Of The Month

joined:Apr 30, 2017
posts:476
votes: 67


Aristotle, It seems same for me. I will have same or more page views than previous Saturday. Keeping an eye though.
7:00 pm on Sept 30, 2017 (gmt 0)

Junior Member

joined:Aug 9, 2017
posts:52
votes: 6


Hello, Does anyone know if this starts Oct 1 or just “sometime early October” ? Thanks
11:49 am on Oct 1, 2017 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Apr 29, 2005
posts:2016
votes: 82


Chrome v 62 is scheduled for 17th October. This is the version which will mark some http web pages as insecure.
2:00 pm on Oct 1, 2017 (gmt 0)

Preferred Member from IN 

Top Contributors Of The Month

joined:Apr 30, 2017
posts:476
votes: 67


Is there any chance of my rank to change after HTTPS? I just want them to remain stable.
4:12 pm on Oct 1, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Feb 3, 2014
posts:1063
votes: 243


This might be a dumb question, but I wonder if Google will look at shared certificates like Let's Encrypt or those provided by Cloudflare to free accounts as legitimate or as "sub standard" certificates. Does a paid high assurance certificate make any difference? I would suspect it could be a trust trigger point. Documented replies preferred...not assumption...like I'm doing. lol

I guess my point here is that many report losses of traffic when they go to https (hope they are not gong by their GWT old http site settings...gotta update it to https.)
How many of those that loss traffic are using free certificates and how many are using paid certs. I am interested to know...
4:31 pm on Oct 1, 2017 (gmt 0)

Preferred Member from IN 

Top Contributors Of The Month

joined:Apr 30, 2017
posts:476
votes: 67


There is a problem! I have the COMODO SSL installed. On Internet Explorer and Microsoft Edge in Windows Phone 8 and Windows 10 Mobile respectively is showing an certificate error to old users (who haven’t cleared the cache). It works after clearing the browser history, I have tested it on 5 devices and that’s a solution. As a result, I’m seeing a -20% drop in direct traffic. I cannot ask viewers to clear the browser cache, I did clear WP Super cache but it is of no help!

My htaccess cache setting: [imgur.com...]

[edited by: MayankParmar at 5:08 pm (utc) on Oct 1, 2017]

4:47 pm on Oct 1, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3281
votes: 244


There is a problem! I have the COMODO SSL installed. On Internet Explorer and Microsoft Edge in Windows Phone 8 and Windows 10 Mobile respectively is showing an certificate error to old users (who haven’t cleared the cache). It works after clearing the browser history, I have tested it on 5 devices and that’s a solution. As a result, I’m seeing a big drop in direct traffic. I cannot ask viewers to clear the browser cache, I did clear WP Super cache but it is of no help!

But if it's only those two browsers plus caches, wouldn't that just be a very small percentage of all users? So if you're a "big drop", maybe something else is also having an effect.
4:56 pm on Oct 1, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3281
votes: 244


Also, even if real actual traffic from google stays the same, shouldn't reported google traffic increase, because of browser hehavior being different for https sites compared to http sites?
5:11 pm on Oct 1, 2017 (gmt 0)

Preferred Member from IN 

Top Contributors Of The Month

joined:Apr 30, 2017
posts:476
votes: 67


I should haven't stated it as a big drop, it appears that GA was stuck. The drop is 20% and only in direct traffic, Organic traffic is actually in green today, better than normal days.

May be I should wait for those readers to reset the browser? Hopefully they will do it soon as Edge, IE on Windows Phone becomes buggy if the cache is not cleared in every few days.
5:16 pm on Oct 1, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3281
votes: 244


Your reported google traffic should increase even if the actual google traffic stays the same. Some of the "direct" traffic you saw before was actually google traffic.
5:52 pm on Oct 1, 2017 (gmt 0)

Preferred Member from IN 

Top Contributors Of The Month

joined:Apr 30, 2017
posts:476
votes: 67


@aristotle Ah, do I need to wait or is there something else that can be done? It is a very small portion of total traffic (Organic + Direct).

Or may be the direct traffic data shifted to organic section after the HTTPS change, is that possible?
6:22 pm on Oct 1, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month

joined:Sept 14, 2011
posts:921
votes: 96


This might be a dumb question, but I wonder if Google will look at shared certificates like Let's Encrypt or those provided by Cloudflare to free accounts as legitimate or as "sub standard" certificates.


Not a dumb question at all Let's Encrypt are not shared certs but Cloudflare free accounts are. Google does not appear to have a problem with either Cloudflare or Let's Encrypt but I haven't analysed in any detail and this may not be the case with all SE's.

Penalised by association, when cloudflare first launched they hit a problem with Google as Google sometimes penalise all sites under the same ip address, so had to isolate penalised sites and migrate them under new ips. Its possible google could penalise everyone sharing the same certificate (although rather silly) due to one bad egg. I personally always pay for the dedicated cert on cloudflare.
6:25 pm on Oct 1, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3281
votes: 244


Or may be the direct traffic data shifted to organic section after the HTTPS change, is that possible?

Yes I believe that's correct. The latest specifications for browsers allow them to report more information about referals to https sites, although many people are still using older browsers that don't comply.
3:17 pm on Oct 13, 2017 (gmt 0)

New User from GB 

joined:Aug 17, 2017
posts: 4
votes: 0


Any help would be great on this please.....

Recently moved my site over to https:// and every thing was fine for a few weeks.

Now i have lost my secure padlock on all pages and https:// is greyed out. So i ran a test on [jitbit.com...] Now it is showing an error on every single page in regard to fetching content from this unsecured source:
[maps.googleapis.com...]

Does anyone actually know what this is and why it is on every page of my site, i know it is something to do with google map api's but i don't have that on every page?

thanks in advance
This 148 message thread spans 5 pages: 148