Forum Moderators: Robert Charlton & goodroi

Google Chrome "HTTP Not Secure" Warnings Start

         

engine

9:22 am on Jul 25, 2018 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



We've all been well aware of the coming of the HTTP not secure warning in Chrome. Well, it's now rolling out, and I'm sure there's going to be some confusion amongst consumers, and some frustration from site owners that haven't switched, either because they don't process any data, or don't have the funds to make the change: I know of quite a few that run on a shoestring budget. Oh, btw, if you're processing a user's data, such as in banking, etc., it's essential.

I still believe it's an over-the-top alert - it should just have been "secure" or nothing, imho.

[blog.google...]

ChanandlerBong

8:19 am on Aug 1, 2018 (gmt 0)

10+ Year Member Top Contributors Of The Month



It's an extremely dangerous and slippery path that browsers are taking now, quite simply they are doing a job that is not theirs to do.

A malware site, a fake bank, a data hoovering site, all now being triumphantly called SECURE by google.

I've seen everyday users actually say "and you know they're not ripping you off, look there's the padlock"

They've stepped into territory they had no right to go into.

keyplyr

8:35 am on Aug 1, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



A malware site, a fake bank, a data hoovering site, all now being triumphantly called SECURE by google.
Please don't post URLs, but if you've verified this, which sites has Google said are secure but are malware, fake banks & a data hoovering site?

I think you're missing the point. With TLS your *connection* is secure. This does not protect you from making stupid decisions.

No security will stop people from using their birthdate as their password or stop them from giving their bank account info to Nigerian Princes.

But we can make the transfer of data a bit more secure.

ChanandlerBong

11:05 am on Aug 1, 2018 (gmt 0)

10+ Year Member Top Contributors Of The Month



G calls them "secure" just because they've got a free Let's Encrypt cert. That's the point, you and I know what that really means, your average Joe sees "secure" and thinks, "oh great, this isn't a rip off site".

tl;dr It's not google's job to label sites secure or insecure when the use of those words, widely misunderstood, can create a very false impression.

motionz

12:09 pm on Aug 1, 2018 (gmt 0)

10+ Year Member



I don't get it at all. Say a site which is quite simple with just a blog in it. And it uses only an email subscription window which asks for the name and email address. Now according to Google the site has to add an SSL certificate. I mean why? The site doesn't need your banking information or your home address or not even your phone number. Then why pressurize the site owner to spend more money which on the contrary isn't making much profit after paying the hosting and domain renewal bills.

Now, here comes the fun fact, a site which is well known and reputable is considered as a threat by showing 'Not Secure' sign because it doesn't have SSL installed. And another site which is used by the site owner just to capture some email leads and sell it to people who have no idea about what they are buying is safe, why? Because the latter site is using the so called Let's Encrypt's free SSL.

@ChanandlerBong, I completely agree with you mate. It's neither their place nor field to take actions.

robzilla

3:35 pm on Aug 1, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



What's the point of arguing over the "Secure" label when it's scheduled to disappear in Chrome 69, due to be released in September? The "Secure" label will be gone, the lock will turn grey, and HTTPS will be the standard. We're in a transition phase. And I hope you're not going to try to argue that HTTP is as secure as HTTPS. Or that a free certificate from Let's Encrypt is less valuable than any other DV certificate just because it's free.

email subscription window which ask for the name and email address

You're saying names and e-mail addresses are not worth protecting? I think your users might disagree. But most webmasters opposing HTTPS are not thinking of their users, they're thinking of the "hassle" involved for them. You should be excited, for the Web, for the protection of users (yourself included), for the opportunity to employ HTTP/2, etc.

NickMNS

3:57 pm on Aug 1, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I don't get it at all.

That much is clear from your post. And that is the real issue. If you as a webmaster do not get it, how can one expect the average user to get it?

But with that said, it is important to get it, to understand why TLS is important for all websites. From your example:
Say a site which is quite simple with just a blog in it. And it uses only a email subscription window which ask for the name and email address. Now according to google the site has to add a SSL certificate. I mean why?


