Forum Moderators: Robert Charlton & goodroi


Be HTTPs by October or Chrome will show "not secure" flag

         

goodroi

3:05 pm on Aug 18, 2017 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Google Chrome 56 has been labeling http password & credit card inputs as "not secure". Starting in October, Chrome 62 will flag any http form & all http pages in incognito mode with a "not secure" warning. This was first announced in April and now Google is reminding http webmasters that October is quickly approaching.

Scared that https will hurt rankings? This is false. Https migration does not hurt rankings when properly implemented. Don't take my word for it, check it out for yourself. The initial wave of complaints was due mostly to a combination of Google reducing the value of redirected links & webmaster error (i.e. redirect loops, mixed content pages, & orphaned pages). Google has resolved the redirected link juice issues and webmasters now have many https guides to help them avoid mistakes. So start migrating before October is here.

aristotle

1:44 pm on Sep 5, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



The purpose is to make the Internet safer

Do you mean that's why Chrome and Firefox are going to require that all certificates issued in October 2017 and onward will have to be logged in CT logs or they won't be trusted?

Shaddows

1:58 pm on Sep 5, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Having an untrusted Cert is much worse than having no Cert.

It is right to be flagged as such.

But I have never worried that my Cert will be flagged as untrusted, nor have I ever seen a trustworthy site be flagged*

*I lie. I once saw a WinXP machine flag various sites as untrusted because there was a date/time issue, and it flagged all sites as "Cert not yet valid"

aristotle

4:07 pm on Sep 5, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Having an untrusted Cert is much worse than having no Cert

Can you explain this more fully? Is it the warning that makes it much worse? Or does it have to do with the protocol, or perhaps some inherent problem with the site?

The reason I'm wondering is because a popup warning might scare people away even if the site is safe.

Shaddows

4:29 pm on Sep 5, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



A plain vanilla HTTP site is making no claims and expects no trust, from a data-handling POV.

If a site is using https, it is claiming to be trusted.

It's a bit like claiming to be a doctor, when you're not. Masquerading as something you are not deserves to be highlighted.

So:
No Cert = no claims to be trusted
Untrusted Cert = Invalid claim to be trusted
Trusted Cert = Valid claim to be trusted

Note: Untrusted Certs are not necessarily bad actors, but neither are they definitely to be trusted.

jetteroheller

7:04 am on Sep 6, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



There is always one bug more at changing many sites.
Just discovered why a certain script does not work.

It was loaded by "https://MY_SITE/cgi-bin/my_script.pl".
Chrome showed "not loaded insecure http://www.MY_SITE/cgi-bin/my_script.pl".
The solution:

In .htaccess there was a redirect from non-www to www. But this redirect was to http.
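
The failure described in the post above, modelled as an added example (not code from the thread): a canonical-host redirect that hard-codes http sends an https request through an insecure hop, which the browser blocks for a script. The host `example.com`, the function names and the presence of a separate http-to-https rule are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def buggy_rules(url):
    """Constructed model of the .htaccess in the post: returns the redirect target, or None."""
    u = urlsplit(url)
    if not u.netloc.startswith("www."):
        return f"http://www.{u.netloc}{u.path}"   # non-www -> www, but scheme hard-coded to http
    if u.scheme == "http":
        return f"https://{u.netloc}{u.path}"      # assumed http -> https rule
    return None

def fixed_rules(url):
    """Same intent, but one hop that always lands on https://www.<host>."""
    u = urlsplit(url)
    host = u.netloc if u.netloc.startswith("www.") else "www." + u.netloc
    if u.scheme == "http" or host != u.netloc:
        return f"https://{host}{u.path}"
    return None

def redirect_chain(url, rules, max_hops=10):
    """Follow redirects produced by `rules` until a URL is served directly."""
    chain = [url]
    while (nxt := rules(chain[-1])) is not None:
        if nxt in chain or len(chain) >= max_hops:
            raise RuntimeError("redirect loop: " + " -> ".join(chain + [nxt]))
        chain.append(nxt)
    return chain

def downgrades(chain):
    """Hops that go from https to http; a script fetched through one is blocked as mixed content."""
    return [(a, b) for a, b in zip(chain, chain[1:])
            if urlsplit(a).scheme == "https" and urlsplit(b).scheme == "http"]

if __name__ == "__main__":
    start = "https://example.com/cgi-bin/my_script.pl"  # constructed URL
    for name, rules in (("buggy", buggy_rules), ("fixed", fixed_rules)):
        chain = redirect_chain(start, rules)
        print(name, " -> ".join(chain), "| downgrades:", downgrades(chain))
```
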

Whatagreatdayitis

9:01 pm on Sep 11, 2017 (gmt 0)

10+ Year Member Top Contributors Of The Month



The old adsense ads that use javascript are not showing up with https. This has reduced my revenue quite dramatically. Is there a way I can fix this without having to change out all of my old ads? I'm planning on rebuilding the site but in the meantime I have to find a quick fix. Thanks.

RedBar

11:36 pm on Sep 11, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



The old adsense ads that use javascript are not showing up with https.


Over quite some time I have converted many sites to https and not had a single problem with ads not displaying. As much as I knock G I'd be surprised if it's their fault.

Which implementation of https have you used?

keyplyr

12:17 am on Sep 12, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



The old adsense ads that use javascript are not showing up with https.

Whatagreatdayitis - you need to change your AdSense code... either

Replace the HTTP with HTTPS
- or -
Remove the HTTP and just leave the //pagead2.googlesyndication.com...

This was part of the basic instructions to switch to HTTPS:
- Generic Steps to Switch from HTTP to HTTPS -


• Read all info at your host concerning certificates & switching to HTTPS and when applicable, follow those instructions.

• Install security certificate.

• Have your host enable HTTPS (if needed.) This will enable access from both HTTP & HTTPS allowing normal access while you test.

• Go through site, page by page & make sure all file paths are relative (no protocol.) Test by accessing site using HTTPS and look for any browser alerts.

• Install 301 code in .htaccess file
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Note: your server may require a different code

• Go through site again, page by page, and test. Any remote absolute links will need to be HTTPS including those found in scripts & plugins. If you publish AdSense or other advertising, links in these scripts need to be HTTPS also (or just remove the protocol altogether.)

• Update sitemap.xml (if applicable) and submit to appropriate agencies (Google, Bing, Yandex, etc)

• In Google Search Console create a new site using HTTPS (do not use the Change of Address form.) It will take a few days to start populating information. This is normal & traffic to old site (HTTP) will drop off accordingly.

• Bing Webmaster Tools, Yandex & others should update automatically once they crawl your new pages. Updating/re-submitting sitemap.xml should speed up this process.
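
The page-by-page check in the steps above can be scripted. This is an added example, not part of the original post: it scans a page's HTML for resources that would still load over http from an https page, and shows why protocol-relative and relative paths pass. The sample page, its paths and the names `scan`, `RULES` and `MixedContentScanner` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs, grouped by what an http:// value means on an https:// page.
RULES = {
    "active": {("script", "src"), ("iframe", "src"), ("link", "href")},  # blocked by the browser
    "passive": {("img", "src"), ("audio", "src"), ("video", "src")},     # loaded, padlock downgraded
    "form": {("form", "action")},                                         # data submitted in clear
}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, resolved URL) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # rel=canonical and similar are hints, not subresource loads
        for kind, pairs in RULES.items():
            for rule_tag, attr in pairs:
                if rule_tag == tag and attrs.get(attr):
                    # Relative and protocol-relative (//host/...) URLs inherit the page scheme.
                    url = urljoin(self.page_url, attrs[attr])
                    if urlsplit(url).scheme == "http":
                        self.findings.append((kind, tag, url))

def scan(html, page_url):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

PAGE_URL = "https://www.example.com/page.html"  # constructed
SAMPLE = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="canonical" href="http://www.example.com/page.html">
<script src="http://pagead2.googlesyndication.com/example-ad.js"></script>
<script src="//pagead2.googlesyndication.com/example-ad.js"></script>
<script src="http://maps.googleapis.com/example-maps.js"></script>
</head><body>
<img src="http://www.example.com/img/logo.png">
<img src="img/banner.png">
<form action="http://www.example.com/cgi-bin/my_script.pl"></form>
</body></html>"""  # constructed page; file paths are placeholders

if __name__ == "__main__":
    for kind, tag, url in scan(SAMPLE, PAGE_URL):
        print(f"{kind:8} <{tag}> {url}")
```
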

Whatagreatdayitis

12:40 pm on Sep 13, 2017 (gmt 0)

10+ Year Member Top Contributors Of The Month



Thanks Keyplyr. I had done almost everything on this list except for the second-to-last item. This is going to be a tedious process, but I can already see good results. I must have missed the memo from Google explaining that the switch to https was going to require a little tweaking of their ad code.

MayankParmar

3:59 pm on Sep 29, 2017 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month



Finally switched to https now.

I have one problem: sitemap is still in HTTP, it is generated using Yoast SEO. What should I do now?

Also if it is possible for anyone, please open my (URL in profile) and check if it is working fine, I will appreciate it. Thanks

MayankParmar

6:30 pm on Sep 29, 2017 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month



Today looks to be my bad day... installed SSL, all done but now the response time of SSL is 558ms! Site speed increased! :(

aristotle

6:47 pm on Sep 29, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Also if it is possible for anyone, please open my (URL in profile) and check if it is working fine, I will appreciate it. Thanks

The name of your site is in your profile, but didn't see a URL. So I did a google search for the name of your site, and it ranked number 1. The google link is still http. But when I clicked it, the browser was re-directed to the https URL, and the page loaded with no problems. So everything looks good

lucy24

6:57 pm on Sep 29, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



sitemap is still in HTTP, it is generated using Yoast SEO

Surely there's a simple setting you can change?


[edited by: Robert_Charlton at 7:18 pm (utc) on Sep 30, 2017]
[edit reason] Edit made at poster's request [/edit]

Peter_S

10:37 pm on Sep 29, 2017 (gmt 0)

5+ Year Member Top Contributors Of The Month



now the response time of SSL is 558ms

Do you mean TTFB (Time To First Byte)?

From what I understood you are using CloudFlare as frontend, since I never used them, I am not sure how it works between CloudFlare and "your" server.

But on your own site, to improve TLS speed, you can use HTTP/2, you can refine your cipher list to keep only the strict minimum (for example AES128-GCM and CHACHA20-POLY1305), if your page loads plenty of .js and .css files, you should try to merge them to limit the number of requests, you can use preload server header, to load blocking resources in parallel (which with some server software will exploit the HTTP/2 push feature), you can also use ECDSA certificates, they are smaller, and faster compared to RSA, etc... Also, if your site is running on an old server (or shared host), it's possible the encryption is exhausting the CPU.

MayankParmar

5:19 am on Sep 30, 2017 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month



Aristotle thank you!

lucy24 Yes. It was actually a Yoast SEO bug. I just disabled and re-enabled, this did the trick :D

@Peter When I tested the site on Pingdom, I got to know the wait or response time of SSL. Check here [imgur.com...]

aristotle

2:01 pm on Sep 30, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Mayank Parmar -- Some members of Webmaster World have reported that their google traffic dropped shortly after switching a site to https.

MayankParmar

5:57 pm on Sep 30, 2017 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month



Aristotle, It seems same for me. I will have same or more page views than previous Saturday. Keeping an eye though.

HereWeGo123

7:00 pm on Sep 30, 2017 (gmt 0)

5+ Year Member Top Contributors Of The Month



Hello, Does anyone know if this starts Oct 1 or just “sometime early October” ? Thanks

nomis5

11:49 am on Oct 1, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Chrome v 62 is scheduled for 17th October. This is the version which will mark some http web pages as insecure.

MayankParmar

2:00 pm on Oct 1, 2017 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month



Is there any chance of my rank to change after HTTPS? I just want them to remain stable.

samwest

4:12 pm on Oct 1, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



This might be a dumb question, but I wonder if Google will look at shared certificates like Let's Encrypt or those provided by Cloudflare to free accounts as legitimate or as "sub standard" certificates. Does a paid high assurance certificate make any difference? I would suspect it could be a trust trigger point. Documented replies preferred...not assumption...like I'm doing. lol

I guess my point here is that many report losses of traffic when they go to https (hope they are not going by their GWT old http site settings...gotta update it to https.)
How many of those that lost traffic are using free certificates and how many are using paid certs? I am interested to know...

MayankParmar

4:31 pm on Oct 1, 2017 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month



There is a problem! I have the COMODO SSL installed. Internet Explorer and Microsoft Edge in Windows Phone 8 and Windows 10 Mobile respectively are showing a certificate error to old users (who haven’t cleared the cache). It works after clearing the browser history, I have tested it on 5 devices and that’s a solution. As a result, I’m seeing a -20% drop in direct traffic. I cannot ask viewers to clear the browser cache, I did clear WP Super cache but it is of no help!

My htaccess cache setting: [imgur.com...]

[edited by: MayankParmar at 5:08 pm (utc) on Oct 1, 2017]

aristotle

4:47 pm on Oct 1, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



There is a problem! I have the COMODO SSL installed. Internet Explorer and Microsoft Edge in Windows Phone 8 and Windows 10 Mobile respectively are showing a certificate error to old users (who haven’t cleared the cache). It works after clearing the browser history, I have tested it on 5 devices and that’s a solution. As a result, I’m seeing a big drop in direct traffic. I cannot ask viewers to clear the browser cache, I did clear WP Super cache but it is of no help!

But if it's only those two browsers plus caches, wouldn't that just be a very small percentage of all users? So if you're seeing a "big drop", maybe something else is also having an effect.

aristotle

4:56 pm on Oct 1, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Also, even if real actual traffic from google stays the same, shouldn't reported google traffic increase, because of browser behavior being different for https sites compared to http sites?

MayankParmar

5:11 pm on Oct 1, 2017 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month



I shouldn't have stated it as a big drop, it appears that GA was stuck. The drop is 20% and only in direct traffic, Organic traffic is actually in green today, better than normal days.

Maybe I should wait for those readers to reset the browser? Hopefully they will do it soon as Edge, IE on Windows Phone becomes buggy if the cache is not cleared every few days.

aristotle

5:16 pm on Oct 1, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Your reported google traffic should increase even if the actual google traffic stays the same. Some of the "direct" traffic you saw before was actually google traffic.

MayankParmar

5:52 pm on Oct 1, 2017 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month



@aristotle Ah, do I need to wait or is there something else that can be done? It is a very small portion of total traffic (Organic + Direct).

Or maybe the direct traffic data shifted to organic section after the HTTPS change, is that possible?

seoskunk

6:22 pm on Oct 1, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



This might be a dumb question, but I wonder if Google will look at shared certificates like Let's Encrypt or those provided by Cloudflare to free accounts as legitimate or as "sub standard" certificates.


Not a dumb question at all. Let's Encrypt are not shared certs but Cloudflare free accounts are. Google does not appear to have a problem with either Cloudflare or Let's Encrypt but I haven't analysed in any detail and this may not be the case with all SE's.

Penalised by association: when Cloudflare first launched they hit a problem with Google as Google sometimes penalise all sites under the same IP address, so had to isolate penalised sites and migrate them under new IPs. It's possible Google could penalise everyone sharing the same certificate (although rather silly) due to one bad egg. I personally always pay for the dedicated cert on Cloudflare.

aristotle

6:25 pm on Oct 1, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Or maybe the direct traffic data shifted to organic section after the HTTPS change, is that possible?

Yes I believe that's correct. The latest specifications for browsers allow them to report more information about referrals to https sites, although many people are still using older browsers that don't comply.

SEOLeeds

3:17 pm on Oct 13, 2017 (gmt 0)

5+ Year Member



Any help would be great on this please.....

Recently moved my site over to https:// and everything was fine for a few weeks.

Now I have lost my secure padlock on all pages and https:// is greyed out. So I ran a test on [jitbit.com...] Now it is showing an error on every single page in regard to fetching content from this unsecured source:
[maps.googleapis.com...]

Does anyone actually know what this is and why it is on every page of my site? I know it is something to do with Google Maps APIs but I don't have that on every page.

thanks in advance