Is there a link to source for the re-announcement?

[Edit - was going to add the original link, but nomis5 beat me to the punch]

[edited by: Shaddows at 3:48 pm (utc) on Aug 18, 2017]

Here's one source

[blog.chromium.org...]

[blog.chromium.org...]

Hmm... When I look at the image on that page, I don't see a "not secure" warning anywhere.
does anyone know how big and prominent the warning will be?

I have migrated nearly all of my sites to https, however there are still issues with loss of traffic.

I recently migrated one of sites back to http after 4 months of traffic and income loss, and the traffic returned to the previous level within a week.
Although I kept the part of the site that users can login to on https.

This site is hosted on an older version of iis, and I am currently testing to see if moving a similar site to a newer version of iis, solves the issue. It may be something to do with the way older versions of iis handle certs, or not. Whatever it is, there was a real loss of traffic and income.

I don't see a "not secure" warning anywhere.

Check your browser settings. It's an animated gif; the opening frames are without the "not secure" element. But you can see what it looks like in the preceding picture, the one in a 3x2 grid showing the before-and-after options.

Thanks Lucy
Eventually I'll probably have to take care of this on my sites, even though all the pages are static html with no forms of any kind.. It's part of having to deal with the growing pains of the young web.

I'm scary with this new, the last website that I changed to https was in Google news, after the change it is out... I only have one site pending to go to https and I do not change it for fear that I get it out from google news.

I've got no problem with what they're doing (it's their search engine), but the e-mail's wording was poorly thought out. It included the phrase:

"The following URLs on your site include text input fields (such as < input type="text" > or < input type="email" >) that will trigger the new Chrome warning. "

That statement was followed by a list of sample pages that don't have input fields of any kind.

First the good news: My site search is in a roboted-out directory, so G### can't see its non-secure input form.

Now the bad news: I use Google Custom Search, so they already know about it. Surprisingly, they have not yet sent out a generic message.

They also know that there exists an URL ending in "contact.html". Although they have not seen the actual page, it does not take vast computing resources to flag anything in the form http:// .. contact as highly likely non-secure content.

Posting this again for currency...

- Generic Steps to Switch from HTTP to HTTPS -

• Read all info at your host concerning certificates & switching to HTTPS and when applicable, follow those instructions.

• Install security certificate.

• Have you host enable HTTPS (if needed.) This will enable access from both HTTP & HTTPS.

• Go through site, page by page & make sure all file paths are relative (no protocol.) Test by accessing site using HTTPS and look for any browser alerts.

• Install 301 code in .htaccess file

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Note: your server may require a different code

• Go through site again, page by page, and test. Any remote absolute links will need to be HTTPS including those found in scripts & pluggins. If you publish Adsence or other advertising, links in these scripts need to be HTTPS also (or just remove the protocol altogether.)

• Update sitemap.xml (if applicable) and submit to appropriate agencies (Google, Bing, Yandex, etc)

• In Google Search Council create a new site using HTTPS (do not use the Change of Address form.) It will take a few days to start populating information. This is normal & traffic to old site (HTTP) will drop off accordingly.

• Bing Webmaster Tools, Yandex & others should update automatically once they crawl your new pages. Updating/re-submitting sitemap.xml should speed up this process.

Related discussion: What Will Happen if I Don't Switch to HTTPS? [webmasterworld.com]

- - -

Lucy:
Surprisingly, they have not yet sent out a generic message.

Do you mean that you're expecting a message from google about your site?

I've never gotten a message from google about anything

I know they send out messages about Custom Search, because earlier in the year I got a notification that I needed to upgrade from whatever ancient version of the software I was using. (Search is one of those things I installed once--timestamp says it was in June 2013--and haven't looked at since.) So you'd think it is only a matter of time before they start yapping at people who use any form of their Search in http sites.

So you'd think it is only a matter of time before they start yapping at people who use any form of their Search in http sites.

Somehow this idea seems amusing to me -- that google would use its bots to check all the pages using their custom search and then send a message to the owners if it isn't being used properly LOL

People all over are reporting Google emailing them to remind them of the upcoming change to the Chrome browser message:

I received a note from Google this morning advocating for site wide HTTPS and warning about the Chrome update coming in October that will identify every HTTP site as untrustworthy.

They should have written "every HTTP page" but you get the idea.

People all over are reporting Google emailing them to remind them of the upcoming change to the Chrome browser message:

Well I'm still waiting, but not very hopefully LOL. Actually, for one of my sites I think google would have to use whois records to get the email I use for that site.

I've not read anywhere that everyone with a web page will be notified by Google regarding the upcoming changes. Those who have been emailed likely have account with Google with an active contact email address.

