Welcome to WebmasterWorld Guest from 54.80.87.166

Forum Moderators: Robert Charlton & goodroi

Google Chrome "HTTP Not Secure" Warnings Start

     
9:22 am on Jul 25, 2018 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:25606
votes: 771


We've all been well aware of the coming of HTTP not secure warning in Chrome. Well, it's now rolling out, and i'm sure there's going to be some confusion amongst consumers, and some frustration from site owners that haven't switched, either because they don't process any data, or don't have the funds to make the change: I know of quite a few that run on a shoestring budget. Oh, btw, if you're processing a users data, such as in banking, etc., it's essential.

I still believe it's an over-the-top alert - it should just have been "secure" or nothing, imho.

[blog.google...]
12:44 pm on July 25, 2018 (gmt 0)

Preferred Member

10+ Year Member Top Contributors Of The Month

joined:Feb 5, 2004
posts: 476
votes: 44


Most hosts do offer SSL for free but I do agree with you. Sites like those business brochure type sites (even with a simple contact form) that do not request any information from the visitor do not need to use https.

Also to most users labeling a site "Secure" like Chrome does now leads them to believe that the site is completely 100% secure. They have no idea that it is just referring to the type of protocol it uses to transport the data back and forth between their browser and the web server.

There are many ways the site could be unsecure and leak data to outside source including:

- buggy code
- not using HTTPS for data the website needs from other sources
- site has been hacked
- storing user personal data unencrypted
- and the list could go on....
3:47 pm on July 25, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:1947
votes: 320


Chrome does now leads them to believe that the site is completely 100% secure. They have no idea that it is just referring to the type of protocol it uses to transport the data back and forth between their browser and the web server.

I do agree, but this should only be temporary, as Chrome will be dropping the "Secure" label down the line.

Most hosts do offer SSL for free

Many, I hope, but some large hosts have still decided to use this as a scare tactic, upselling their customers with pricey certificates that have no benefits over free ones.
4:23 pm on July 25, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15176
votes: 679


Still waiting for a definitive answer on this one: will the warning apply to all http URLs, or only to https URLs that do not in fact have a security certificate in place? (Analogous to FF's long-standing infuriating messsage about the site being “configured incorrectly”, which is most charitably described as a lie.)
5:02 pm on July 25, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:1947
votes: 320


What you're describing is an interstitial, this is "just" a "Not secure" warning in the address bar for all HTTP URLs. I don't think we'll be seeing an interstitial type warning for that for quite some time.
9:17 pm on July 25, 2018 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12776
votes: 874


Related discussions:

Have we seen the promised warning when the site is not secure? [webmasterworld.com]

What Will Happen if I Don't Switch to HTTPS? [webmasterworld.com]

Downsides of not using HTTPS [webmasterworld.com]

Why HTTPS Matters [developers.google.com]

Lets Encrypt FREE Security Certificates [letsencrypt.org]

- - -
3:10 am on July 26, 2018 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:11430
votes: 170


I still believe it's an over-the-top alert - it should just have been "secure" or nothing, imho.

it should have been more accurately labeled "(non) encrypted".
10:05 am on July 26, 2018 (gmt 0)

Preferred Member

Top Contributors Of The Month

joined:Nov 13, 2016
posts:596
votes: 89


it should have been more accurately labeled "(non) encrypted".

But does the average Joe knows what it means to "encrypted" ?
10:11 am on July 26, 2018 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12776
votes: 874


Probably not, but I agree with phranque that the term "secure" is misleading the user to think the site is safe from all threats.
10:13 am on July 26, 2018 (gmt 0)

Preferred Member

Top Contributors Of The Month

joined:Nov 13, 2016
posts:596
votes: 89


In all events, it's only a transition period. In a near future, access to non HTTPS site will be blocked, or at least a big message will show up asking an explicit approval by the visitor to access it. (same kind of message as when a TLS certificate is not valid)
11:37 am on July 26, 2018 (gmt 0)

New User

joined:July 24, 2018
posts: 5
votes: 1


I guess the SSL just encrypts the your submitted data on the browser. But if the site have suspicious code. Google will still warn you. SSL is just making your password and PIN secure. Hacker wont get your confidential information.
1:43 pm on July 26, 2018 (gmt 0)

Preferred Member

Top Contributors Of The Month

joined:Nov 13, 2016
posts:596
votes: 89


I guess the SSL just encrypts the your submitted data on the browser. But if the site have suspicious code. Google will still warn you. SSL is just making your password and PIN secure. Hacker wont get your confidential information.

