Most hosts do offer SSL for free but I do agree with you. Sites like those business brochure type sites (even with a simple contact form) that do not request any information from the visitor do not need to use https.

Also to most users labeling a site "Secure" like Chrome does now leads them to believe that the site is completely 100% secure. They have no idea that it is just referring to the type of protocol it uses to transport the data back and forth between their browser and the web server.

There are many ways the site could be unsecure and leak data to outside source including:

- buggy code
- not using HTTPS for data the website needs from other sources
- site has been hacked
- storing user personal data unencrypted
- and the list could go on....

Chrome does now leads them to believe that the site is completely 100% secure. They have no idea that it is just referring to the type of protocol it uses to transport the data back and forth between their browser and the web server.

I do agree, but this should only be temporary, as Chrome will be dropping the "Secure" label down the line.

Most hosts do offer SSL for free

Many, I hope, but some large hosts have still decided to use this as a scare tactic, upselling their customers with pricey certificates that have no benefits over free ones.

Still waiting for a definitive answer on this one: will the warning apply to all http URLs, or only to https URLs that do not in fact have a security certificate in place? (Analogous to FF's long-standing infuriating messsage about the site being “configured incorrectly”, which is most charitably described as a lie.)

What you're describing is an interstitial, this is "just" a "Not secure" warning in the address bar for all HTTP URLs. I don't think we'll be seeing an interstitial type warning for that for quite some time.

Related discussions:

Have we seen the promised warning when the site is not secure? [webmasterworld.com]

What Will Happen if I Don't Switch to HTTPS? [webmasterworld.com]

Downsides of not using HTTPS [webmasterworld.com]

Why HTTPS Matters [developers.google.com]

Lets Encrypt FREE Security Certificates [letsencrypt.org]

- - -

I still believe it's an over-the-top alert - it should just have been "secure" or nothing, imho.

it should have been more accurately labeled "(non) encrypted".

it should have been more accurately labeled "(non) encrypted".

But does the average Joe knows what it means to "encrypted" ?

Probably not, but I agree with phranque that the term "secure" is misleading the user to think the site is safe from all threats.

In all events, it's only a transition period. In a near future, access to non HTTPS site will be blocked, or at least a big message will show up asking an explicit approval by the visitor to access it. (same kind of message as when a TLS certificate is not valid)

I guess the SSL just encrypts the your submitted data on the browser. But if the site have suspicious code. Google will still warn you. SSL is just making your password and PIN secure. Hacker wont get your confidential information.

I guess the SSL just encrypts the your submitted data on the browser. But if the site have suspicious code. Google will still warn you. SSL is just making your password and PIN secure. Hacker wont get your confidential information.

"TLS" encrypts the data exchanged between the server and the client, so both the data sent from the client to the server, and the data received from the server by the client are encrypted. This prevent Man-in-the-middle attack for example. This is important , because encrypting your login credentials is one thing, but its also important that the data served be encrypted too. The data sent by the server (pages) can contain confidential information, etc... and without TLS, a hacker, can intercept these information, and can also modify them on the fly.

Well, I guess one of these days they’ll roll out the new Mac version and then we’ll see what all the excitement is about. (Currently 67.lots-of-decimals, “up to date”.)

"TLS"

Without HTTPS, your pages can be modified on the fly, by hackers, if they compromised something between your server and the client accessing your site. They can inject malicious code for example.

[edited by: Robert_Charlton at 4:52 am (utc) on Jul 28, 2018]
[edit reason] Removed reference to earlier post that's gotten deleted. [/edit]

(Currently 67.lots-of-decimals, “up to date”.)

Mine updated to 68.0.3440.75 yesterday.

My Website doesn't have any information to secure it and we are accepting of information from the users.

I once subscribed to that opinion, when I was still naively and blissfully unaware of all the nefarious possibilities that unencrypted communication opens you up to. It was a self-centered perspective. Now I'm convinced there's really no excuse for not protecting the privacy of your users and the integrity of your website.

It's a popular opinion that static, purely informative websites don't need encryption, but really you're not in a position to decide that for your users. To decide against HTTPS is to decide for every user you serve that they don't require their data to be handled securely, but do you really know how that might affect all your users individually? The answer is no. Furthermore, do you know that the information your server sends out is the same as what your users are downloading? Again, the answer is no. Middlemen may be injecting ads or malware into your pages, changing your content, tracking your users, and you'll never even know it. It's fine if you don't care about any of that, and noone's actually forcing you to make the switch, but obviously that's going to reflect poorly on you in various ways.

See also: Here's Why Your Static Website Needs HTTPS [youtu.be]

without HTTPS, your pages can be modified on the fly, by hackers, if they compromised something between your server and the client accessing your site.

Good point, it does make sense to encrypt all traffic then.

Mine updated to 68.0.3440.75 yesterday.

Mine insists it’s up to date with 67.0.3396.87. Is it possible that, like Safari, Chrome is tied in with OS version, and 10.9* won’t go past Chrome/67?


* I am NEVER “upgrading” my OS again. Every time I do so, I lose some functionalities I’d come to rely on.

