Welcome to WebmasterWorld Guest from 54.224.102.26

Forum Moderators: Robert Charlton & goodroi

Featured Home Page Discussion

Be HTTPs by October or Chrome will show "not secure" flag

     
3:05 pm on Aug 18, 2017 (gmt 0)

Administrator from US 

WebmasterWorld Administrator goodroi is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:June 21, 2004
posts:3317
votes: 243


Google Chrome 56 has been labeling http password & credit card inputs as "not secure". Starting in October, Chrome 62 will flag any http form & all http pages in incognito mode with a "not secure" warning. This was first announced in April and now Google is reminding http webmasters that October is quickly approaching.

Scared that https will hurt rankings? This is false. Https migration does not hurt rankings when properly implemented. Don't take my word for it, check it out for yourself. The initial wave of complaints was due mostly to a combination of Google reducing the value of redirected links & webmaster error (ie redirect loops, mixed content pages, & orphaned pages). Google has resolved the redirected link juice issues and webmasters now have many https guides to help them avoid mistakes. So start migrating before October is here.
3:41 pm on Aug 18, 2017 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month

joined:Aug 11, 2008
posts:1533
votes: 193


Is there a link to source for the re-announcement?

[Edit - was going to add the original link, but nomis5 beat me to the punch]

[edited by: Shaddows at 3:48 pm (utc) on Aug 18, 2017]

3:44 pm on Aug 18, 2017 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Apr 29, 2005
posts:2016
votes: 82


Here's one source

[blog.chromium.org...]
4:16 pm on Aug 18, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3290
votes: 246


[blog.chromium.org...]

Hmm... When I look at the image on that page, I don't see a "not secure" warning anywhere.
does anyone know how big and prominent the warning will be?
5:01 pm on Aug 18, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:July 7, 2003
posts:673
votes: 75


I have migrated nearly all of my sites to https, however there are still issues with loss of traffic.

I recently migrated one of sites back to http after 4 months of traffic and income loss, and the traffic returned to the previous level within a week.
Although I kept the part of the site that users can login to on https.

This site is hosted on an older version of iis, and I am currently testing to see if moving a similar site to a newer version of iis, solves the issue. It may be something to do with the way older versions of iis handle certs, or not. Whatever it is, there was a real loss of traffic and income.
5:27 pm on Aug 18, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:14261
votes: 552


I don't see a "not secure" warning anywhere.

Check your browser settings. It's an animated gif; the opening frames are without the "not secure" element. But you can see what it looks like in the preceding picture, the one in a 3x2 grid showing the before-and-after options.
7:00 pm on Aug 18, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3290
votes: 246


Thanks Lucy
Eventually I'll probably have to take care of this on my sites, even though all the pages are static html with no forms of any kind.. It's part of having to deal with the growing pains of the young web.
12:57 pm on Aug 19, 2017 (gmt 0)

Junior Member

5+ Year Member

joined:Dec 19, 2009
posts: 54
votes: 1


I'm scary with this new, the last website that I changed to https was in Google news, after the change it is out... I only have one site pending to go to https and I do not change it for fear that I get it out from google news.
4:02 pm on Aug 19, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member editorialguy is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month

joined:June 28, 2013
posts:3052
votes: 581


I've got no problem with what they're doing (it's their search engine), but the e-mail's wording was poorly thought out. It included the phrase:

"The following URLs on your site include text input fields (such as < input type="text" > or < input type="email" >) that will trigger the new Chrome warning. "

That statement was followed by a list of sample pages that don't have input fields of any kind.
6:53 pm on Aug 19, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:14261
votes: 552


First the good news: My site search is in a roboted-out directory, so G### can't see its non-secure input form.

Now the bad news: I use Google Custom Search, so they already know about it. Surprisingly, they have not yet sent out a generic message.

They also know that there exists an URL ending in "contact.html". Although they have not seen the actual page, it does not take vast computing resources to flag anything in the form http:// .. contact as highly likely non-secure content.
7:25 pm on Aug 19, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:10119
votes: 551


Posting this again for currency...

- Generic Steps to Switch from HTTP to HTTPS -

Read all info at your host concerning certificates & switching to HTTPS and when applicable, follow those instructions.

Install security certificate.