"TLS" encrypts the data exchanged between the server and the client, so both the data sent from the client to the server, and the data received from the server by the client are encrypted. This prevent Man-in-the-middle attack for example. This is important , because encrypting your login credentials is one thing, but its also important that the data served be encrypted too. The data sent by the server (pages) can contain confidential information, etc... and without TLS, a hacker, can intercept these information, and can also modify them on the fly.
5:19 pm on July 26, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15176
votes: 679


Well, I guess one of these days they’ll roll out the new Mac version and then we’ll see what all the excitement is about. (Currently 67.lots-of-decimals, “up to date”.)
12:49 pm on July 27, 2018 (gmt 0)

Preferred Member

Top Contributors Of The Month

joined:Nov 13, 2016
posts:596
votes: 89


"TLS"

Without HTTPS, your pages can be modified on the fly, by hackers, if they compromised something between your server and the client accessing your site. They can inject malicious code for example.


[edited by: Robert_Charlton at 4:52 am (utc) on Jul 28, 2018]
[edit reason] Removed reference to earlier post that's gotten deleted. [/edit]

1:33 pm on July 27, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:1947
votes: 320


(Currently 67.lots-of-decimals, “up to date”.)

Mine updated to 68.0.3440.75 yesterday.

My Website doesn't have any information to secure it and we are accepting of information from the users.

I once subscribed to that opinion, when I was still naively and blissfully unaware of all the nefarious possibilities that unencrypted communication opens you up to. It was a self-centered perspective. Now I'm convinced there's really no excuse for not protecting the privacy of your users and the integrity of your website.

It's a popular opinion that static, purely informative websites don't need encryption, but really you're not in a position to decide that for your users. To decide against HTTPS is to decide for every user you serve that they don't require their data to be handled securely, but do you really know how that might affect all your users individually? The answer is no. Furthermore, do you know that the information your server sends out is the same as what your users are downloading? Again, the answer is no. Middlemen may be injecting ads or malware into your pages, changing your content, tracking your users, and you'll never even know it. It's fine if you don't care about any of that, and noone's actually forcing you to make the switch, but obviously that's going to reflect poorly on you in various ways.

See also: Here's Why Your Static Website Needs HTTPS [youtu.be]
6:10 pm on July 27, 2018 (gmt 0)

Preferred Member

10+ Year Member Top Contributors Of The Month

joined:Feb 5, 2004
posts: 476
votes: 44


without HTTPS, your pages can be modified on the fly, by hackers, if they compromised something between your server and the client accessing your site.


Good point, it does make sense to encrypt all traffic then.
7:01 pm on July 27, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15176
votes: 679


Mine updated to 68.0.3440.75 yesterday.
Mine insists it’s up to date with 67.0.3396.87. Is it possible that, like Safari, Chrome is tied in with OS version, and 10.9* won’t go past Chrome/67?


* I am NEVER “upgrading” my OS again. Every time I do so, I lose some functionalities I’d come to rely on.
9:39 pm on July 27, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:1947
votes: 320


Is it possible that, like Safari, Chrome is tied in with OS version, and 10.9* won’t go past Chrome/67?

Apparently so. [productforums.google.com]

Edit: had to update the link because the # in the URL throws off the WebmasterWorld redirector. I'd also like to take this opportunity to vent my frustration with the Google forums, an infuriatingly slow, Google-unworthy ghastly beast of a product.
12:50 am on July 28, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15176
votes: 679


Heh. They must not have discovered the problem until after I'd moved from 65 to 66 ... and then again from 66 to 67. (Admittedly, it may well have been a single jump from, say, 52 to 67. I don’t use Chrome very often.)
1:33 pm on July 29, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2004
posts:1963
votes: 65


I spent a year "training" returning site visitors from around the World about the fact that their browsers does not support HTTPS on this one site. Home Page was available as None-HTTPS with a big red message that the rest of the site is not accessible with older browser versions. Flipped the switch last week. It takes time.
8:28 pm on July 29, 2018 (gmt 0)

New User from DE 

joined:May 23, 2018
posts:10
votes: 1


I'm using the free SSL from CloudFlare, haven't had any issues with that. It does require a little configuration, but people should go for it since it's free anyway and it benefits SEO as well as security.
10:34 pm on July 29, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:1947
votes: 320


It does require a little configuration

And consequently proxying all your traffic through their servers...

...which is fine if that benefits you in other ways, but not so much for just enabling HTTPS.
11:32 pm on July 29, 2018 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12776
votes: 874


...which is fine if that benefits you in other ways, but not so much for just enabling HTTPS
Agreed.

