
Forum Moderators: phranque

Chrome will show security warnings from version 62

     
9:31 am on Aug 18, 2017 (gmt 0)

Full Member

10+ Year Member

joined:May 3, 2003
posts:275
votes: 22


I guess we knew something like this was coming:

Just got this email from Google (Search Console)

Chrome will show security warnings on [website]
=====================================

Starting October 2017, Chrome (version 62) will show a “NOT SECURE” warning when users enter text in a form on an HTTP page, and for all HTTP pages in Incognito mode.

The following URLs on your site include text input fields (such as <input type="text"> or <input type="email">) that will trigger the new Chrome warning. Review these examples to see where these warnings will appear, so that you can take action to help protect users’ data. This list is not exhaustive.

[list]

The new warning is part of a long term plan to mark all pages served over HTTP as “not secure”.

Here’s how to fix this problem:

Migrate to HTTPS

To prevent the “Not Secure” notification from appearing when Chrome users visit your site, only collect user input data on pages served using HTTPS.

----------------------------------------------------

Thing is - the only input on the pages in the list is a Google search box - which is on every page on the site. About 10,000 pages. Plus my other sites...

Does anyone know if this is going to be a subtle warning (like a red X in the address bar), or something more obvious like a big "Not Secure" popup that the user has to dismiss?

Either way - looks like I have a fun (and not very productive) autumn lined up.
10:03 am on Aug 18, 2017 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 16, 2005
posts:2703
votes: 97


How many sites do you have? It should not take that long to either remove the search box or switch to https on all of them.
10:11 am on Aug 18, 2017 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:11082
votes: 106


I guess we knew something like this was coming:

posted in April in the Google Chrome Browser forum at WebmasterWorld...

Beginning in October 2017, Chrome will show the “Not secure” warning in two additional situations: when users enter data on an HTTP page, and on all HTTP pages visited in Incognito mode.


more HTTP warnings in Chrome:
https://www.webmasterworld.com/google_chrome/4846699.htm [webmasterworld.com]
10:21 am on Aug 18, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:10119
votes: 551


These warnings will only get more severe going forward until (IMO) eventually there's a huge red X across http pages saying WARNING!

It's also likely http pages will eventually be purged from the SERP.
11:27 am on Aug 18, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:7883
votes: 547


I agree with keyplyr in that there's a move to force https on the web at large. g is in the cat bird's seat with a major share of browsers to make this happen.

Currently one can get a minimal https certificate for free from LetsEncrypt (though my host says it will cost me $116/yr through their services though if I want to do the LetsEncrypt option that's okay by them, I just have to do it myself) and I suspect that the freebies will dry up once a tipping point (my guess is 70% of all sites, not necessarily global, 70% of those that have TRAFFIC) are switched over to either free or paid certificates and THEN the hammer will fall with required HTTPS.

Not conspiracy theory or end of world commentary, merely an understanding of past history for new tech (go back to the original printing press in the 1400s for an early example of do it free to increase demand/market, or Bell Telephone doing it free from 1880-1891 at general stores and post offices to gin up potential customers, or google free ads for publishers in recent mix). Eventually the average site cost will be host, dns registry, AND security certificate. Base cost for small sites will jump about $100-$300.

We all should do this because a secure web is a better web and a chit-load of current spam will disappear. This is a necessary step, just know it will eventually COST operations, and for most businesses that is a write off at tax time, something to pass along to the customer.

Just be aware that the freebies now AREN'T free. Somewhere down the line you will pay (add echo here: and pay and pay and pay).

TANSTAAFL. The gift horse of free HTTPS certs is a Trojan Horse and we all know how that worked out :)

Chrome is catching up to FF which has been doing this for months. I suspect all the major browsers, and minors, too, will follow suit.
8:19 pm on Aug 18, 2017 (gmt 0)

Full Member

10+ Year Member

joined:May 3, 2004
posts:301
votes: 0


So those of us who haven't switched yet have to decide whether to do this now or wait until the end of the year. Guessing most sites (big ones, especially) won't want to make this change until after Christmas season.
10:29 pm on Aug 18, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:10119
votes: 551


@Musicarl - why wait? It's not much work. You can install the cert, turn on the HTTP at the server, then have your site accessible from both protocols (HTTP & HTTPS) while you take your time and check all the links. Then when you think you've fixed all the unsecure links, install the 301 redirect to HTTPS and do a quick check to make sure everything is working as intended.



- Generic Steps to Switch from HTTP to HTTPS -


• Read all info at your host concerning certificates & switching to HTTPS and when applicable, follow those instructions.

• Install security certificate.

• Have your host enable HTTPS (if needed.) This will enable access from both HTTP & HTTPS.

• Go through site, page by page & make sure all file paths are relative (no protocol.) Test by accessing site using HTTPS and look for any browser alerts.

• Install 301 code in .htaccess file
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Note: your server may require a different code

• Go through site again, page by page, and test. Any remote absolute links will need to be HTTPS including those found in scripts & plugins. If you publish AdSense or other advertising, links in these scripts need to be HTTPS also (or just remove the protocol altogether.)

• Update sitemap.xml (if applicable) and submit to appropriate agencies (Google, Bing, Yandex, etc)

• In Google Search Console create a new site using HTTPS (do not use the Change of Address form.) It will take a few days to start populating information. This is normal & traffic to old site (HTTP) will drop off accordingly.

• Bing Webmaster Tools, Yandex & others should update automatically once they crawl your new pages. Updating/re-submitting sitemap.xml should speed up this process.
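
The page-by-page check in the steps above can be scripted. The following is an added example, not part of the original post: it parses a page and reports text-entry fields (the kind named in the Search Console email) and hard-coded http:// references that would raise browser alerts once the page is served over HTTPS. The names `PageAudit` and `audit`, the set of input types beyond text and email, and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Assumption: input types treated as text entry; the email names only text and email.
TEXT_TYPES = {"text", "email", "search", "password", "tel", "url", "number"}
# Attribute that loads a subresource or receives submitted data, per tag.
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href", "form": "action"}


class PageAudit(HTMLParser):
    """Collects text-entry fields and hard-coded http:// resource references."""
    def __init__(self):
        super().__init__()
        self.text_inputs = []    # (line, description)
        self.insecure_refs = []  # (line, tag, url)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        line = self.getpos()[0]
        if tag == "textarea":
            self.text_inputs.append((line, "textarea"))
        elif tag == "input":
            kind = a.get("type", "text").strip().lower() or "text"  # no type means text
            if kind in TEXT_TYPES:
                self.text_inputs.append((line, f"input type={kind}"))
        attr = RESOURCE_ATTRS.get(tag)
        # Protocol-relative (//host/...) and relative paths are fine; only http:// is flagged.
        if attr and a.get(attr, "").strip().lower().startswith("http://"):
            self.insecure_refs.append((line, tag, a[attr].strip()))


def audit(html):
    """Return (text_inputs, insecure_refs) for one HTML document."""
    parser = PageAudit()
    parser.feed(html)
    parser.close()
    return parser.text_inputs, parser.insecure_refs


# Constructed sample page (not from the thread).
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="//cdn.example.com/lib.js"></script>
</head><body>
<form action="http://www.example.com/search"><input name="q"></form>
<input type="checkbox" name="opt">
</body></html>"""

if __name__ == "__main__":
    inputs, refs = audit(SAMPLE)
    print("text-entry fields:", inputs, "\nhttp:// references:", refs)
```

Ordinary `<a href>` navigation links are left out on purpose, since they do not load content into the page; references inside scripts and CSS files still need a manual or browser-console check.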
1:56 am on Aug 30, 2017 (gmt 0)

Full Member

10+ Year Member

joined:May 3, 2004
posts:301
votes: 0


@Musicarl - why wait? It's not much work. You can install the cert, turn on the HTTP at the server, then have your site accessible from both protocols (HTTP & HTTPS) while you take your time and check all the links. Then when you think you've fixed all the unsecure links, install the 301 redirect to HTTPS and do a quick check to make sure everything is working as intended.

Excellent question, and your guide is most helpful. Here are three reasons we're waiting:

1) This site has been online for about 18 years, so there are a lot of moving parts. Would rather have something go wrong in January than in October.

2) We're going to change our link structures at the same time. We're still using URLs like http://example.com/index.php?id=33

This is something we've been meaning to change, so instead of first changing to
https://example.com/index.php?id=33 and then to https://example.com/something/something-else
We'll do it all at once. Lots of testing required.

3) It pains me to lose our Facebook likes. Some of our beloved stories have thousands, and the counters will reset to zero.
11:39 am on Oct 20, 2017 (gmt 0)

Full Member

10+ Year Member

joined:May 3, 2003
posts: 275
votes: 22


Sorry to drag this up again - but:

It's October - Chrome 62 has arrived - and I'm not seeing any security warnings on http pages, in incognito mode or otherwise.

Anyone else getting security warnings?
1:59 pm on Oct 20, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Apr 1, 2016
posts: 1245
votes: 368


Yes, the warnings are being shown. See the discussion at the end of this thread on the topic.
[webmasterworld.com...]
 