At some point there may be an alert added to Google Search Console if your pages are not secure. And of course you'll see the warnings in your browser, and probably a sharp drop in traffic & ad revenue (speculation.)

[edited by: Robert_Charlton at 9:00 pm (utc) on Aug 22, 2017]
[edit reason] fixed typo [/edit]

I recently migrated one of sites back to http after 4 months of traffic and income loss, and the traffic returned to the previous level within a week.

Have you checked your SSL setup at ssllabs? Perhaps you have a stapling issue, SNI issue or older SSL encryption support on your server? There are a variety of things which can cause incompatibility with browsers, especially current versions of Firefox, and older versions of other browsers.

I've moved a dozen of my own sites and several for clients, not one bit of traffic loss.

I've moved a dozen of my own sites and several for clients, not one bit of traffic loss.

Agreed

If you saw traffic loss after switching protocol to HTTPS, something was done wrong and blocked that traffic, or as you say glitterball, it could be a server thing handling the cert.

Seems like you would have detected it during your testing phase though.

Have you checked your SSL setup at ssllabs? Perhaps you have a stapling issue, SNI issue or older SSL encryption support on your server? There are a variety of things which can cause incompatibility with browsers, especially current versions of Firefox, and older versions of other browsers.

Definitely not a SNI issue.
My original thinking was that it could be related to some kind of browser support issue, though I'm not so sure now. I did have chain issues, that were difficult to resolve with one site, so believe me when I say that this was tested extensively.
I certainly couldn't find any browser issues, it worked in ie8 and older android browsers as well as all of the modern ones.

One observation that I noted was that roughly one week after the change back to http, Google referrals doubled, however they have now subsequently dropped back again.
I also remember getting a big initial boost in traffic about a week after the original move to https, only for traffic to tank soon afterwards.

So it could be that some sort of filter is being triggered and my sites are getting penalised.

I've been looking at some information about a free version of Cloudflare which automatically converts a site to https. It can be setup and activated through my shared hosting account cPanel.

Apparently Cloudflare fetches all the files from my server and caches them, then applies their own SSL certificate system to them. It also provides some statistics about page views etc.

At first glance this looks like a simple, easy, free way to convert a site to https. Has anyone had any experience with this or know of any pitfalls?

convert a site to https

What's to convert? You add one line to your existing domain-name-canonicalization redirect (in Apache it would be an added RewriteCond), and double-check that none of your internal links are absolute (which they should never have been in the first place).

Within 5 or 10 years, certificates will probably be a built-in part of shared hosting: something they do by default, like DNS, unless you expressly ask them not to.

I have an affiliate network of 24 sites that will need the switch to HTTPS. Is there cost effective way to do this when it comes to buying or applying the certs? All of the cart functions are already secure and hosted by the companies I represent. It seems it could become a bit costly to secure what is essentially static content and contact forms on the pages I host. Your thoughts or suggestions are greatly appreciated.

@Jon_King checkout Letsencrypt they offer free certs. They are as good as any.

@Editorial Guy, same here, received the warning for having a quick contact us form on every page, and they call that a security issue? it sucks.

As NickMNS suggested, Lets Encrypt [letsencrypt.org] is free. In most cases there should not be any costs associated with switching protocols.

Downsides of not using HTTPS [webmasterworld.com]

Just noticed the name change to...
Google Chrome: Fast & Secure

I can't help but think... Google (Chrome) pushing https to increase security, a benefit for the users. Didn't they actually created the MFAs? I don't mean Adsense, but the whole push on serps, blogs, and in a whole: MFAS, just like it's been said on other threads, Google is a monster where the left hand doesn't know what the right hand is doing, they should talk between them first, perhaps is a rant after the many things Google created and failed because nobody jumped in.

Google+ "do it or we won't backup that your site is yours yada yada".

To some extent we can fix things without jumping, but in other areas it means we will have to remove some stuff to avoid jumping in. Google has tried to play a dominant part (to abuse) and it's been warned about it (and penalized), yet the free stuff such as Chrome has positioned and will (yes I could say "could", but here it applies a WILL), yes they WILL use that power to push or try to push new "standards"

This is much bigger than MFAs explorador.

All pages, whether you publish Adsense or not, must be secure. All pages, whether they have a Log In or not, must be secure. All pages, whether they accept payment or not, must be secure... so all pages.

This has been in the making for several years, giving site owners enough time to make the changes. It's just finally coming to the point of enforcement.

@explorador: We don't have *any* forms on our pages. It's almost as if they decided to send out a mailing with sample pages chosen at random.