Welcome to WebmasterWorld Guest from 3.231.228.109

Forum Moderators: Robert Charlton & goodroi

Message Too Old, No Replies

Be HTTPs by October or Chrome will show "not secure" flag

     
3:05 pm on Aug 18, 2017 (gmt 0)

Administrator from US 

WebmasterWorld Administrator goodroi is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:June 21, 2004
posts:3509
votes: 387


Google Chrome 56 has been labeling http password & credit card inputs as "not secure". Starting in October, Chrome 62 will flag any http form & all http pages in incognito mode with a "not secure" warning. This was first announced in April and now Google is reminding http webmasters that October is quickly approaching.

Scared that https will hurt rankings? This is false. Https migration does not hurt rankings when properly implemented. Don't take my word for it, check it out for yourself. The initial wave of complaints was due mostly to a combination of Google reducing the value of redirected links & webmaster error (ie redirect loops, mixed content pages, & orphaned pages). Google has resolved the redirected link juice issues and webmasters now have many https guides to help them avoid mistakes. So start migrating before October is here.
2:34 pm on Oct 17, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3661
votes: 374


Be HTTPs by October or Chrome will show "not secure" flag

What does "by October" mean?

I don't use Chrome, so can't check if the "not secure" flag is showing yet or not.

I've been wondering if this flag will have any noticeable effect on the traffic to my sites, which are still http, but as of today Oct 17, all of them are still going strong.
6:39 pm on Oct 17, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


Since Chrome is the most widely used browser, would it not be wise to have a copy on your machine, if for nothing else but to test?

I keep a copy of all the major browsers for testing. This is how people view my sites and I don't want to have my head in the sand.
8:07 pm on Oct 17, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3661
votes: 374


keyplyr wrote:
I don't want to have my head in the sand.

Most people feel the same as you do. I got some sand in my hair once and it's hard to wash out.
8:42 pm on Oct 17, 2017 (gmt 0)

Full Member

Top Contributors Of The Month

joined:Mar 10, 2017
posts:340
votes: 152


I see the following in the address bar of my chrome browser.

i Not secure followed by the url

It's not actually that obvious unless you look.

It's more obvious in Firefox where I see a grey padlock with a red line through it on non-secure sites.

I'm slowly migrating my .com.au over to .com, which is also https. So far I've not noticed a drop, but that could be due to the https or the.com helping things along.
9:15 pm on Oct 17, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


The announcement pertained to Chrome 62, which AFAIK hasn't been released to the public yet.
Starting in October, Chrome 62 will flag any http form & all http pages in incognito mode with a "not secure" warning.
I'm using 61.0.3163.100 (Official Build) (64-bit) but I see plenty of warning for non-secure web content. When Chrome 62 is released, the warning are supposed to be more severe.

...Google is moving from a reward system to a punitive one. Websites using SSL continue to get an SEO boost since it became a confirmed ranking signal in 2014, but we noticed a few months ago that Google was blacklisting non-HTTPS websites that allowed password fields and credit card forms to be filled.... Chrome version 62 will be released, and websites with any kind of text input will require an SSL certificate if they want to avoid a “Not Secure” warning in the address bar.
[blog.sucuri.net...]

This seems to be just the next step toward blacklisting all non-secure content.
11:44 pm on Oct 17, 2017 (gmt 0)

Junior Member

Top Contributors Of The Month

joined:Aug 9, 2017
posts:152
votes: 20


I just updated my Chrome to v62, relaunched and visited a website that was http yet had many input fields. No “non-secure” messages.
12:51 am on Oct 18, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


Yup happened just now - Chrome 62.0.3202.62 (Official Build) (64-bit)

They must be following this thread :)

Not Secure labels for some HTTP pages

As we announced previously, starting in Chrome 62, when a user enters data on an HTTP page, Chrome will mark the page as "Not Secure" with a label in the address bar. This label will also be shown in Incognito Mode for all HTTP pages.
[developers.google.com...]

Currently...
Your connection to this site is not secure.

You should not enter any sensitive information on this site (for example, passwords or credit cards), because it could be stolen by attackers.
Looks like the more severe warnings haven't kicked in yet, giving webmasters some more needed time.


- - -
2:25 am on Oct 18, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Apr 1, 2016
posts:2714
votes: 823


Yup I got the upgrade as well.

I just tested out my non-https site, that is purely static with no forms and it does not show any warnings. Simply the "i" in a circle.

My https sites show the pad lock with a big "Secure" next to it and then a pipe and the domain name.

I then went to non-https site with a sign-up form and it warns "Not Secure".
2:47 am on Oct 18, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


I then went to non-https site with a sign-up form and it warns "Not Secure".
I'm having trouble finding a non-https site with a sign-up form.
4:57 am on Oct 18, 2017 (gmt 0)

Senior Member from IN 

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Apr 30, 2017
posts:1563
votes: 315


I just opened a HTTP Spanish site and on their contact form page, I'm not seeing "NOT SECURE" label even after I have filed it and it is opened in incognito.