But forget about the forms or emails or anything, just take a simple blog. Currently if there is no TLS certificate (https:) Google will show it as not secure. Why?
Because an actor, malicious or not, maybe just greedy, can sneak in and see or manipulate the communication between your webserver and your user's computer. "But I have nothing to hide!" Say your blog shows ads. Your user is traveling and staying at a hotel and accessing your website using the hotel Wifi. The hotel can (and some do) strip out your ads from your pages and inject their own ads, thus robbing you of your ad revenue. You will have no way of knowing.

So you may not have anything to hide, you may not be transferring personal data, but you really have no way of knowing whether your users are seeing what you want them to see or seeing something completely different. So even if you run a basic blog your site should be secured with TLS. This has nothing to do with Google.

G calls them "secure" just because they've got a free Let's Encrypt cert.

As Robzilla mentioned, the fact that a certificate is free does not mean that it's less valuable. But what the availability of free certificates is, is one less excuse for webmasters not to secure their websites.

keyplyr

6:35 pm on Aug 1, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Why HTTPS Matters [developers.google.com]

smwebsol

1:47 am on Aug 3, 2018 (gmt 0)

5+ Year Member



This is a way to dig users away from unencrypted sites. Users will be warned that the http site they are accessing is not secure, which might scare people to navigate on your site. I think they are trying to endorse https since it's secure.

keyplyr

3:08 am on Aug 3, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Hello smwebsol and welcome to WebmasterWorld [webmasterworld.com]

This is a way to dig users away from unencrypted sites, users will be warned that the http site they are access is not secure might scare people to navigate on your site. I think they are trying to endorse https since its secure.
Absolutely.

keyplyr

7:55 am on Aug 5, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



You don't need HTTPS for ranking purposes...
There was a ranking benefit promised for HTTPS sites early on. Sorry, I can't find the source, but it was discussed here several times.

I'm sure the ranking boost was subtle or it would have gained more attention.

robzilla

8:26 am on Aug 5, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Even the smallest suggestion that something could boost rankings is usually enough to get people jumping on the bandwagon. Still, it's probably part of the recipe; HTTPS is, after all, by definition a better user experience.

Broaster

4:12 am on Aug 15, 2018 (gmt 0)

5+ Year Member Top Contributors Of The Month



Why don't they just make this standard now, like when you started a website it's automatically HTTPS? Most people are not tech savvy and just do blogging, especially people who are mommy bloggers or focus more on typing articles. I'm surprised some host servers haven't provided this free and implemented it for them; it would lure more people to those hosts.

not2easy

4:38 am on Aug 15, 2018 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



In the first few posts, back on July 25, you can find out where and how to get that kind of hosting: hosts that offer Let's Encrypt FREE Security Certificates, with which anyone who can manage their site with a ControlPanel interface can set up a free certificate. The list of hosts is at the Let's Encrypt site, just need to click the link and read.

lucy24

4:15 pm on Aug 15, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I think he meant doing it by default without having to be asked, since the average website owner doesn’t know to ask. And sure, 10 years down the line that’s what will be happening.

EditorialGuy

10:07 pm on Aug 15, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



why dont they just make this standard now, like when you started a website its automatically HTTPS most people are not tech savvy and just do blogging, especially people who are mommy bloggers or focus more on typing articles, im surprised some host servers haven't provided this free and implement it for them it would lure more people to those hosts.

I think that's likely to happen pretty soon. As it is, anyone can sign up for a free CloudFlare account and get "Flexible SSL," which is brain-dead easy to implement and is plenty good enough for blogs and other content sites.

Andrew78

5:48 pm on Aug 17, 2018 (gmt 0)

5+ Year Member



I made the update to 68 on my Android, but I haven't been able so far to see this message. I see everything like it was previously. Anyone now in my situation?

vini project

12:04 pm on Aug 20, 2018 (gmt 0)

5+ Year Member



I believe it should be essential for banking, ecommerce or anything related to transactions. Google shouldn't apply this on information or education websites.

Dimitri

12:28 pm on Aug 20, 2018 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month



Do not forget that HTTPS is protecting the data sent from the client device (the visitor) to the server (hosting your site), ... BUT, it also protects the data that your server sends to the client. If hackers compromised any equipment between your server and the client, then they can inject malicious code into your pages.