Sticking a CDN (like CloudFlare) in front of your site and using their TLS certificate & URL forwarding to avoid actually editing your pages is *not* an efficient method of making your site secure. In affect, your site is *not* secure, only the front-facing servers.
12:00 am on July 30, 2018 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member redbar is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Oct 14, 2013
posts:3014
votes: 424


In affect, your site is *not* secure, only the front-facing servers.


So, my webhost supplies free SSL with Plesk, am I ok or are some of you saying that there is something wrong with this?

All my sites are brochureware, nothing ecommerce, do I need to be questioning what I have or is this "merely pedantics"?

Everything looks fine for my SERPs.

Oh, and BTW, I am seeing loads of sites ranking well with "Not Secure"!
1:03 am on July 30, 2018 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12776
votes: 874


@lucy24 - If you launch Chrome, then from the "Customize and Control Chrome: (the three vertical dots upper-right) choose "Help" then choose "About Google Chrome" this will sometimes jump-start an update.

I see: Chrome Version 68.0.3440.75 (Official Build) (64-bit) probably updated in the last couple days.

@RedBar - you quoted out of context. If your pages are secure (all links HTTPS) and your security certificate validates for your pages & all files, then your site is considered "secure."
Oh, and BTW, I am seeing loads of sites ranking well with "Not Secure"!
I don't see that... far from it.
1:41 am on July 30, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15176
votes: 679


from the "Customize and Control Chrome: (the three vertical dots upper-right) choose "Help" then choose "About Google Chrome" this will sometimes jump-start an update.
Yes, this is a somewhat convoluted way of reaching the same “about” box that is accessible directly from the Chrome menu. Either way, it names the version number, makes a quick visit to headquarters, and then declares that I'm up to date.

Their web page [google.com] says flatly “This computer will no longer receive Google Chrome updates because Mac OS X 10.6 - 10.9 are no longer supported”. You can’t even download it manually; I tried (using the only visible Download button, as I couldn't find a list of successive versions) and it gave me ... Chrome 65.

:: irritably imagining an auto repair shop refusing to work on vehicles older than 5 years ::

Edit: Would someone care to post a screenshot so we can see what we're missing?
2:04 am on July 30, 2018 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12776
votes: 874


Yes, this is a somewhat convoluted way of reaching the same “about” box that is accessible directly from the Chrome menu.
It *is* "directly from the Chrome menu" but anyway, if an update is available, that usually works but if your OS is that intransigent, sorry.

You're not missing much. Instead of the green lock icon along with "Secure" aside the URL, a grey info icon along with "Not secure" is displayed. The screenshots are here: [blog.google...]

However, for over a month I've seen some pages/sites get a huge red warning overlay, blocking access. This is likely something additional causing this. Maybe the page has been reported for malice.
4:04 am on July 30, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15176
votes: 679


It *is* "directly from the Chrome menu"
I meant the Chrome menu (by that name) in the ordinary menu bar which is visible and directly accessible all the time, rather than in a sub-sub-menu hidden behind the three dots.

In any case, the beginning of this thread made it sound as if there would be some kind of warning directly in the SERP, before you get as far as the offending page--which doesn't seem to be the case?
4:54 am on July 30, 2018 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12776
votes: 874


the beginning of this thread made it sound as if there would be some kind of warning directly in the SERP, before you get as far as the offending page--which doesn't seem to be the case?
I agree.

The Title of this thread:
Google "HTTP Not Secure" Warnings Start
...is misleading. It is not Google (SERP) that is displaying the warning (yet.)

It is the Chrome browser, as Engine posted in the OP:
HTTP not secure warning in Chrome
9:02 am on July 30, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:1947
votes: 320


I meant the Chrome menu (by that name) in the ordinary menu bar

Only Mac has this, keyplyr is probably on Windows, where the "convoluted way" is the only way :-)

Oh, and BTW, I am seeing loads of sites ranking well with "Not Secure"!

I don't see that... far from it.

I see both, it doesn't really seem to matter much at this point. You don't need HTTPS for ranking purposes, it's beside the point, but if subtly instilling the fear of losing rankings is what it takes to get the "SEO-mindful" masses to make the switch, that's fine by me really. With time you'll see more and more HTTPS in prime positions because more sites have enabled HTTPS, not because they've been rewarded by the algorithm. (HTTP is already a minority, traffic-wise).
This 61 message thread spans 3 pages: 61
 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

Featured Threads

Free SEO Tools

Hire Expert Members