Google Chrome to Remove Secure Marking as Default on Sites From September

Chrome 70 will start showing HTTP with the red "not secure" indicator

     
9:46 am on May 18, 2018 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:25428
votes: 728


Google's Chrome 69 will change from September making all secure sites with no label, and only sites with HTTP will be marked "not secure."
From October 2018, in Chrome 70, Google will start showing the red “not secure” warning when users enter data on HTTP pages.

Clearly, Google feels the numbers have swung in favor of HTTPS.

Since we’ll soon start marking all HTTP pages as “not secure”, we’ll step towards removing Chrome’s positive security indicators so that the default unmarked state is secure. Chrome will roll this out over time, starting by removing the “Secure” wording and HTTPS scheme in September 2018 (Chrome 69).


[blog.chromium.org...]
11:19 am on May 18, 2018 (gmt 0)

Preferred Member

Top Contributors Of The Month

joined:Mar 25, 2018
posts:500
votes: 101


For 10-15-20 years users have been trained to check the "secure" status of sites before doing something... if the "secure" label is removed, even if it means the site IS secure, it can cause confusion, I think... A lot of people, especially nowadays, don't even pay attention to whether there is an "s" at the end of the http... so not seeing the "secure" label might make them think the site is NOT secure...
11:30 am on May 18, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:1855
votes: 276


The lock will still be there for the foreseeable future, and the "Secure" bit doesn't really add much to that anyway. We're quickly moving towards HTTPS being the new default*, which means you won't even have to check for a lock anymore because everything will be secure unless you're otherwise notified.

* it already sort of is, with 84% of Chrome page requests already happening over HTTPS. [transparencyreport.google.com...]
6:45 pm on May 18, 2018 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12102
votes: 772


I can envision all non-secure pages being purged from the index at some point.
4:11 pm on May 19, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member editorialguy is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:June 28, 2013
posts:3242
votes: 646


I can envision all non-secure pages being purged from the index at some point.

Only if it didn't affect the quality of the index, I think. Or maybe we'll reach the point where all hosting services serve up pages as https: by default, using automatic HTTPS rewrites as needed.
4:57 pm on May 19, 2018 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 16, 2005
posts:2773
votes: 112


At which point Google will not index pages that are not certified by a limited number of approved providers - making the net a bit less open.

I think Travis is right about it confusing people. People are very easily confused by security. No average user will fill in a form on a page with a faulty certificate, but they mostly will on an unencrypted page.
6:41 pm on May 19, 2018 (gmt 0)

Preferred Member from GB 

5+ Year Member Top Contributors Of The Month

joined:Sept 29, 2009
posts:507
votes: 44


there are still major sites (BBC for example) that haven't bothered making the jump to https yet.
9:29 pm on May 19, 2018 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:11388
votes: 157


instead of making ignorant and irrelevant judgments on site security they should simply state the facts ("Not Encrypted") and leave it at that.
11:11 pm on May 19, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:1855
votes: 276


they should simply state the facts ("Not Encrypted") and leave it at that.

Probably too cryptic for most people (pun obviously intended).

But I agree the "Secure" tag can be confusing. Probably one reason they're getting rid of it.

"Not secure", however, still holds true for any HTTP connection.
12:37 am on May 20, 2018 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12102
votes: 772


Well that's just it, the term "secure" is now defined for commonality through user safety. Conversely “not secure” to mean user safety is not implied.
6:49 am on May 20, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member topr8 is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 19, 2002
posts:3397
votes: 45


@ChanandlerBong

i think the BBC has been https for a while.
6:57 am on May 20, 2018 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12102
votes: 772


Just tried HTTPS for BBC.com and it redirects to HTTP. Maybe someone should tell them they got it backwards.
8:35 am on May 20, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member editorialguy is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:June 28, 2013
posts:3242
votes: 646


Just tried HTTPS for BBC.com and it redirects to HTTP. Maybe someone should tell them they got it backwards.

Maybe they've taken the concept of "openness and transparency" a little too far. :-)
11:14 am on May 20, 2018 (gmt 0)

Preferred Member from GB 

5+ Year Member Top Contributors Of The Month

joined:Sept 29, 2009
posts:507
votes: 44


yep, I go to BBC page and it's http, no redirect to https at all. If I call https version of a page, it does stay as https.
so they've done a halfway house sort of thing, maybe they're not worried about PR juice being spread around.
11:35 am on May 20, 2018 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12102
votes: 772


HTTPS to HTTP to HTTP (redirects twice)
HTTP/1.1 301 Moved Permanently
Server: Varnish
Retry-After: 0
Content-Length: 0
Accept-Ranges: bytes
Date: Sun, 20 May 2018 11:33:23 GMT
Via: 1.1 varnish
Connection: close
X-Served-By: cache-bos8231-BOS
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1526816003.270480,VS0,VE0
Location: https://www.BBC.com/
cache-control: public, max-age=3600

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Location: http://www.bbc.com/
X-Fastly-Cache-Reason: NO-CACHE-CONTROL
Content-Length: 0
Accept-Ranges: bytes
Date: Sun, 20 May 2018 11:33:23 GMT
Via: 1.1 varnish
Age: 0
Connection: keep-alive
X-Fastly-Cache-Status: PASS
X-Served-By: cache-dca17729-DCA
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1526816003.383083,VS0,VE441

HTTP/1.1 200 OK
Server: Apache
X-Cache-Action: HIT
X-Cache-Age: 36
Content-Type: text/html
Content-Encoding: gzip
Expires: Sun, 20 May 2018 11:32:44 GMT
Content-Language: en
Etag: "a8995f48032e67b6e4a28b7020d24f6a"
X-PAL-Host: pal105.back.live.telhc.local:80
Content-Length: 35655
Accept-Ranges: bytes
Date: Sun, 20 May 2018 11:33:23 GMT
Via: 1.1 varnish
Age: 3
Connection: keep-alive
X-LB-NoCache: true
X-Fastly-Cache-Status: HIT-CLUSTER
Set-Cookie: BBC-UID=21d88b12f76443161ecefe3c62bcccd0cb6c372b628fed6d5d9f558627ff85b10keyplyer%27s%20test; expires=Thu, 19 May 2022 11:33:23 GMT; path=/; domain=.bbc.com
Cache-Control: private, max-age=60
X-Served-By: cache-iad2125-IAD
X-Cache: HIT
X-Cache-Hits: 2, 1
X-Timer: S1526816004.913076,VS0,VE1
Vary: Accept-Encoding
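
The redirect chain captured in the post above can be checked mechanically. This is an added example, not part of the original post or of any tool used in the thread: it parses an abbreviated, constructed copy of that capture and reports HTTPS-to-HTTP downgrades, a final page served over plain HTTP (or HTTPS without HSTS), and cookies set without the Secure attribute. The starting URL `https://bbc.com/`, the cookie value and the function names are assumptions.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample: status lines, Location and Set-Cookie abbreviated from the
# capture in the post. START_URL is an assumption (no request line was posted).
START_URL = "https://bbc.com/"
CAPTURE = """\
HTTP/1.1 301 Moved Permanently
Location: https://www.BBC.com/

HTTP/1.1 302 Moved Temporarily
Location: http://www.bbc.com/

HTTP/1.1 200 OK
Set-Cookie: BBC-UID=constructed-value; expires=Thu, 19 May 2022 11:33:23 GMT; path=/; domain=.bbc.com
"""

def parse_responses(capture):
    """Split a header dump into (status_code, {lowercased name: [values]}) tuples."""
    responses = []
    for block in capture.strip().split("\n\n"):
        lines = block.strip().splitlines()
        status = int(lines[0].split()[1])
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers.setdefault(name.strip().lower(), []).append(value.strip())
        responses.append((status, headers))
    return responses

def audit_chain(start_url, capture):
    """Walk the redirect chain from start_url and return a list of findings."""
    findings, current = [], start_url
    responses = parse_responses(capture)
    for status, headers in responses:
        location = headers.get("location", [None])[0]
        if 300 <= status < 400 and location:
            target = urljoin(current, location)  # also resolves relative Location values
            if urlsplit(current).scheme == "https" and urlsplit(target).scheme == "http":
                findings.append(f"downgrade: {status} {current} -> {target}")
            current = target
    final_headers = responses[-1][1]
    if urlsplit(current).scheme == "http":
        findings.append(f"final page served over plain HTTP: {current}")
    elif "strict-transport-security" not in final_headers:
        findings.append("final HTTPS response sets no Strict-Transport-Security header")
    for cookie in final_headers.get("set-cookie", []):
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append(f"cookie without Secure attribute: {cookie.split('=')[0]}")
    return findings
```

Calling `audit_chain(START_URL, CAPTURE)` on the sample returns three findings: the 302 downgrade, the plain-HTTP final page, and the `BBC-UID` cookie lacking `Secure`.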
10:20 pm on May 20, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:8459
votes: 652


The old way was not that proactive. A RED ALERT is ... and since that will be simply a protocol warning, the web will start to look broken. The boat load of http info sites that do not collect information will be hurt the worst.

Browsers should only warn if such info is asked rather than paint the web red. Just a thought. Meanwhile, https is generally doable and the web is headed there.
10:41 pm on May 20, 2018 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12102
votes: 772


The boat load of http info sites that do not collect information will be hurt the worst.
It's not about hurting websites, it's about protecting users.
One common misconception about HTTPS is that the only websites that need HTTPS are those that handle sensitive communications. Every unprotected HTTP request can potentially reveal information about the behaviors and identities of your users. Although a single visit to one of your unprotected websites may seem benign, some intruders look at the aggregate browsing activities of your users to make inferences about their behaviors and intentions, and to de-anonymize their identities. For example, employees might inadvertently disclose sensitive health conditions to their employers just by reading unprotected medical articles.
source: [developers.google.com...]
2:43 am on May 21, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:8459
votes: 652


explain "intruders", "aggregate browsing" and "behaviors and intentions" and how it is revealed and to who.
11:10 am on May 21, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:1855
votes: 276


How it's revealed? It's all in plain-text, that's the whole point. Anyone with access to the wire can see what you do on the HTTP-Web.

If I visit the BBC, my traffic passes through at least 12 routers. I can't see if anyone snoops on it, but that doesn't mean it's not happening.
11:14 am on May 21, 2018 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:11388
votes: 157


explain "intruders", "aggregate browsing" and "behaviors and intentions" and how it is revealed and to who.

an example was given in the following sentence.
do you want an explanation of the example?
11:28 am on May 21, 2018 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12102
votes: 772


Just a FYI - Besides the article, there's also an educational video in the link I posted.
3:47 pm on May 22, 2018 (gmt 0)

New User

joined:May 1, 2018
posts:38
votes: 6


I think https is more secure for the time being