Additionally:
- there are free-for-all TLS certificates (Let's Encrypt for example)
- nearly all, if not all, control panels can make the switch for you, by simply clicking a button (for those administrating their site using WYSIWYG panels)
- this also allows you to use HTTP/2, which has better performance than HTTP/1.1 (and the great feature which is the PUSH directive)

So I really do not see a reason not to make the switch.

aristotle

11:32 am on Aug 21, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Here's a message that Firefox has shown several times lately when I tried to visit pages on LARGE WELL-KNOWN HTTPS SITES:
Secure Connection Failed
An error occurred during a connection to www.example.com. SSL peer reports incorrect Message Authentication Code. Error code: SSL_ERROR_BAD_MAC_ALERT

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.

Please contact the website owners to inform them of this problem.
Learn more…
Report errors like this to help Mozilla identify and block malicious sites

So for an https site, it blocks you from seeing the page and gives a big warning instead.

Leosghost

12:20 pm on Aug 21, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Here's a message that Firefox has shown several times lately when I tried to visit pages on LARGE WELL-KNOWN HTTPS SITES:

(.....)
So for an https site, it blocks you from seeing the page and gives a big warning instead.

Bad / incorrect cert installation on those sites? Or a mix of "secure" and "unsecure" content? BBC is an egregious offender with the latter.

EditorialGuy

6:55 pm on Aug 21, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Re Firefox's error message: I got the message when I upgraded my Bitdefender antivirus software to the 2019 version. Although the message came from Firefox, it occurred because of the "Encrypted Web Scan" feature in Bitdefender 2019.

aristotle

7:52 pm on Aug 21, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Although the message came from Firefox, it occurred because of the "Encrypted Web Scan" feature in Bitdefender 2019.

Do you mean that you got that error message at every site you tried to visit?

In any case, I don't have any addon anti-virus software in my Firefox, so that wouldn't explain the error messages that I've seen.

lucy24

9:01 pm on Aug 21, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



or a mix of "secure" and "unsecure" content?
By default, Firefox (specifically) doesn't care about passive/static non-secure content (I forget the term they use, though I was reading their explanation only a day or two ago, figures)--things like http images on an https site. You'll see a different icon in the address bar, but no warnings.

Leosghost

9:13 pm on Aug 21, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I didn't know if the latest versions had changed that. What you describe is what my FF 51.0.1 does on "mixed content" (yellow padlock with a diagonal bar in red). I don't update it because some add-ons I have don't work with the new "improved" FF, and if used with all scripts blocked, as mine is, it is no less secure; in fact it is probably more secure than the supposedly more secure newer versions are "out of the box". And I'm running it on Linux (with additional "lock downs"); most malware tends to target win "something".

robzilla

8:46 am on Sep 5, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Here we go, the "Secure" label has now been dropped (in v69).

cr1m

9:30 am on Sep 5, 2018 (gmt 0)

5+ Year Member Top Contributors Of The Month



"Not secure" is still there though, which was the main topic here afaik.

robzilla

10:58 am on Sep 5, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



It's there, and it won't be going away anytime soon. You could argue that the "Secure" label was misleading, but there's no denying that HTTP, like FTP, telnet and many other protocols, is "Not secure".

aristotle

1:56 pm on Sep 5, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



This little "not secure" warning is so small and pale that hardly anyone notices it. My sites are still http, and there's still just as much visitor engagement now as there was before the warning was there.

Most people judge the trustworthiness of a site in other ways, such as the presence of spammy-looking content and ads, overall visual appearance, etc.

JS_Harris

8:34 pm on Sep 18, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I have a site that serves static pages and does not serve cookies or have any user interaction at all. I left this site as http because there isn't any reason to go https.

Chrome is not reporting an insecure connection. Also, for this 12 year old site it has not affected rankings in any way I can tell, traffic was even solid right through the recent major update and through all of the Panda and Penguin stuff too. High quality evergreen stuff and not product related, if that matters.

EditorialGuy

9:05 pm on Sep 18, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I have a site that serves static pages and does not serve cookies or have any user interaction at all. I left this site as http because there isn't any reason to go https.

I have a site that's similar (no static pages, no forms, no forums), but I switched to https because there was no reason not to.

Standards evolve, and https: is the new norm.