Version 62.0.3202.62 (Official Build) (64-bit)
5:55 am on Oct 18, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15892
votes: 876


Huh. I tried a Contact form on one site and no warning of any kind, not even when I actually clicked Send. This isn't one of those deals where they roll out the Mac and Windows versions at different times, is it?

Maybe they think it's safe because they know the email will be eaten by my ISP. Oh, wait. That's not how any of this works.
7:44 am on Oct 18, 2017 (gmt 0)

Senior Member from IN 

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Apr 30, 2017
posts:1563
votes: 315


May be it depends on the contact form software?
12:09 pm on Oct 18, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Apr 1, 2016
posts:2714
votes: 823


I went to wnyc.org to their sign-up page
2:09 pm on Oct 18, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3661
votes: 374


NickMNS wrote:
I then went to non-https site with a sign-up form and it warns "Not Secure".

Did the warning scare you into leaving the site?
7:43 pm on Oct 18, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Apr 1, 2016
posts:2714
votes: 823


@aristotle
I can't really answer that question without bias. I went to that site specifically to find the warning. I had noticed, and was surprised, prior to the update that the site was not https. So after Keyplyr alerted me/us to the Chrome update I went specifically to check it out.

I will say that it doesn't appear as alarming as I had imagined. Had the text been red, like the secure is green it would be far more off putting. Also, it only appears on the sign up form. If you do not have any forms, then there is no "Not Secure" warning.
7:51 pm on Oct 18, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


If you do not have any forms, then there is no "Not Secure" warning.
Unless you are browsing "incognito."
This label will also be shown in Incognito Mode for all HTTP pages.
My stats say about 4% to 6% currently use it on my sites. The overall stats are a little higher I believe.
8:27 pm on Oct 18, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Apr 1, 2016
posts:2714
votes: 823


I don't see the "Not Secure" in incognito mode unless on a page with forms.
[imgur.com...]
10:23 pm on Oct 18, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


I'm still thinking this hasn't fully rolled out yet. I know that sounds odd with a browser feature, but there are too many mixed reports.
7:22 am on Oct 19, 2017 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Apr 29, 2005
posts:2112
votes: 122


I have an http site with forms. I only see the circled i. There is no "Not Secure". My version of Chrome is up to date - 62.0.3202.62,
11:40 am on Oct 19, 2017 (gmt 0)

Preferred Member

5+ Year Member

joined:Mar 22, 2011
posts:451
votes: 7


@nomis5

Same here. That same site received warning in G Search Console that in would be marked insecure.

I think it might be because I'm on a 32-bit OS. Version 62.0.3202.62 (Official Build) (32-bit)
12:23 pm on Oct 19, 2017 (gmt 0)

Senior Member from IN 

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Apr 30, 2017
posts:1563
votes: 315


Just tested another site in incognito, the pages without form are marked as Not Secure, it appears just before the site is almost loaded.

Not sure how it works. I see Not Secure on some sites while nothing on rest, may be it is fine on sites which haven't received the warning on Google Console?
3:40 pm on Oct 20, 2017 (gmt 0)

Full Member

10+ Year Member

joined:May 3, 2003
posts:278
votes: 22


Not seeing it on most sites - even ones that had the Google Console warning.

I did try wnyc.org like NickMNS suggested - and it is there on their signup form - but (so far) it's in grey, and quite subtle.

My guess is it's only showing on pages with a password field. (For now).
4:14 pm on Oct 20, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3661
votes: 374


I thought that Chrome incognito is supposed to show "not secure" on all http pages, even those that don't have forms. Isn't that what the announcement said?
7:33 pm on Oct 20, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


Again... all indication is showing a slow rollout. I'm seeing "Not Secure" on some pages with input forms, and not others.

I think MayankParmar's theory may be correct:
may be it is fine on sites which haven't received the warning on Google Console?
Googlebot may need to verify noncompliance in concert with the Chrome browser to display the "Not Secure" warning in the address bar. This is a good thing, and would help to avoid false positives.
8:58 pm on Oct 20, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15892
votes: 876


may be it is fine on sites which haven't received the warning on Google Console?
But what if a site doesn’t have a GSC account in the first place, so there’s nobody to warn? It seems a bit counterintuitive to give them a free pass, if this is ultimately supposed to be about protecting the user.
9:24 pm on Oct 20, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


so there’s nobody to warn?
I think everyone has been "warned" quite a bit over the last 2 or 3 years.
1:23 am on Oct 21, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15892
votes: 876


I think everyone has been "warned" quite a bit

For a given definition of “everyone”.

What proportion of websites have GSC accounts?

What proportion of webmasters read the present site--or other webmastering-oriented sites--on a regular basis?

:: insert relevant Hitchhiker quotation here ::
5:31 am on Oct 31, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member jetteroheller is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 22, 2005
posts: 3062
votes: 6


Where are the differences?
I teached somebody 2007 to create with my CMS his own site with AdSense.

I changed 2015 all to mobile frendly, he remained with the layout from 2007
I changed August 2017 all to https, he remained with http

I discussed with him to change his site to a mobile friendly system and to https.

Okay, let's do it, if there are indicators, that it's good to do it.

I found until now no indicator where his site develops bad compared to my sites.
This 148 message thread spans 5 pages: 148