Chrome 68 will mark all HTTP sites "not secure"

8:51 pm on Feb 8, 2018 (gmt 0), Senior Member (joined Sept 25, 2005; posts 1787; votes 266)

> For the past several years, we’ve moved toward a more secure web by strongly advocating that sites adopt HTTPS encryption. And within the last year, we’ve also helped users understand that HTTP sites are not secure by gradually marking a larger subset of HTTP pages as “not secure”. Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”.
Source: A secure web is here to stay [security.googleblog.com]

No surprise here, of course. For those still on HTTP, you are now a minority [httparchive.org] (at least in the Alexa Top 1M).

A decent checklist for moving to HTTPS can be found here: HTTP to HTTPS: An SEO’s guide to securing a website [searchengineland.com]

10:12 am on Feb 13, 2018 (gmt 0), Senior Member (joined Sept 25, 2005; posts 1787; votes 266)

Looks like Cloudflare has a feature called "Automatic HTTPS Rewrites" that avoids mixed content and presumably also rewrites internal URLs from HTTP to HTTPS. Not a bad offering, but again you'd come to depend on them and their connection with your server remains insecure.
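As an added example, not part of this thread, the linked checklist or Cloudflare's feature: a small Python audit that finds the http:// references which become mixed content after a switch, separating the ones browsers block outright (scripts, stylesheets, frames) from the ones that only downgrade the indicator (images, media), and rewrites to https:// only for hosts the operator has already confirmed serve the same content over TLS. That confirmation is the step a blind rewrite skips. The sample page, the hostnames and the verified-host list are constructed for the example; stdlib only.

```python
import re
from html.parser import HTMLParser

# Element/attribute pairs browsers treat as active mixed content (blocked on an HTTPS page).
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data"), ("embed", "src")}
# Pairs treated as passive mixed content (loaded, but the page loses its secure indicator).
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}
URL_ATTRS = ("src", "href", "data", "action")

# Constructed sample page: a site that switched to HTTPS without touching its templates.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<link rel="canonical" href="http://www.example.com/page">
<script src="http://www.example.com/js/app.js"></script>
</head><body>
<img src="http://images.example.com/logo.png" alt="logo">
<a href="http://other.example.org/">partner</a>
<script src="https://www.example.com/js/ok.js"></script>
</body></html>
"""

# Hosts the operator has checked by hand: same content is served over https://. (Constructed list.)
VERIFIED_HTTPS_HOSTS = ("www.example.com", "images.example.com")


class MixedContentFinder(HTMLParser):
    """Collects every http:// URL in a URL-bearing attribute, tagged with how a browser treats it."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (severity, tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        for name in URL_ATTRS:
            url = a.get(name)
            if not url or not url.lower().startswith("http://"):
                continue
            if tag == "link":
                rel = (a.get("rel") or "").lower().split()
                severity = "active" if "stylesheet" in rel else "link"
            elif (tag, name) in ACTIVE:
                severity = "active"
            elif (tag, name) in PASSIVE:
                severity = "passive"
            elif name in ("href", "action"):
                severity = "link"  # navigation or form target: not mixed content, still an http:// URL to migrate
            else:
                continue
            self.findings.append((severity, tag, name, url))


def find_mixed_content(html):
    parser = MixedContentFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def rewrite_to_https(html, verified_hosts):
    """Rewrite http:// to https:// only for hosts known to serve the same content over TLS.

    The lookahead stops 'www.example.com' from matching 'www.example.com.evil.test'.
    """
    if not verified_hosts:
        return html
    hosts = "|".join(re.escape(h) for h in sorted(verified_hosts, key=len, reverse=True))
    pattern = re.compile(r"http://(" + hosts + r")(?=[/?#\"'\s>]|$)", re.IGNORECASE)
    return pattern.sub(r"https://\1", html)


if __name__ == "__main__":
    for severity, tag, attr, url in find_mixed_content(SAMPLE_HTML):
        print(f"{severity:8} <{tag} {attr}> {url}")
    fixed = rewrite_to_https(SAMPLE_HTML, VERIFIED_HTTPS_HOSTS)
    print("still insecure after rewrite:", [f[3] for f in find_mixed_content(fixed)])
```

Anything left in the "still insecure" list after the rewrite is a third-party host you have to test (or replace) by hand; the canonical link and the partner link are not mixed content, but they are worth fixing at the same time so the site stops advertising http:// URLs.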

11:16 am on Feb 25, 2018 (gmt 0), Senior Member from DE (joined Feb 20, 2003; posts 890; votes 6)

"not secure | example.com" looks to some people as if the site itself is "not secure" (e.g. malware). However, only the communication is not secure. Several people will misunderstand the message and leave the site.

11:57 am on Feb 25, 2018 (gmt 0), Junior Member (joined Feb 22, 2018; posts 146; votes 22)

> "not secure | example.com" looks to some people as if the site itself is "not secure" (e.g. malware). However, only the communication is not secure. Several people will misunderstand the message and leave the site.

It comes down to the same thing. When the connection is not secure, it means the content of the page may have been altered between the server and the client ("man-in-the-middle attack"). Also, it means that all data exchanged between the server and client are in plain text, so anything along the path can read these data.
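An added illustration of the two failures named in the post above (traffic that can be read and traffic that can be altered); it is not from the thread. Python, stdlib only; the request, response, injected snippet and key are constructed for the demo. The HMAC at the end stands in for the per-record authentication TLS provides (TLS uses AEAD, not a bare HMAC) to show why the same edit is rejected once the connection is authenticated.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs

# Constructed sample traffic: a login POST and the page it returns, as they cross the wire over plain HTTP.
SAMPLE_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 30\r\n"
    b"\r\n"
    b"user=alice&password=hunter2%21"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 28\r\n"
    b"\r\n"
    b"<html><body>Hi</body></html>"
)
INJECTED = b"<script>/* injected */</script>"
KEY = b"constructed-demo-key-not-a-real-secret"  # stands in for the TLS session key


def read_form_fields(raw_request):
    """What any on-path observer sees: a plaintext POST body parses as-is, credentials included."""
    _, _, body = raw_request.partition(b"\r\n\r\n")
    return {k: v[0] for k, v in parse_qs(body.decode(), keep_blank_values=True).items()}


def inject_script(raw_response, payload):
    """What an on-path attacker can do to plaintext: edit the body and fix Content-Length so the client accepts it."""
    head, sep, body = raw_response.partition(b"\r\n\r\n")
    body = body.replace(b"</body>", payload + b"</body>", 1)
    head = re.sub(rb"Content-Length: \d+", b"Content-Length: %d" % len(body), head)
    return head + sep + body


def protect(message, key):
    """Append a MAC over the whole message (stand-in for TLS record authentication)."""
    return message + hmac.new(key, message, hashlib.sha256).digest()


def verify(protected, key):
    """Return the message if its MAC checks out, else None: a tampered record is rejected, not displayed."""
    message, tag = protected[:-32], protected[-32:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return message if hmac.compare_digest(tag, expected) else None


def tamper_protected(protected, payload):
    """The same edit against an authenticated record: the attacker cannot recompute the tag without the key."""
    message, tag = protected[:-32], protected[-32:]
    return inject_script(message, payload) + tag


if __name__ == "__main__":
    print("observer reads:", read_form_fields(SAMPLE_REQUEST))
    print("forged plaintext accepted:", inject_script(SAMPLE_RESPONSE, INJECTED))
    sealed = protect(SAMPLE_RESPONSE, KEY)
    print("intact record verifies:", verify(sealed, KEY) == SAMPLE_RESPONSE)
    print("tampered record verifies:", verify(tamper_protected(sealed, INJECTED), KEY) is not None)
```

The plaintext case needs no key, no exploit and no bug on either end; anyone who can see the bytes can read the password and anyone who can change them can ship their own script to the browser with a valid-looking Content-Length.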

12:21 pm on Feb 25, 2018 (gmt 0), Moderator keyplyr from US (joined Sept 26, 2001; posts 11480; votes 692)

^^ exactly ^^

3:46 pm on Feb 25, 2018 (gmt 0), Senior Member (joined Sept 25, 2005; posts 1787; votes 266)

Like POP3, IMAP and FTP, HTTP is insecure by definition, so the label seems appropriate enough. The other way around is a little more complicated: the "Secure" label can be interpreted too broadly, and I suspect they'll be phasing out the padlock and "Secure" label at some point, effectively making HTTPS the norm. Warnings for insecure HTTP, on the other hand, may only get stronger (but not obtrusive like an interstitial).

10:14 am on Feb 26, 2018 (gmt 0), Full Member (joined July 3, 2015; posts 244; votes 41)

I just converted our biggest site to full https nearly a week ago (3-4 million uniques per month).

Our forum, with 225K users, has been https since last April or May I believe - but the rest of the site remained with http due to coding fixes that needed to be applied.

The rest of the site is on a framework, so it wasn't a simple switch. There were plenty of coding fixes to be done by my main developer.

That's why a lot of the major sites, like ESPN, TMZ, Dailymail, etc., are refusing to bow to Google's pressure, because those will be some serious recode jobs.

Once the coding was done on our site, I used Cloudflare to do the 301s and use their SSL certs so my servers don't have to issue the calls.

So far some of my major sections have lost a few places in rank, while other sections have had no effect so far and remain strong. Revenue appears the same more or less.

One thing I'll say, some of my competitors (who have logins on their main page) have had those "not secure" messages on their site for what seems like a year, and they have felt zero effect in terms of traffic or revenue loss.

I think users pay very little attention to those "not secure" messages (especially on mobile) and it's really being overhyped that people will see it, get scared and run off.

However, I believe the Chrome warnings for http sites may get worse in the future or there will be other browser restrictions in the future. Rather than wait for that to happen, I just bit the bullet and made the switch.

10:32 am on Feb 26, 2018 (gmt 0), Moderator keyplyr from US (joined Sept 26, 2001; posts 11480; votes 692)

> I think users pay very little attention to those "not secure" messages (especially on mobile) and it's really being overhyped that people will see it, get scared and run off.

My experience is the opposite, especially on mobile. I'm seeing non-secure sites dropping all the time, especially in my niche.

Proactively, I removed an affiliate because of their cavalier attitude about user safety regarding HTTPS. User safety (including privacy) is high on my list and I won't do business with those who feel otherwise.

I also see this as "web cred" (similar to "street cred".) I've seen SEO types boast what miracles they can do with ranking and when I look at their site it's often non-secure or has a bad mobile look.

10:45 am on Feb 26, 2018 (gmt 0), Junior Member (joined Feb 22, 2018; posts 146; votes 22)

Please excuse my ignorance, but :

- why do you keep talking about SSL? Since 1999 the standard has been TLS, and SSL was banned from the face of the web in 2014/15 following the POODLE attack. So I hope you are not using SSL 1, 2 or 3 for your sites.

- for everybody who says that they use Cloudflare for their TLS: does it mean that your site/data are being transmitted in plain text between your server and the servers of Cloudflare, before being encrypted? If so, isn't it "half" bad? The data can still be altered and intercepted anywhere between Cloudflare and your server.

1:36 pm on Feb 26, 2018 (gmt 0), Senior Member from DE (joined Feb 20, 2003; posts 890; votes 6)

You have different options at Cloudflare [support.cloudflare.com]

6:05 pm on Feb 26, 2018 (gmt 0), Senior Member (joined Sept 25, 2005; posts 1787; votes 266)

SSL and TLS are not technically synonymous, but they're often used as such in conversation (and marketing), especially in reference to certificates. "TLS certificate" has a different ring to it :-) Most don't need to worry much about the difference, big as it may be.

6:54 pm on Feb 26, 2018 (gmt 0), Moderator keyplyr from US (joined Sept 26, 2001; posts 11480; votes 692)

> ...Cloudflare, for their TLS, does it mean that your site/data are being transmitted in plain text between your server and the servers of Cloudflare, before being encrypted ? If so, isn't it "half" bad ? The data can still be altered and intercepted anywhere between Cloudflare and your server.

That's true for the sites that maintain their host and just put a CDN in front. This is probably worse for the user since it gives the illusion of safety while still putting them at risk.

7:28 pm on Feb 26, 2018 (gmt 0), Junior Member (joined Feb 22, 2018; posts 146; votes 22)

> That's true for the sites that maintain their host and just put a CDN in front.

Reading all the comments here and there, I have the impression that most webmasters who are using Cloudflare to switch to HTTPS are using CF because they don't know how to do it themselves, which suggests that at the level of their host, their site is not using TLS at all.

> This is probably worse for the user since it gives the illusion of safety while still putting them at risk.

Exactly.

Hackers can simply try to listen in at Cloudflare, and the day they find a security hole, they can absorb all the not-really-secured traffic.

12:48 am on Feb 27, 2018 (gmt 0), Full Member (joined July 3, 2015; posts 244; votes 41)

@Travis, that would take some serious type of hackers, and those types of hackers, in my personal experience, go after the big boys. I would say about 90% of the people I know using HTTPS are going through Cloudflare for the certs.

An expert with over 20 years' experience with encrypted data answered this question on whether there is a real risk of danger with a CDN handling the certs, which only applies to Cloudflare's "Flexible" option, as the other two work with a cert installed on your server.

His answer was posted below.

> Depends on your threat model. It would be challenging for most attackers to intercept your traffic between CloudFlare and your origin server (presuming that it's hosted at a well-connected ISP); attackers that can do that can probably just as easily intercept your traffic at your ISP or, if you were using a secure connection between CloudFlare and your ISP, at CloudFlare.
>
> The most likely additional risk is DNS: if an attacker can change how CloudFlare resolves your origin server's DNS name, they could get the traffic sent to them (and possibly redirect it from there to your origin server); however, if they could do that, they could probably also get a certificate issued to them for your domain, because many cheap TLS certificates trust DNS to identify authorized domain owners.
>
> Thus, I'm having difficulty identifying a likely threat model for an attacker who could intercept unencrypted traffic between CloudFlare and your origin server, but who would be thwarted by encrypting that traffic.
>
> If you're security-sensitive, it's more secure to not use such a CDN, so you terminate your own TLS connections within your infrastructure: it reduces one threat (an attacker inside CloudFlare).
>
> But I don't think "Flexible SSL" is that much less secure than CloudFlare's "Full SSL" or "Full SSL (strict)". If CloudFlare supports certificate pinning (via HPKP), that would add some security, but I don't think they do.
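An added check, not from this thread or from Cloudflare: a stdlib-only Python script that connects straight to an origin server and reports which of the three Cloudflare-to-origin modes the quoted answer names it could support. Flexible sends plain HTTP to the origin; Full uses TLS to the origin but accepts any certificate; Full (strict) requires a certificate that chains to a public CA and matches the hostname, which is what `ssl.create_default_context()` enforces here. The function name and the three result labels are my own. Run it against the origin's own address (its unproxied DNS name or IP), not the proxied site name, or you will be measuring Cloudflare's edge; when connecting by IP, pass the site name as `sni_host`.

```python
import socket
import ssl
import sys


def classify_origin(host, port=443, timeout=5.0, sni_host=None):
    """Return the strongest Cloudflare-to-origin mode this origin could support.

    "strict":   TLS handshake succeeds and the certificate verifies against the public CA bundle
                and matches the hostname, so Full (strict) would work
    "full":     TLS works but the certificate does not verify (self-signed, expired, wrong name);
                Full would accept it, Full (strict) would not
    "flexible": nothing on the port completes a TLS handshake (refused, timed out, or plain HTTP
                answering on 443); only Flexible, i.e. plain HTTP to the origin, would work
    """
    ctx = ssl.create_default_context()  # public CA bundle plus hostname check, same as a browser
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # wrap_socket performs the handshake immediately on an already-connected socket
            with ctx.wrap_socket(raw, server_hostname=sni_host or host) as tls:
                tls.getpeercert()  # verified chain is available only when verification passed
                return "strict"
    except ssl.SSLCertVerificationError:
        return "full"       # handshake reached the certificate, but it failed verification
    except ssl.SSLError:
        return "flexible"   # port answers but does not speak TLS (e.g. plain HTTP on 443)
    except OSError:
        return "flexible"   # refused, unreachable or timed out: no TLS listener at all


if __name__ == "__main__":
    # usage: python classify_origin.py origin-host[:port] [site-name-for-sni]
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1:443"
    sni = sys.argv[2] if len(sys.argv) > 2 else None
    host, _, port = target.partition(":")
    print(f"{target}: {classify_origin(host, int(port or 443), sni_host=sni)}")
```

The interesting outcome is "full": the origin already has TLS, so the only thing standing between you and Full (strict) is a certificate a public CA will issue, which removes the cleartext hop the thread is worried about without any recoding.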

9:12 am on Feb 27, 2018 (gmt 0), Moderator keyplyr from US (joined Sept 26, 2001; posts 11480; votes 692)

> I would say about 90% of the people I know using HTTPS are going through Cloudflare for the certs

That's one way of keeping them there. They haven't made their files secure at all, they just rely on CF. If they leave, they're faced with the added burden of getting HTTPS compliant.

My personal irritation with CF comes from the malicious behavior I constantly see in my server logs that points back to CF.

Granted, the bad behavior is comparable to some other hosts, but it is sometimes difficult to track down the source site with CF... that & their apathetic replies when I report the abuse and attempt to identify the culprit. Even AWS is more helpful in that regard.

9:29 am on Feb 27, 2018 (gmt 0), Full Member (joined July 3, 2015; posts 244; votes 41)

@keyplyr

Very few care about keeping files secure, as far as their decision to go over to HTTPS. Just about everyone I know that went to HTTPS or is going there is only doing so in order to be compliant with Google, possibly snag a ranking boost and avoid those "not secure" messages in Chrome.

As far as CF customers keeping secure, it depends on what plan they have. I've always had a business plan with some added features and it's not cheap, and I know the bulk of their users are under the free package that most hosts offer.

There are so many added features from a security aspect on the business plan that I would recommend it to anyone.

As far as HTTPS goes, that's why I had a developer recode our site to be compliant instead of using their URL rewrite feature. So if I leave, my only burden is to get my own certs, which is very easy with my host.

And it's very easy to find the source site with CF. There are hacks for doing so, but they are not widely out there because the hackers don't want CF to switch things up.

10:01 am on Feb 27, 2018 (gmt 0), Moderator keyplyr from US (joined Sept 26, 2001; posts 11480; votes 692)

> Very few care about keeping files secure... [they're] only doing so in order to be compliant with Google, possibly snag a ranking boost and avoid those 'not secure' messages in Chrome.

Yes, sadly that's the case. Just by participating in these forums, one sees that much is evident. No matter, the result gets achieved.

11:54 am on Feb 27, 2018 (gmt 0), Full Member (joined Apr 20, 2017; posts 334; votes 73)

> Depends on your threat model. It would be challenging for most attackers to intercept your traffic between CloudFlare and your origin server (presuming that it's hosted at a well-connected ISP); attackers that can do that can probably just as easily intercept your traffic at your ISP or, if you were using a secure connection between CloudFlare and your ISP, at CloudFlare.

Compromised network equipment can be anywhere; this is why it's better that anything arriving at and leaving your server be encrypted. Also, one day or another (if not already the case), hackers will succeed in getting into Cloudflare, as they have with other big Internet companies.

5:21 pm on Feb 27, 2018 (gmt 0), Full Member (joined July 3, 2015; posts 244; votes 41)

@Peter,

Most hackers, torrent websites, etc. use Cloudflare and CF protects them, so they have a lot of backers from the dark corners of the web, from the highest hack teams down. That's why hackers don't focus on them, and that's why CF has a lot of critics for protecting the hack crews. Almost every hack or torrent website, if not all, is using CF.
This 48 message thread spans 2 pages: 48