
Google Chrome Will Mark HTTP Sites Transmitting Passwords or Credit Cards as Non Secure

     
4:25 pm on Sep 8, 2016 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:24342
votes: 554


From January 2017, Google Chrome is going to mark HTTP sites that communicate passwords and/or credit card info as non-secure.

https://4.bp.blogspot.com/-rBbNGiLQzMw/V9CudVXYkjI/AAAAAAAAAWk/SIol_AChYQITBcYJ34xcGsC0a7_VP755gCLcB/s640/blog%2Bimage%2B1.png
Studies show that users do not perceive the lack of a “secure” icon as a warning, but also that users become blind to warnings that occur too frequently. Our plan to label HTTP sites more clearly and accurately as non-secure will take place in gradual steps, based on increasingly stringent criteria. Starting January 2017, Chrome 56 will label HTTP pages with password or credit card form fields as "not secure," given their particularly sensitive nature.

Google Chrome Will Mark HTTP Sites Transmitting Passwords or Credit Cards as Non Secure [security.googleblog.com]


https://3.bp.blogspot.com/-DG70U0Y-y9w/V9Cwuym53AI/AAAAAAAAAW0/6zO81T_hqWMjdAF_YYK7dfXV-26DL7OYACLcB/s400/blog%2Bimage%2B2.png
10:09 pm on Sept 8, 2016 (gmt 0)

Administrator from JP 

WebmasterWorld Administrator bill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:Oct 12, 2000
posts:14978
votes: 131


Some of the commentary headlines out there make it seem like this is Google pushing all sites to have HTTPS on all of their pages. Sending password credentials really should be done over a secure connection, so I doubt many will have issues with this.
4:00 am on Sept 9, 2016 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 16, 2005
posts:2648
votes: 85


It does fix the peculiarity that the average user is quite happy to type their password into an http page, but not into an https page that has an invalid certificate.

It is also possible that there are enough sites out there that accept passwords over http for users to become blind to this.
6:28 pm on Sept 13, 2016 (gmt 0)

Moderator from GB 

WebmasterWorld Administrator mack is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:June 15, 2001
posts:7649
votes: 28


Recent Chrome builds have started showing a fairly large warning whenever you submit anything over a non-secure connection. I ended up moving all my sites to https just to avoid this. Realistically there is no reason not to use https now.

Mack.
3:43 am on Sept 14, 2016 (gmt 0)

Administrator from JP 

WebmasterWorld Administrator bill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:Oct 12, 2000
posts: 14978
votes: 131


You moved the entire sites, or just the form submission areas?
12:04 am on Sept 15, 2016 (gmt 0)

Moderator from GB 

WebmasterWorld Administrator mack is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:June 15, 2001
posts:7649
votes: 28


I moved the entire sites to HTTPS. Probably not a must for now, but for me it made sense. I feel it is something we all need to do, so decided to bite the bullet and just go for it. In fairness, the entire process took less than an hour and I have seen no adverse traffic effects. I have forms on many pages, so for the end user, it makes sense to secure the site.

Mack.
12:43 am on Sept 15, 2016 (gmt 0)

Administrator from JP 

WebmasterWorld Administrator bill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:Oct 12, 2000
posts: 14978
votes: 131


I've been toying with the idea for several sites on shared hosting as a lot of the cPanel installs are starting to incorporate Let's Encrypt free certs. On my larger established sites on dedicated servers it would involve a lot more work to fully switch over. However, on those I've always had the forms on HTTPS anyway, so this change in Chrome isn't going to impact me either way.
2:40 pm on Sept 15, 2016 (gmt 0)

Moderator from GB 

WebmasterWorld Administrator mack is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:June 15, 2001
posts:7649
votes: 28


A bit more work on dedicated boxes, but for sites on shared hosting it's really just a few clicks.