Have you host enable HTTPS (if needed.) This will enable access from both HTTP & HTTPS.

Go through site, page by page & make sure all file paths are relative (no protocol.) Test by accessing site using HTTPS and look for any browser alerts.

Install 301 code in .htaccess file
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Note: your server may require a different code

Go through site again, page by page, and test. Any remote absolute links will need to be HTTPS including those found in scripts & pluggins. If you publish Adsence or other advertising, links in these scripts need to be HTTPS also (or just remove the protocol altogether.)

Update sitemap.xml (if applicable) and submit to appropriate agencies (Google, Bing, Yandex, etc)

In Google Search Council create a new site using HTTPS (do not use the Change of Address form.) It will take a few days to start populating information. This is normal & traffic to old site (HTTP) will drop off accordingly.

Bing Webmaster Tools, Yandex & others should update automatically once they crawl your new pages. Updating/re-submitting sitemap.xml should speed up this process.

Related discussion: What Will Happen if I Don't Switch to HTTPS? [webmasterworld.com]

- - -
9:05 pm on Aug 19, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3290
votes: 246


Lucy:
Surprisingly, they have not yet sent out a generic message.


Do you mean that you're expecting a message from google about your site?

I've never gotten a message from google about anything
11:55 pm on Aug 19, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:14261
votes: 552


I know they send out messages about Custom Search, because earlier in the year I got a notification that I needed to upgrade from whatever ancient version of the software I was using. (Search is one of those things I installed once--timestamp says it was in June 2013--and haven't looked at since.) So you'd think it is only a matter of time before they start yapping at people who use any form of their Search in http sites.
12:30 am on Aug 20, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3290
votes: 246


So you'd think it is only a matter of time before they start yapping at people who use any form of their Search in http sites.

Somehow this idea seems amusing to me -- that google would use its bots to check all the pages using their custom search and then send a message to the owners if it isn't being used properly LOL
12:33 am on Aug 20, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:10119
votes: 551


People all over are reporting Google emailing them to remind them of the upcoming change to the Chrome browser message:
I received a note from Google this morning advocating for site wide HTTPS and warning about the Chrome update coming in October that will identify every HTTP site as untrustworthy.

They should have written "every HTTP page" but you get the idea.
12:46 am on Aug 20, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3290
votes: 246


People all over are reporting Google emailing them to remind them of the upcoming change to the Chrome browser message:

Well I'm still waiting, but not very hopefully LOL. Actually, for one of my sites I think google would have to use whois records to get the email I use for that site.
3:59 am on Aug 22, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:10119
votes: 551


I've not read anywhere that everyone with a web page will be notified by Google regarding the upcoming changes. Those who have been emailed likely have account with Google with an active contact email address.

At some point there may be an alert added to Google Search Console if your pages are not secure. And of course you'll see the warnings in your browser, and probably a sharp drop in traffic & ad revenue (speculation.)


[edited by: Robert_Charlton at 9:00 pm (utc) on Aug 22, 2017]
[edit reason] fixed typo [/edit]

3:28 am on Aug 23, 2017 (gmt 0)

Preferred Member

10+ Year Member

joined:Mar 10, 2004
posts:436
votes: 29


I recently migrated one of sites back to http after 4 months of traffic and income loss, and the traffic returned to the previous level within a week.


Have you checked your SSL setup at ssllabs? Perhaps you have a stapling issue, SNI issue or older SSL encryption support on your server? There are a variety of things which can cause incompatibility with browsers, especially current versions of Firefox, and older versions of other browsers.

I've moved a dozen of my own sites and several for clients, not one bit of traffic loss.
3:48 am on Aug 23, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:10119
votes: 551


I've moved a dozen of my own sites and several for clients, not one bit of traffic loss.
Agreed

If you saw traffic loss after switching protocol to HTTPS, something was done wrong and blocked that traffic, or as you say glitterball, it could be a server thing handling the cert.

Seems like you would have detected it during your testing phase though.
3:28 pm on Aug 23, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:July 7, 2003
posts:673
votes: 75


Have you checked your SSL setup at ssllabs? Perhaps you have a stapling issue, SNI issue or older SSL encryption support on your server? There are a variety of things which can cause incompatibility with browsers, especially current versions of Firefox, and older versions of other browsers.


