Be HTTPs by October or Chrome will show "not secure" flag

Forum Moderators: Robert Charlton & goodroi

Message Too Old, No Replies

Be HTTPs by October or Chrome will show "not secure" flag

goodroi

3:05 pm on Aug 18, 2017 (gmt 0)

Google Chrome 56 has been labeling http password & credit card inputs as "not secure". Starting in October, Chrome 62 will flag any http form & all http pages in incognito mode with a "not secure" warning. This was first announced in April and now Google is reminding http webmasters that October is quickly approaching.

Scared that https will hurt rankings? This is false. Https migration does not hurt rankings when properly implemented. Don't take my word for it, check it out for yourself. The initial wave of complaints was due mostly to a combination of Google reducing the value of redirected links & webmaster error (ie redirect loops, mixed content pages, & orphaned pages). Google has resolved the redirected link juice issues and webmasters now have many https guides to help them avoid mistakes. So start migrating before October is here.

aristotle

2:34 pm on Oct 17, 2017 (gmt 0)

Be HTTPs by October or Chrome will show "not secure" flag

What does "by October" mean?

I don't use Chrome, so can't check if the "not secure" flag is showing yet or not.

I've been wondering if this flag will have any noticeable effect on the traffic to my sites, which are still http, but as of today Oct 17, all of them are still going strong.

keyplyr

6:39 pm on Oct 17, 2017 (gmt 0)

Since Chrome is the most widely used browser, would it not be wise to have a copy on your machine, if for nothing else but to test?

I keep a copy of all the major browsers for testing. This is how people view my sites and I don't want to have my head in the sand.

aristotle

8:07 pm on Oct 17, 2017 (gmt 0)

keyplyr wrote:
I don't want to have my head in the sand.

Most people feel the same as you do. I got some sand in my hair once and it's hard to wash out.

browndog

8:42 pm on Oct 17, 2017 (gmt 0)

I see the following in the address bar of my chrome browser.

i Not secure followed by the url

It's not actually that obvious unless you look.

It's more obvious in Firefox where I see a grey padlock with a red line through it on non-secure sites.

I'm slowly migrating my .com.au over to .com, which is also https. So far I've not noticed a drop, but that could be due to the https or the.com helping things along.

keyplyr

9:15 pm on Oct 17, 2017 (gmt 0)

The announcement pertained to Chrome 62, which AFAIK hasn't been released to the public yet.

Starting in October, Chrome 62 will flag any http form & all http pages in incognito mode with a "not secure" warning.

I'm using 61.0.3163.100 (Official Build) (64-bit) but I see plenty of warning for non-secure web content. When Chrome 62 is released, the warning are supposed to be more severe.

...Google is moving from a reward system to a punitive one. Websites using SSL continue to get an SEO boost since it became a confirmed ranking signal in 2014, but we noticed a few months ago that Google was blacklisting non-HTTPS websites that allowed password fields and credit card forms to be filled.... Chrome version 62 will be released, and websites with any kind of text input will require an SSL certificate if they want to avoid a �Not Secure� warning in the address bar.

[blog.sucuri.net...]

This seems to be just the next step toward blacklisting all non-secure content.

HereWeGo123

11:44 pm on Oct 17, 2017 (gmt 0)

I just updated my Chrome to v62, relaunched and visited a website that was http yet had many input fields. No �non-secure� messages.

keyplyr

12:51 am on Oct 18, 2017 (gmt 0)

Yup happened just now - Chrome 62.0.3202.62 (Official Build) (64-bit)

They must be following this thread :)

Not Secure labels for some HTTP pages

As we announced previously, starting in Chrome 62, when a user enters data on an HTTP page, Chrome will mark the page as "Not Secure" with a label in the address bar. This label will also be shown in Incognito Mode for all HTTP pages.

[developers.google.com...]

Currently...

Your connection to this site is not secure.

You should not enter any sensitive information on this site (for example, passwords or credit cards), because it could be stolen by attackers.

Looks like the more severe warnings haven't kicked in yet, giving webmasters some more needed time.

- - -

NickMNS

2:25 am on Oct 18, 2017 (gmt 0)

Yup I got the upgrade as well.

I just tested out my non-https site, that is purely static with no forms and it does not show any warnings. Simply the "i" in a circle.

My https sites show the pad lock with a big "Secure" next to it and then a pipe and the domain name.

I then went to non-https site with a sign-up form and it warns "Not Secure".

keyplyr

2:47 am on Oct 18, 2017 (gmt 0)

I then went to non-https site with a sign-up form and it warns "Not Secure".

I'm having trouble finding a non-https site with a sign-up form.

MayankParmar

4:57 am on Oct 18, 2017 (gmt 0)

I just opened a HTTP Spanish site and on their contact form page, I'm not seeing "NOT SECURE" label even after I have filed it and it is opened in incognito.

