
Google Chrome Will Mark HTTP Sites Transmitting Passwords or Credit Cards as Non Secure

     
4:25 pm on Sep 8, 2016 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:23668
votes: 435


From January 2017, Google Chrome is going to mark HTTP sites that communicate passwords and/or credit card info as non-secure.

https://4.bp.blogspot.com/-rBbNGiLQzMw/V9CudVXYkjI/AAAAAAAAAWk/SIol_AChYQITBcYJ34xcGsC0a7_VP755gCLcB/s640/blog%2Bimage%2B1.png
Studies show that users do not perceive the lack of a “secure” icon as a warning, but also that users become blind to warnings that occur too frequently. Our plan to label HTTP sites more clearly and accurately as non-secure will take place in gradual steps, based on increasingly stringent criteria. Starting January 2017, Chrome 56 will label HTTP pages with password or credit card form fields as "not secure," given their particularly sensitive nature.

Google Chrome Will Mark HTTP Sites Transmitting Passwords or Credit Cards as Non Secure [security.googleblog.com]


https://3.bp.blogspot.com/-DG70U0Y-y9w/V9Cwuym53AI/AAAAAAAAAW0/6zO81T_hqWMjdAF_YYK7dfXV-26DL7OYACLcB/s400/blog%2Bimage%2B2.png
10:09 pm on Sept 8, 2016 (gmt 0)

Administrator from JP 

WebmasterWorld Administrator bill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:Oct 12, 2000
posts:14923
votes: 120


Some of the commentary headlines out there make it seem like this is Google pushing all sites to have HTTPS on all of their pages. Sending password credentials really should be done over a secure connection, so I doubt many will have issues with this.
4:00 am on Sept 9, 2016 (gmt 0)

Senior Member from LK 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 16, 2005
posts:2603
votes: 63


It does fix the peculiarity that the average user is quite happy to type their password into an http page, but not into an https page that has an invalid certificate.

It is also possible that there are enough sites out there that accept passwords over http for users to become blind to this.
6:28 pm on Sept 13, 2016 (gmt 0)

Moderator from GB 

WebmasterWorld Administrator mack is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:June 15, 2001
posts:7626
votes: 23


Recent Chrome builds have started showing a fairly large warning whenever you submit anything over a non-secure connection. I ended up moving all my sites to https just to avoid this. Realistically there is no reason not to use https now.

Mack.
3:43 am on Sept 14, 2016 (gmt 0)

Administrator from JP 

WebmasterWorld Administrator bill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:Oct 12, 2000
posts: 14923
votes: 120


You moved the entire sites, or just the form submission areas?
12:04 am on Sept 15, 2016 (gmt 0)

Moderator from GB 

WebmasterWorld Administrator mack is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:June 15, 2001
posts:7626
votes: 23


I moved the entire sites to HTTPS. Probably not a must for now, but for me it made sense. I feel it is something we all need to do, so decided to bite the bullet and just go for it. In fairness, the entire process took less than an hour and I have seen no adverse traffic effects. I have forms on many pages, so for the end user, it makes sense to secure the site.

Mack.
12:43 am on Sept 15, 2016 (gmt 0)

Administrator from JP 

WebmasterWorld Administrator bill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:Oct 12, 2000
posts: 14923
votes: 120


I've been toying with the idea for several sites on shared hosting, as a lot of the cPanel installs are starting to incorporate Let's Encrypt free certs. On my larger established sites on dedicated servers it would involve a lot more work to fully switch over. However, on those I've always had the forms on HTTPS anyway, so this change in Chrome isn't going to impact me either way.
2:40 pm on Sept 15, 2016 (gmt 0)

Moderator from GB 

WebmasterWorld Administrator mack is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:June 15, 2001
posts:7626
votes: 23


A bit more work on dedicated boxes, but for sites on shared hosting it's really just a few clicks.

Mack.
4:59 pm on Sept 15, 2016 (gmt 0)

New User

10+ Year Member

joined:Jan 14, 2007
posts:33
votes: 4


1. Most of the connection errors and timeouts I get are from https pages, especially on slow connections and on my mobile!
2. https pages are very error sensitive: you only need to have 1 (external) file on http and the browser tells you that the page is insecure! For sure there are many people who are not going to trust that, and will not submit any info!
3. If you have AdSense on your site,... I would think twice before going to https. Many people have reported big AdSense losses when turning to https (from 20% to 70% loss). Mostly because many advertisers are not https prepared. This is for me the most important reason not to use https.

And now there are so many sites that use https, and at the same time they put all kinds of external widgets (most are data-mining widgets, which in my eyes are spyware) and external analytics programs on their sites. Why secure your site if you give all the information to 3rd parties who are going to abuse it!

And I did not forget Google saying that we need to have our sites mobile friendly, or we are going to lose a lot of traffic. So I spent 1 month making all my pages, and especially my programs, mobile friendly. With the great result that my mobile traffic is still the same (5%), and a loss of 30% of desktop traffic because of the loss of search-engine rankings. And that only because Google wanted a bigger mobile friendly database.

I go to https when I think it's time for it, not because Google wants it! And especially not when Google forces me to do so!
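
An added example, not part of any post in this thread: a small Python audit that flags the two page conditions discussed above, password or credit card fields on a page served over HTTP (the Chrome 56 rule quoted in the first post) and `http://` subresources on an HTTPS page (point 2 in the post above). The `shop.example` and `cdn.example` hosts and the sample HTML are constructed, and recognising card fields by `cc-*` autocomplete tokens is an assumption of this sketch, not Chrome's own detection logic.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
# Tags whose attribute loads a subresource (a deliberately small subset).
SUBRESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

class FormAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_is_http = urlsplit(page_url).scheme == "http"
        self.findings = []
    def _is_http(self, ref):
        # Resolve relative and protocol-relative references against the page URL.
        return urlsplit(urljoin(self.page_url, ref)).scheme == "http"

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input" and self.page_is_http:
            is_pw = a.get("type", "").lower() == "password"
            # Assumption: card fields are recognised by "cc-*" autocomplete tokens.
            is_cc = any(t.startswith("cc-") for t in a.get("autocomplete", "").lower().split())
            if is_pw or is_cc:
                kind = "password" if is_pw else "credit-card"
                self.findings.append(("sensitive-field-on-http", kind, a.get("name", "")))
        elif tag == "form" and self._is_http(a.get("action", "")):
            # An empty action submits to the page's own URL, which urljoin returns.
            self.findings.append(("form-posts-to-http", a.get("action", "")))
        elif tag in SUBRESOURCE_ATTRS and not self.page_is_http:
            if tag == "link" and "stylesheet" not in a.get("rel", "").lower():
                return  # e.g. rel="canonical" names a URL but loads nothing
            ref = a.get(SUBRESOURCE_ATTRS[tag], "")
            if ref and self._is_http(ref):
                self.findings.append(("mixed-content", tag, ref))

def audit(page_url, html):
    parser = FormAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample pages (hosts are placeholders).
LOGIN = '<form action="/login"><input name="user"><input type="password" name="pw"></form>'
CHECKOUT = ('<script src="http://cdn.example/w.js"></script>'
            '<link rel="canonical" href="http://shop.example/checkout">'
            '<form action="https://shop.example/pay"><input autocomplete="cc-number" name="card"></form>')

if __name__ == "__main__":
    print(audit("http://shop.example/login", LOGIN))
    print(audit("https://shop.example/checkout", CHECKOUT))
```

The same login markup produces no findings when the page URL is `https://`, because the relative form action then resolves to HTTPS.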
8:19 pm on Sept 18, 2016 (gmt 0)

Senior Member from CA 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 25, 2003
posts:982
votes: 162


I - probably - have no bone in this any more as I switched to HTTP/2 (with fallback to HTTP/1.1) two months ago.

The initial (January-2017) emphasis of bringing up the 'non-secure' from under the 'i' info icon for credit card takers! - really? - is obviously way way overdue; personally I'd plaster the page with a pop-up! Including simple non-secure log-in pages is OK if not as problematic.

The real kicker is the mention that somewhen down the line all HTTP connections will be brightly labelled as non-secure. This is not really necessary from a security/privacy rationale unless one is particularly paranoid; it is however, a good way to give a boot in the rear assist to move folks from HTTP/1.1 to HTTP/2 when that is considered sufficiently beneficial with regards to bandwidth, connectivity, and render speed.


For those not aware of the change some browsers have already replaced address bar favicons with either the 'lock' icon of a secure connection or an 'i' info icon. In FF:
* hovering the 'i' icon displays: 'show site information'.
* clicking displays: www.example.com
and in red: Connection is not Secure
* clicking the associated arrow displays: [ the foregoing plus ] Your connection to this site is not private. Information you submit could be viewed by others (like passwords, messages, credit cards, etc.).

The push to HTTPS is here a nudge, there a wink. And in January, a shot across the bow.

And may it not hit you as it is currently bludgeoning Target and Macy's:

Your connection is not secure

The owner of [ target.com | macys.com ] has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.
...
[ target.com | macys.com ] uses an invalid security certificate. The certificate is only valid for the following names: a248.e.akamai.net, *.akamaized.net, *.akamaihd-staging.net, *.akamaihd.net, *.akamaized-staging.net

Oops.

System

11:30 pm on Sept 18, 2016 (gmt 0)

redhat

 
 


The following message was cut out to new thread by engine. New thread at: google_chrome/4818986.htm [webmasterworld.com]
12:23 pm on Sep 19, 2016 (utc +1)
1:10 am on Jan 11, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:7317
votes: 213


As promised for January 2017, Google's Chrome desktop browser now displays either the green Secure and the lock icon for secure web sites or the gray circle info icon in the address bar for non-secure web sites.

Google's Chrome mobile browser displays the green lock and https for secure sites and just the www... for non-secure sites.

Google & Bing SERP have been displaying the site URLs as https:/www... for secure sites and just www.... for non-secure sites for several weeks.

So it has begun. Wonder when the next phase with the red warning will begin?

The icons are explained here: [support.google.com...]