Is it possible that, like Safari, Chrome is tied in with OS version, and 10.9* won’t go past Chrome/67?

Apparently so. [productforums.google.com]

_{Edit: had to update the link because the # in the URL throws off the WebmasterWorld redirector. I'd also like to take this opportunity to vent my frustration with the Google forums, an infuriatingly slow, Google-unworthy ghastly beast of a product.}

Heh. They must not have discovered the problem until after I'd moved from 65 to 66 ... and then again from 66 to 67. (Admittedly, it may well have been a single jump from, say, 52 to 67. I don’t use Chrome very often.)

I spent a year "training" returning site visitors from around the World about the fact that their browsers does not support HTTPS on this one site. Home Page was available as None-HTTPS with a big red message that the rest of the site is not accessible with older browser versions. Flipped the switch last week. It takes time.

I'm using the free SSL from CloudFlare, haven't had any issues with that. It does require a little configuration, but people should go for it since it's free anyway and it benefits SEO as well as security.

It does require a little configuration

And consequently proxying all your traffic through their servers...

...which is fine if that benefits you in other ways, but not so much for just enabling HTTPS.

...which is fine if that benefits you in other ways, but not so much for just enabling HTTPS

Agreed.

Sticking a CDN (like CloudFlare) in front of your site and using their TLS certificate & URL forwarding to avoid actually editing your pages is *not* an efficient method of making your site secure. In affect, your site is *not* secure, only the front-facing servers.

In affect, your site is *not* secure, only the front-facing servers.

So, my webhost supplies free SSL with Plesk, am I ok or are some of you saying that there is something wrong with this?

All my sites are brochureware, nothing ecommerce, do I need to be questioning what I have or is this "merely pedantics"?

Everything looks fine for my SERPs.

Oh, and BTW, I am seeing loads of sites ranking well with "Not Secure"!

@lucy24 - If you launch Chrome, then from the "Customize and Control Chrome: (the three vertical dots upper-right) choose "Help" then choose "About Google Chrome" this will sometimes jump-start an update.

I see: Chrome Version 68.0.3440.75 (Official Build) (64-bit) probably updated in the last couple days.

@RedBar - you quoted out of context. If your pages are secure (all links HTTPS) and your security certificate validates for your pages & all files, then your site is considered "secure."

Oh, and BTW, I am seeing loads of sites ranking well with "Not Secure"!

I don't see that... far from it.

from the "Customize and Control Chrome: (the three vertical dots upper-right) choose "Help" then choose "About Google Chrome" this will sometimes jump-start an update.

Yes, this is a somewhat convoluted way of reaching the same “about” box that is accessible directly from the Chrome menu. Either way, it names the version number, makes a quick visit to headquarters, and then declares that I'm up to date.

Their web page [google.com] says flatly “This computer will no longer receive Google Chrome updates because Mac OS X 10.6 - 10.9 are no longer supported”. You can’t even download it manually; I tried (using the only visible Download button, as I couldn't find a list of successive versions) and it gave me ... Chrome 65.

:: irritably imagining an auto repair shop refusing to work on vehicles older than 5 years ::

Edit: Would someone care to post a screenshot so we can see what we're missing?

Yes, this is a somewhat convoluted way of reaching the same “about” box that is accessible directly from the Chrome menu.

It *is* "directly from the Chrome menu" but anyway, if an update is available, that usually works but if your OS is that intransigent, sorry.

You're not missing much. Instead of the green lock icon along with "Secure" aside the URL, a grey info icon along with "Not secure" is displayed. The screenshots are here: [blog.google...]

However, for over a month I've seen some pages/sites get a huge red warning overlay, blocking access. This is likely something additional causing this. Maybe the page has been reported for malice.

It *is* "directly from the Chrome menu"

I meant the Chrome menu (by that name) in the ordinary menu bar which is visible and directly accessible all the time, rather than in a sub-sub-menu hidden behind the three dots.

In any case, the beginning of this thread made it sound as if there would be some kind of warning directly in the SERP, before you get as far as the offending page--which doesn't seem to be the case?

the beginning of this thread made it sound as if there would be some kind of warning directly in the SERP, before you get as far as the offending page--which doesn't seem to be the case?

I agree.

The Title of this thread:

Google "HTTP Not Secure" Warnings Start

...is misleading. It is not Google (SERP) that is displaying the warning (yet.)

It is the Chrome browser, as Engine posted in the OP:

HTTP not secure warning in Chrome

I meant the Chrome menu (by that name) in the ordinary menu bar

Only Mac has this, keyplyr is probably on Windows, where the "convoluted way" is the only way :-)

Oh, and BTW, I am seeing loads of sites ranking well with "Not Secure"!

I don't see that... far from it.

I see both, it doesn't really seem to matter much at this point. You don't need HTTPS for ranking purposes, it's beside the point, but if subtly instilling the fear of losing rankings is what it takes to get the "SEO-mindful" masses to make the switch, that's fine by me really. With time you'll see more and more HTTPS in prime positions because more sites have enabled HTTPS, not because they've been rewarded by the algorithm. (HTTP is already a minority, traffic-wise).