Nonsecure Collection of Passwords will trigger warnings in Chrome 56

10:36 pm on Dec 27, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month

joined:Mar 15, 2013
posts: 1206
votes: 120


I received this nice little headache from Google today:

Nonsecure Collection of Passwords will trigger warnings in Chrome 56 for www.example.com

Beginning in January 2017, Chrome (version 56 and later) will mark pages that collect passwords or credit card details as “Not Secure” unless the pages are served over HTTPS.

The following URLs include input fields for passwords or credit card details that will trigger the new Chrome warning. Review these examples to see where these warnings will appear, and so you can take action to help protect users’ data. The list is not exhaustive.
....

The new warning is the first stage of a long-term plan to mark all pages served over the non-encrypted HTTP protocol as “Not Secure”.


I build, manage, and maintain 71 websites, ALL of which have a simple "username and password" login in the upper right corner of every page!

So now, based on this, it appears that I'm going to have to make several changes:

1. Buy a security certificate for every domain ($15 x 71 = $1065 /year);

2. Modify every site to run every page through that security certificate;

3. Modify all internal links to point to https; and

4. Change the htaccess to redirect non-secure pages to secure, so that external links continue to work.

And I have to assume that, in exchange for my efforts, the sites will run slower and I'll lose some search engine placement.

Any thoughts on how to improve any of this?
1:03 am on Dec 28, 2016 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15956
votes: 898


Any thoughts on how to improve any of this?

Item #3 sounds as if your sites are due for a cleanup anyway. Internal links should have no mention of protocol--just as they should have no mention of a hostname--unless the site is currently mixed http and https, which does not seem to be the case.

1. Buy a security certificate for every domain ($15 x 71 = $1065 /year);
Why, when there exist free certificates, and you only require a minimal level of security?
2. Modify every site to run every page through that security certificate;
Huh?
4. Change the htaccess to redirect non-secure pages to secure, so that external links continue to work.
This "change" involves adding a single RewriteCond to the already existing domain-name redirect. That's all. Any existing redirects whose target currently contains http:// can be changed to https:// with an unsupervised global replace. An unsupervised multi-file global replace, in fact.

and I'll lose some search engine placement.
Either Google wants sites to be https, or it doesn't.
2:33 am on Dec 28, 2016 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


Thanks for sharing that notification csdude55. Just more indication how driven Google is to get everyone to install SSL certificates so their pages are served as HTTPS.

The process is fairly simple once you start.

And BTW - HTTPS sites do not run slower. In fact, they will be much faster as HTTP/2 becomes standard.

Also there's no proof you will "lose search engine placement" and every indication you will gain advantage in SERP as Google has explicitly said so.

Related discussion: [webmasterworld.com...]
2:41 am on Dec 28, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month

joined:Mar 15, 2013
posts: 1206
votes: 120


And BTW - HTTPS sites do not run slower. In fact, they will be much faster as HTTP/2 becomes standard.

Also there's no proof you will "lose search engine placement" and every indication you will gain advantage in SERP as Google has explicitly said so.


Hmm, well that's good to know. I'm in an area where dial-up is still fairly common, so speed is critical to me... not to mention, I've noticed that an increase in load time directly results in an increase in pages per session, which results in more ad impressions / more money.

I've been in the middle of rebuilding everything to be more mobile friendly, anyway (which I hate, since mobile CPM has been a tiny fraction of desktop CPM), so it sucks that I'm going to have to start at the beginning and go over everything with a fine-tooth comb, but if there's the potential of better SERP then I guess it's worth it? Maybe?

Have you guys heard anything of whether IE and FF are going to follow Google's lead on this?
3:22 am on Dec 28, 2016 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


mobile CPM has been a tiny fraction of desktop CPM
As your site becomes more mobile friendly, so will the mobile activity increase. Mine is usually about 50/50 weekdays & 70/30 mobile advantage on weekends.

whether IE and FF are going to follow Google's lead on this?
Yup, that's the assumption and both have made statements. You can see they have already added warning icons to show where certs have improperly been implemented. I see this as a 1st step.
3:41 am on Dec 28, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month

joined:Mar 15, 2013
posts: 1206
votes: 120


mobile CPM has been a tiny fraction of desktop CPM

As your site becomes more mobile friendly, so will the mobile activity increase. Mine is usually about 50/50 weekdays & 70/30 mobile advantage on weekends.


Unrelated, I guess, but my concern here has been that current mobile traffic gets 1 banner, where desktop traffic gets 3. And that one banner is worth about 1/100th of one of the desktop banners. So I don't really WANT to encourage mobile traffic... if all of my users move to mobile, I'll be out of business!

But now search engine placement relies on it, so it's a catch-22.
4:32 am on Dec 28, 2016 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


if all of my users move to mobile, I'll be out of business
Considering all the signals, mobile will continue to gain dominance across markets. It would be prudent to consider developing your interests in that direction.
7:00 am on Dec 28, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month

joined:Mar 15, 2013
posts: 1206
votes: 120


We're heading away from the topic, but... I have to hope that mobile ads will increase in value over time; otherwise, I won't make enough to cover the cost of the servers, much less employees.

Currently, mobile conversion rates are only 1.43%, so it only makes sense that advertisers don't focus a lot of their ad money there:

[smartinsights.com...]

At some point, either the mobile ad model will have to change, or people in the US are going to have to change their mindset on buying on their phone. If they don't then free-to-use, ad-driven sites will disappear, and the only thing left on the internet will be Facebook, Ebay, and Amazon.

But maybe that's better for another thread...

9:16 pm on Dec 28, 2016 (gmt 0)

System

The following 8 messages were cut out to new thread by not2easy. New thread at: webmaster/4830273.htm [webmasterworld.com]
1:10 am on Jan 21, 2017 (gmt 0)

Preferred Member

10+ Year Member Top Contributors Of The Month

joined:Feb 5, 2004
posts: 624
votes: 110


I just got this warning as well for my sites today.

"Nonsecure Collection of Passwords will trigger warnings in Chrome 56"

You can create a user account on my sites for comment and forum posts (which can also be done anonymously, but then they have to be approved). The login appears on all pages so I guess I either remove it to just one to reduce the chance of SEO issues eventually on these pages or I have to do some research and set up an SSL certificate.

I have 4 sites on an IIS 8 Windows server. Does anyone have any links to good how-to guides for doing this on an IIS server?

I guess I will have to also read up on:

- if I can just use one certificate or is it better with 4
- What is the difference of a free vs paid one
- Redirecting of http:// to https:// so I don't lose all of the sites linking to me.

Am I missing anything else? (I guess also updating webmaster tools and bing)

Also what does this warning look like? Is it just an icon up by the url or is it a message box that comes up when someone visits my site?
2:36 am on Jan 21, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month

joined:Mar 15, 2013
posts: 1206
votes: 120


If you have cPanel, it now has the option to create certificates for each domain automatically. Just enable AutoSSL, and it will create them overnight. That solves the problem with having to buy certificates! Believe me, with 71 sites, that was a HUGE concern!

Although I did consider merging all of my sites to one; eg, having example.com redirect to whatever.com/example, example2.com redirect to whatever.com/example2, and so on. This would suck for marketing purposes, but I think it would have increased overall Adsense revenue, so... it's not entirely off the table yet.

As for redirecting everyone, I think I'm going to do it with Javascript instead of .htaccess because I need to modify existing users' cookies. It will be slower, but after a few months I'll change it to the htaccess method. I haven't tested this or anything, but something like:

<script>
// getCookie() and setCookie() are separate functions, and 'user' is the name of the
// cookie set for users that are logged in
var user = getCookie('user');

if (window.location.protocol == 'http:') {
// Resets my cookie using "domain=" and "path=", which weren't originally set
setCookie('user', user);

// Keep everything after "://" (host, path and query string) and put it back on https
var str = window.location.href;
str = str.substring(str.indexOf('://') + 3);

window.location = 'https://' + str;
}
</script>



If you don't need to change the cookie then you can simply add this to the .htaccess:

RewriteEngine On 
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]


(where example.com is your website address)
4:14 am on Jan 21, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15956
votes: 898


I think I'm going to do it with Javascript instead of .htaccess
Didn't you just get through saying that your area has a lot of dialup? Anything involving javascript can only happen after the original (wrong) request has been loaded up, which is not likely to make your users happy.

[R,L]
I hope that was a typo. It should always be [R=301,L] unless it truly is a temporary redirect and you're moving back to the old address next week.

Incidentally, mod_rewrite is perfectly happy to set (using the [CO] flag) and read (using the HTTP_COOKIE RewriteCond) cookies. So I hope that isn't your reason for using javascript.
2:21 pm on Jan 21, 2017 (gmt 0)

Preferred Member

10+ Year Member Top Contributors Of The Month

joined:Feb 5, 2004
posts: 624
votes: 110


I would still think you want to setup the redirect in htaccess and then have your script deal with the incorrect cookies at that point. I didn't think of the cookies for my own site but it will be fine if they have to get reapplied.

No control panel here. I will be doing this through the IIS interface on the server itself. I know there have been a few SSL topics on the forums here over the last year or so. I will have to do a search and find the following info:

- Guide to installing SSL and certificate on IIS
- if I can just use one certificate or is it better with 4
- What is the difference of a free vs paid one

For now I have removed the login module and limited the login to the login page itself. The sites are no more secure but it should at least prevent Google complaining about nonsecure pages for my content pages.
6:21 pm on Jan 21, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Nov 13, 2016
posts:1194
votes: 288


I understand easily that it can cause an annoyance for all webmasters, but I think this is a good point that web browsers are starting to warn users about insecure connections. Your sites are not bank or e-commerce, but still... The main reason being that people are often using the same passwords and email/username at different places. It makes it very easy for hackers to intercept login information, and then try them at other sites.

That being said:

- it's been some years already that Google announced it will push more and more webmasters to use SSL sites, so it's nothing new.

- there are several places where to get free SSL. Personally, I use Let's Encrypt [ [letsencrypt.org...] ] ( I assume it's okay to post the URL, considering how "famous" and important it has become ).

- be careful, if you host several sites on the same IP. "By default", with SSL you have 1 domain = 1 IP, for the reason that web browsers are accessing the SSL information through the IP, before sending the domain name request. However, nowadays, there are methods to address this problem. I am just pointing this out, because it's something to be careful with, and to look at, when configuring an SSL cert and/or a web server.

- after configuring your server, you can check if all is set up correctly, for example with sites like : [ssllabs.com...]

Hope it can help.
12:08 am on Jan 22, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month

joined:Mar 15, 2013
posts: 1206
votes: 120


Didn't you just get through saying that your area has a lot of dialup? Anything involving javascript can only happen after the original (wrong) request has been loaded up, which is not likely to make your users happy.


True, and it's something I've considered. But I have a few counter arguments:

1. The original cookie didn't set "path" or "domain", so I really need those cookies to be reset before they get redirected.

2. I have 51 domains parked on top of the main, and then the code reads like, if ($host eq 'domain1') { $show = 'this'; } elseif ($host eq 'domain2') { $show = 'that'; }. Eventually I'm going to have to have 51 RewriteCond in the htaccess (for each domain), and remember to add them for later additions. So no matter what, I'll need to have the JavaScript there as a backup, in case I forget to add a domain to the htaccess.

3. In theory, this slower response SHOULD only be on the first page they visit, presumably from Google or a bookmark. After that, all of the subsequent links would point to HTTPS, so it shouldn't matter.


[R,L]

I hope that was a typo. It should always be [R=301,L] unless it truly is a temporary redirect and you're moving back to the old address next week.


I actually borrowed that from the first site that came up on Google when I searched for "htaccess redirect to secure". You make a good point about defining the 301, though... unfortunately, I bet a lot of people are looking for and finding the same thing I found.


Incidentally, mod_rewrite is perfectly happy to set (using the [CO] flag) and read (using the HTTP_COOKIE RewriteCond) cookies. So I hope that isn't your reason for using javascript.


Hmm, I've never read or set a cookie via htaccess. Is it possible to modify my JavaScript code to htaccess? Doing some research, it looks like it would be something like:

RewriteCond %{HTTP_COOKIE} user
Header set Set-Cookie "user=%{HTTP_COOKIE}; path=/; domain=[not sure how to get my domain?]"


I should probably create a different thread on that one, but if you can clarify that then it would certainly be appreciated!


Jester...

- Guide to installing SSL and certificate on IIS


Sorry, man, I've never used IIS :(

- if I can just use one certificate or is it better with 4


On mine, if I use a single certificate then it ends up looking like https://example.com/~domain1, https://example.com/~domain2, etc. So for me it's better to use a different certificate for each, but YMMV.

- What is the difference of a free vs paid one


I've done some digging on this, too, and as far as I can tell the only difference is that paid certificates offer insurance if the data gets hacked. But I've never found a report from anyone that's cashed in a claim, so I think that's really just for show.

For a shopping cart it might be worthwhile to be able to put a "Verisign certified" logo on there to appease customers, but for a forum login like ours I just don't see the relevance.
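Putting the pieces of this exchange together (the .htaccess redirect posted earlier, lucy24's points about [R=301,L] and the [CO] flag, and the cookie question just above), here is an added example .htaccess. It is not from any poster's site; it assumes the login cookie is named "user" and that the sites live under example.com, so adjust both.

```apache
# Added example for this thread, not from any poster's site. Assumed names:
# the login cookie is called "user" and the sites live under example.com.

RewriteEngine On

# 1. Send every plain-HTTP request to the same URL over HTTPS. Testing
#    %{HTTPS} instead of %{SERVER_PORT} also covers non-standard ports, and
#    %{HTTP_HOST} keeps one rule working for every domain parked on the
#    account, so no per-domain RewriteCond is needed. R=301 is a permanent
#    redirect; a bare [R] is a 302 and tells search engines "temporary".
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# 2. Once the request is on HTTPS, re-issue an existing "user" cookie with an
#    explicit domain and path plus the secure and httponly attributes. The
#    value is captured from the Cookie header into %1 and the CO flag writes
#    the Set-Cookie header (lifetime 0 = session cookie). This is done on the
#    HTTPS side on purpose: current browsers discard a Secure cookie that is
#    set by a response over plain HTTP, so attaching it to the redirect above
#    would not work.
RewriteCond %{HTTPS} on
RewriteCond %{HTTP_COOKIE} (?:^|;\s*)user=([^;]+)
RewriteRule ^ - [CO=user:%1:.example.com:0:/:secure:httponly]
```

The second rule re-issues the cookie on every HTTPS response, which is harmless but means the old host-only cookie (the one set without domain=) stays in the browser until it expires, so for a while the application will see both and must accept either. If each parked host needs its own cookie domain, `.example.com` can be replaced with `%{HTTP_HOST}` (assuming the Host header carries no port, since the CO flag is colon-delimited). After the change, load the login page in Chrome and confirm the padlock, and run the host through the SSL Labs test mentioned above.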
10:20 am on Jan 23, 2017 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:11888
votes: 250


fyi news of this impending feature was first announced on WebmasterWorld in this thread in september - Google Chrome Will Mark HTTP Sites Transmitting Passwords or Credit Cards as Non Secure:
https://www.webmasterworld.com/google_chrome/4817980.htm [webmasterworld.com]
12:05 pm on Jan 23, 2017 (gmt 0)

Preferred Member

10+ Year Member Top Contributors Of The Month

joined:Feb 5, 2004
posts: 624
votes: 110


Has anyone had any problems switching over to https when dealing with displaying ads or affiliate links?

Outbound links that are not secure (i.e. http) shouldn't create any problems, but anything that loads on the page should be retrieved via https or a warning will result.
12:33 pm on Jan 23, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Nov 13, 2016
posts:1194
votes: 288


@JesterMagic: yes, images need to come from https sites too.
9:52 pm on Jan 23, 2017 (gmt 0)

Preferred Member

10+ Year Member Top Contributors Of The Month

joined:Feb 5, 2004
posts: 624
votes: 110


@Dimitri: ...and that may be my problem. A number of the banners I notice are not accessible via https. Hopefully they will let me host them myself.
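The two checks discussed in this thread, Google's "password or credit card field on an http page" rule from the notice at the top and the mixed-content point in the last few posts, can be run against your own pages before Chrome does it for you. The following is an added example, not code from Google or from any poster: it scans HTML for sensitive input fields on plain-http URLs and for http:// subresources on https:// URLs, and deliberately ignores outbound `<a href>` links, which the browser does not fetch while rendering. The sample pages at the bottom are constructed for the demo, and `autocomplete="cc-number"` is assumed here to stand in for Chrome's credit-card field heuristic.

```javascript
'use strict';
// Added example for this thread, not from Google or any poster. It audits
// HTML the way Chrome 56's "Not Secure" label and mixed-content checks see
// it. The sample pages at the bottom are constructed.

const TAG_RE = /<([a-z][a-z0-9]*)\b([^>]*)>/gi;

// Read one attribute value out of a tag's attribute string (quoted or bare).
function attr(attrs, name) {
  const re = new RegExp('(?:^|\\s)' + name +
    '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s"\'>]+))', 'i');
  const m = re.exec(attrs);
  if (!m) return null;
  return m[1] !== undefined ? m[1] : (m[2] !== undefined ? m[2] : m[3]);
}

// Elements whose URL attribute the browser fetches while rendering the page.
// <link> is handled separately because only rel="stylesheet" is fetched.
const FETCHED = { img: 'src', script: 'src', iframe: 'src', video: 'src',
                  audio: 'src', source: 'src', embed: 'src', object: 'data' };

// Returns a list of findings for one page; an empty list means Chrome 56
// would show neither the "Not Secure" label nor a mixed-content warning.
function auditPage(url, html) {
  const findings = [];
  const isHttps = /^https:\/\//i.test(url);
  let m;
  TAG_RE.lastIndex = 0;
  while ((m = TAG_RE.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = m[2];
    if (tag === 'input') {
      const type = (attr(attrs, 'type') || '').toLowerCase();
      const ac = (attr(attrs, 'autocomplete') || '').toLowerCase();
      // Chrome 56 flags password inputs and fields it recognises as credit
      // card numbers; autocomplete="cc-number" stands in for that heuristic.
      if (!isHttps && (type === 'password' || ac === 'cc-number')) {
        findings.push({ kind: 'insecure-collection', url, field: type || ac });
      }
      continue;
    }
    if (!isHttps) continue; // mixed content only exists on https pages
    let target = null;
    if (Object.prototype.hasOwnProperty.call(FETCHED, tag)) {
      target = attr(attrs, FETCHED[tag]);
    } else if (tag === 'link') {
      const rel = (attr(attrs, 'rel') || '').toLowerCase();
      if (rel.split(/\s+/).includes('stylesheet')) target = attr(attrs, 'href');
    }
    if (target && /^http:\/\//i.test(target)) {
      findings.push({ kind: 'mixed-content', url, tag, resource: target });
    }
  }
  return findings;
}

// Constructed sample pages: a login form served over http, and an https page
// with an ad banner and stylesheet still pulled over http.
const LOGIN_PAGE_HTTP = `<form method="post" action="/login">
  <input name="u"><input type="password" name="p"></form>`;

const HTTPS_PAGE_WITH_ADS = `<link rel="stylesheet" href="http://cdn.example.net/site.css">
  <img src="http://ads.example.net/banner.gif">
  <img src="https://ads.example.net/banner2.gif">
  <a href="http://partner.example.org/">partner</a>
  <input type="password" name="p">`;

function demo() {
  return {
    http: auditPage('http://www.example.com/', LOGIN_PAGE_HTTP),
    https: auditPage('https://www.example.com/', HTTPS_PAGE_WITH_ADS),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run it with `node audit.js` and feed `auditPage` the URL and body of each of your own pages (for example from a saved crawl). The http login page yields one `insecure-collection` finding; the https page yields two `mixed-content` findings (the stylesheet and the http banner) while the outbound partner link and the https banner pass, which is exactly the distinction made in the last two posts. Banners that an ad network cannot serve over https will keep showing up here until they are hosted elsewhere.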
 