Version 62.0.3202.62 (Official Build) (64-bit)

lucy24

5:55 am on Oct 18, 2017 (gmt 0)

Huh. I tried a Contact form on one site and no warning of any kind, not even when I actually clicked Send. This isn't one of those deals where they roll out the Mac and Windows versions at different times, is it?

Maybe they think it's safe because they know the email will be eaten by my ISP. Oh, wait. That's not how any of this works.

MayankParmar

7:44 am on Oct 18, 2017 (gmt 0)

May be it depends on the contact form software?

NickMNS

12:09 pm on Oct 18, 2017 (gmt 0)

I went to wnyc.org to their sign-up page

aristotle

2:09 pm on Oct 18, 2017 (gmt 0)

NickMNS wrote:
I then went to non-https site with a sign-up form and it warns "Not Secure".

Did the warning scare you into leaving the site?

NickMNS

7:43 pm on Oct 18, 2017 (gmt 0)

@aristotle
I can't really answer that question without bias. I went to that site specifically to find the warning. I had noticed, and was surprised, prior to the update that the site was not https. So after Keyplyr alerted me/us to the Chrome update I went specifically to check it out.

I will say that it doesn't appear as alarming as I had imagined. Had the text been red, like the secure is green it would be far more off putting. Also, it only appears on the sign up form. If you do not have any forms, then there is no "Not Secure" warning.

keyplyr

7:51 pm on Oct 18, 2017 (gmt 0)

If you do not have any forms, then there is no "Not Secure" warning.

Unless you are browsing "incognito."

This label will also be shown in Incognito Mode for all HTTP pages.

My stats say about 4% to 6% currently use it on my sites. The overall stats are a little higher I believe.

NickMNS

8:27 pm on Oct 18, 2017 (gmt 0)

I don't see the "Not Secure" in incognito mode unless on a page with forms.
[imgur.com...]

keyplyr

10:23 pm on Oct 18, 2017 (gmt 0)

I'm still thinking this hasn't fully rolled out yet. I know that sounds odd with a browser feature, but there are too many mixed reports.

nomis5

7:22 am on Oct 19, 2017 (gmt 0)

I have an http site with forms. I only see the circled i. There is no "Not Secure". My version of Chrome is up to date - 62.0.3202.62,

Pjman

11:40 am on Oct 19, 2017 (gmt 0)

@nomis5

Same here. That same site received warning in G Search Console that in would be marked insecure.

I think it might be because I'm on a 32-bit OS. Version 62.0.3202.62 (Official Build) (32-bit)

MayankParmar

12:23 pm on Oct 19, 2017 (gmt 0)

Just tested another site in incognito, the pages without form are marked as Not Secure, it appears just before the site is almost loaded.

Not sure how it works. I see Not Secure on some sites while nothing on rest, may be it is fine on sites which haven't received the warning on Google Console?

7_Driver

3:40 pm on Oct 20, 2017 (gmt 0)

Not seeing it on most sites - even ones that had the Google Console warning.

I did try wnyc.org like NickMNS suggested - and it is there on their signup form - but (so far) it's in grey, and quite subtle.

My guess is it's only showing on pages with a password field. (For now).

aristotle

4:14 pm on Oct 20, 2017 (gmt 0)

I thought that Chrome incognito is supposed to show "not secure" on all http pages, even those that don't have forms. Isn't that what the announcement said?

keyplyr

7:33 pm on Oct 20, 2017 (gmt 0)

Again... all indication is showing a slow rollout. I'm seeing "Not Secure" on some pages with input forms, and not others.

I think MayankParmar's theory may be correct:

may be it is fine on sites which haven't received the warning on Google Console?

Googlebot may need to verify noncompliance in concert with the Chrome browser to display the "Not Secure" warning in the address bar. This is a good thing, and would help to avoid false positives.

lucy24

8:58 pm on Oct 20, 2017 (gmt 0)

may be it is fine on sites which haven't received the warning on Google Console?

But what if a site doesn�t have a GSC account in the first place, so there�s nobody to warn? It seems a bit counterintuitive to give them a free pass, if this is ultimately supposed to be about protecting the user.

keyplyr

9:24 pm on Oct 20, 2017 (gmt 0)

so there�s nobody to warn?

I think everyone has been "warned" quite a bit over the last 2 or 3 years.

lucy24

1:23 am on Oct 21, 2017 (gmt 0)

I think everyone has been "warned" quite a bit

For a given definition of �everyone�.

What proportion of websites have GSC accounts?

What proportion of webmasters read the present site--or other webmastering-oriented sites--on a regular basis?

:: insert relevant Hitchhiker quotation here ::

jetteroheller

5:31 am on Oct 31, 2017 (gmt 0)

Where are the differences?
I teached somebody 2007 to create with my CMS his own site with AdSense.

I changed 2015 all to mobile frendly, he remained with the layout from 2007
I changed August 2017 all to https, he remained with http

I discussed with him to change his site to a mobile friendly system and to https.

Okay, let's do it, if there are indicators, that it's good to do it.

I found until now no indicator where his site develops bad compared to my sites.

This 148 message thread spans 5 pages: 148