Mack.
4:59 pm on Sept 15, 2016 (gmt 0)

New User

10+ Year Member

joined:Jan 14, 2007
posts:36
votes: 7


1. The most connection errors and timeouts I get are from https pages, especially on slow connections and on my mobile!
2. https pages are very error sensitive, you only need to have 1 (external) file on http and the browser tells you that the page is insecure! For sure there are many people who are not going to trust that, and not submit any info!
3. If you are having adsense on your site,... I would think twice before I go to https. Many people have reported big adsense losses when turning to https (from 20% to 70% loss). Mostly because many advertisers are not https prepared. This is for me the most important reason not to use https.

And now there are so many sites that use https, and at the same moment they put all kinds of external widgets (most are data-mining widgets, which in my eyes are spyware) and external analytics programs on their sites. Why secure your site if you give all the information to 3rd parties who are going to abuse that!

And I did not forget google saying that we need to have our sites mobile friendly, or we are going to lose a lot of traffic. So I have been spending 1 month to make all my pages, and especially my programs mobile friendly. With the great result that my mobile traffic is still the same (5%), and a loss of 30% of desktop traffic because of the loss of search-engine rankings. And that only because google wanted a bigger mobile friendly database.

I go to https when I think it's time for it, not because google wants it! And especially not when google forces me to do so!
8:19 pm on Sept 18, 2016 (gmt 0)

Senior Member from CA 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 25, 2003
posts:1045
votes: 218


I - probably - have no bone in this any more as I switched to HTTP/2 (with fallback to HTTP/1.1) two months ago.

The initial (January-2017) emphasis of bringing up the 'non-secure' from under the 'i' info icon for credit card takers! - really? - is obviously way way overdue; personally I'd plaster the page with a pop-up! Including simple non-secure log-in pages is OK if not as problematic.

The real kicker is the mention that somewhen down the line all HTTP connections will be brightly labelled as non-secure. This is not really necessary from a security/privacy rationale unless one is particularly paranoid; it is however, a good way to give a boot in the rear assist to move folks from HTTP/1.1 to HTTP/2 when that is considered sufficiently beneficial with regards to bandwidth, connectivity, and render speed.


For those not aware of the change some browsers have already replaced address bar favicons with either the 'lock' icon of a secure connection or an 'i' info icon. In FF:
* hovering the 'i' icon displays: 'show site information'.
* clicking displays: www.example.com
and in red: Connection is not Secure
* clicking the associated arrow displays: [ the foregoing plus ] Your connection to this site is not private. Information you submit could be viewed by others (like passwords, messages, credit cards, etc.).

The push to HTTPS is here a nudge, there a wink. And in January, a shot across the bow.

And may it not hit you as it is currently bludgeoning Target and Macy's:

Your connection is not secure

The owner of [ target.com | macys.com ] has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.
...
[ target.com | macys.com ] uses an invalid security certificate. The certificate is only valid for the following names: a248.e.akamai.net, *.akamaized.net, *.akamaihd-staging.net, *.akamaihd.net, *.akamaized-staging.net

Oops.

System

11:30 pm on Sept 18, 2016 (gmt 0)

redhat

 
 


The following message was cut out to new thread by engine. New thread at: google_chrome/4818986.htm [webmasterworld.com]
12:23 pm on Sep 19, 2016 (utc +1)
1:10 am on Jan 11, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:8917
votes: 404


As promised for January 2017, Google's Chrome desktop browser now displays either the green Secure and the lock icon for secure web sites or the gray circle info icon in the address bar for non-secure web sites.

Google's Chrome mobile browser displays the green lock and https for secure sites and just the www... for non-secure sites.

Google & Bing SERP have been displaying the site URLs as https://www... for secure sites and just www.... for non-secure sites for several weeks.

So it has begun. Wonder when the next phase with the red warning will begin?