Definitely not a SNI issue.
My original thinking was that it could be related to some kind of browser support issue, though I'm not so sure now. I did have chain issues, that were difficult to resolve with one site, so believe me when I say that this was tested extensively.
I certainly couldn't find any browser issues, it worked in ie8 and older android browsers as well as all of the modern ones.

One observation that I noted was that roughly one week after the change back to http, Google referrals doubled, however they have now subsequently dropped back again.
I also remember getting a big initial boost in traffic about a week after the original move to https, only for traffic to tank soon afterwards.

So it could be that some sort of filter is being triggered and my sites are getting penalised.
3:55 pm on Aug 23, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3290
votes: 246


I've been looking at some information about a free version of Cloudflare which automatically converts a site to https. It can be setup and activated through my shared hosting account cPanel.

Apparently Cloudflare fetches all the files from my server and caches them, then applies their own SSL certificate system to them. It also provides some statistics about page views etc.

At first glance this looks like a simple, easy, free way to convert a site to https. Has anyone had any experience with this or know of any pitfalls?
5:15 pm on Aug 23, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:14261
votes: 552


convert a site to https

What's to convert? You add one line to your existing domain-name-canonicalization redirect (in Apache it would be an added RewriteCond), and double-check that none of your internal links are absolute (which they should never have been in the first place).

Within 5 or 10 years, certificates will probably be a built-in part of shared hosting: something they do by default, like DNS, unless you expressly ask them not to.
1:28 pm on Aug 24, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:July 16, 2002
posts:2136
votes: 1


I have an affiliate network of 24 sites that will need the switch to HTTPS. Is there cost effective way to do this when it comes to buying or applying the certs? All of the cart functions are already secure and hosted by the companies I represent. It seems it could become a bit costly to secure what is essentially static content and contact forms on the pages I host. Your thoughts or suggestions are greatly appreciated.
1:41 pm on Aug 24, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Apr 1, 2016
posts:1245
votes: 368


@Jon_King checkout Letsencrypt they offer free certs. They are as good as any.
5:24 pm on Aug 24, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Mar 30, 2006
posts:1472
votes: 87


@Editorial Guy, same here, received the warning for having a quick contact us form on every page, and they call that a security issue? it sucks.
6:30 pm on Aug 24, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:10119
votes: 551


As NickMNS suggested, Lets Encrypt [letsencrypt.org] is free. In most cases there should not be any costs associated with switching protocols.

Downsides of not using HTTPS [webmasterworld.com]
8:15 pm on Aug 24, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:10119
votes: 551


Just noticed the name change to...
Google Chrome: Fast & Secure
11:48 pm on Aug 24, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Mar 30, 2006
posts:1472
votes: 87


I can't help but think... Google (Chrome) pushing https to increase security, a benefit for the users. Didn't they actually created the MFAs? I don't mean Adsense, but the whole push on serps, blogs, and in a whole: MFAS, just like it's been said on other threads, Google is a monster where the left hand doesn't know what the right hand is doing, they should talk between them first, perhaps is a rant after the many things Google created and failed because nobody jumped in.

Google+ "do it or we won't backup that your site is yours yada yada".

To some extent we can fix things without jumping, but in other areas it means we will have to remove some stuff to avoid jumping in. Google has tried to play a dominant part (to abuse) and it's been warned about it (and penalized), yet the free stuff such as Chrome has positioned and will (yes I could say "could", but here it applies a WILL), yes they WILL use that power to push or try to push new "standards"
11:57 pm on Aug 24, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:10119
votes: 551


This is much bigger than MFAs explorador.

All pages, whether you publish Adsense or not, must be secure. All pages, whether they have a Log In or not, must be secure. All pages, whether they accept payment or not, must be secure... so all pages.

This has been in the making for several years, giving site owners enough time to make the changes. It's just finally coming to the point of enforcement.
2:14 am on Aug 25, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member editorialguy is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month

joined:June 28, 2013
posts:3052
votes: 581


@explorador: We don't have *any* forms on our pages. It's almost as if they decided to send out a mailing with sample pages chosen at random.
This 148 message thread spans 5 pages: 148
 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

Featured Threads

Free SEO Tools

Hire Expert Members