The icons are explained here: [support.google.com...]
7:18 am on Jan 23, 2017 (gmt 0)

Full Member

5+ Year Member Top Contributors Of The Month

joined:June 18, 2012
posts:341
votes: 1


Got a message in Google Search Console yesterday saying Google will mark pages that collect passwords or credit card details as “Not Secure” unless the pages are served over HTTPS. It says 'beginning in Jan 2017' while it only arrived yesterday and there was this active thread on Webmasterworld from Sep. So, just wondering if anybody got such a message and noticed the warning live in Chrome. Here's the screenshot of the message - [screencast.com...]

So, do you think this Chrome warning will be an overlay window like the one Chrome displays on malicious URLs currently or it will just add 'x' mark in the address bar on the left? Thanks!
9:49 am on Jan 23, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:8917
votes: 404


shaunm, look for yourself, it's been live for a couple of weeks (see my post above yours.)

There will be several stages of implementation, eventually showing warnings for all sites not HTTPS.
10:14 am on Jan 23, 2017 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:10887
votes: 72


also note this more recent thread.

Nonsecure Collection of Passwords will trigger warnings in Chrome 56 - Webmaster General forum at WebmasterWorld:
https://www.webmasterworld.com/webmaster/4830145.htm [webmasterworld.com]
10:38 am on Jan 23, 2017 (gmt 0)

Full Member

5+ Year Member Top Contributors Of The Month

joined:June 18, 2012
posts:341
votes: 1


Thanks @keyplyr

So, this round info icon at the beginning of my URL in the address bar, is that the warning? What does the next phase of updates include, an overlay window blocking the view?!

Edit:
Wasn't the round info icon there all the time on all http sites, no matter whether it includes password fields or not?! I'm confused.
10:44 am on Jan 23, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:8917
votes: 404


As discussed earlier, eventually all sites not HTTPS will get a not-secure warning... the red triangle.

Links explained here: [support.google.com...]
10:53 am on Jan 23, 2017 (gmt 0)

Full Member

5+ Year Member Top Contributors Of The Month

joined:June 18, 2012
posts:341
votes: 1


eventually all sites not HTTPS will get a not-secure warning... the red triangle.
Is that really the case for all HTTP sites or the ones with password fields? I don't really see a reason for Chrome to display the red triangle on HTTP sites that don't have any input fields?!
10:58 am on Jan 23, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:8917
votes: 404


Starting with password sites but eventually all sites

This is what Google has said. They are championing the push to make all sites on the internet secure.

.
11:13 am on Jan 23, 2017 (gmt 0)

Full Member

5+ Year Member Top Contributors Of The Month

joined:June 18, 2012
posts:341
votes: 1


Just correct me if I'm wrong. There are four types of address bar notifications that Google is planning to push or has been doing already from the Google link you shared.

Secure - Green Lock Icon: HTTPS site with all HTTPS external links
Info - Gray Round Info Icon: HTTP sites without input fields
Not Secure - Red Triangle Icon: HTTP sites with input fields
Dangerous - Red Triangle Icon: HTTP (Or even HTTPS) sites found to be malicious which might also include an input field

This is how I perceived it and I know I can be entirely wrong. But, why should there be an 'Info Icon' if it's going to mark everything with a Red Triangle on the Google link? Thanks for the clarifications. Much appreciated!
11:29 am on Jan 23, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:8917
votes: 404


As previously discussed, all this will come in stages. We are in the 1st stage. Things will change.

Only Google knows what icons will stay and what icons will be temporary. No other info is available at this time AFAIK.
11:58 am on Jan 23, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:8917
votes: 404


Found this at Google Developers Groups:
Long term - Use HTTPS everywhere
Eventually, Chrome will show a Not Secure warning for all pages served over HTTP, regardless of whether or not the page contains sensitive input fields. Even if you adopt one of the more targeted resolutions above, you should plan to migrate your site to use HTTPS for all pages.

[developers.google.com...]
12:54 pm on Jan 23, 2017 (gmt 0)

Full Member

5+ Year Member Top Contributors Of The Month

joined:June 18, 2012
posts:341
votes: 1


Thanks. Not so happy to hear that. It made sense when it displayed the not secure warning on https pages with http links on it though.
 
