24 Comments

  1. mark k.

    Scare tactics rarely work, and the implication that a site with SSL is secure is just false in any case. I predict that 99% of the users will ignore this like they ignore the mixed content warning that is on many sites that use HTTPS. They will categorize it under “too technical for me to understand” and will keep on with their lives.


    • Ron

      This is going to have to be one of those times we completely disagree Mark. :)


    • Jeffrey

      The announcement cited a study on connection security indicators that showed users do not perceive the lack of a green lock icon as a warning that a site is not secure and can become blind to warnings they see too frequently.

      It’s not about scaring. The current icon in the address bar does not convey enough information to the user to get their attention. I think the “not secure” label with an eye-catching background will accomplish the task. Way to go, Google!


      • mark k.

        It is a scare tactic. There is a big fight over who can monitor any of your “movements” on the internet between the big corps and government. Monitoring is about privacy and rarely about security, as the most important security factor is whether the site is secure, not if the communication is encrypted (it takes a government to monitor your communication on the wire; never heard of a non-targeted attack that hit anyone who was just surfing the net from his home), so calling it “not secure” instead of “not private” seems like an obvious attempt to make the random net user be afraid and in return put pressure on site owners to go HTTPS.

        Since most sites are HTTP only, this warning is just going to become a constant UI noise ending in effectively the same situation as today.


      • abdussamad

        ISPs in developing countries routinely inject ads into plain http web pages i.e. technically a man in the middle attack. So yeah it happens all the time just not where you live.

        You mentioned scare tactics above. You should know that google started with the carrot and is only now reaching for the stick.

        This whole thing started a few years back when they announced that HTTPS sites would enjoy an advantage in search engine results. This was done to encourage webmasters to make their sites HTTPS.

        It worked to a large extent because encrypted traffic on the web went from <20% to over 60%. It is only now that they are employing the stick by warning users about plain http sites.


  2. Klaas

    Not entirely clear from the post, but very interesting to know is, whether the “almighty” Google will only label the HTTP page with password as insecure or will it label the entire site as insecure?


    • Ron

      I would guess only that page – for now. Waiting can’t end well and the cost is marginal even if you go with a paid cert.

      Since they put it this way…

      “Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS.”

      …I’m not waiting around to see what “eventually” means to them. That could mean 2 years or that could just as easily mean next Tuesday. It wouldn’t be the first time Google has dropped something really early (I’m looking at you AdWords – grrrrrrr). :)

      Top of my to-do list right now.


    • abdussamad

      The article above says that they are starting with login forms and credit card entry forms but will eventually expand to all HTTP pages.


  3. Sally Gradle

    So, if the site is just a brochure site with a contact form, then it will still show as okay? For now?


    • Jeffrey

      I think it will be fine. It is the password and credit card fields that Google Chrome will be targeting.

      But I would still recommend implementing SSL on your site because HTTPS sites get a higher indexing score from Google than HTTP sites.


    • Ron

      “For now” is the variable that made me change everything now. :)


  4. Otto

    I gotta agree with Mark on this one. It’s incentive to encourage https, but will have no actual effect on real security.


    • abdussamad

      It will make a difference to third world users. For example one ISP here replaces google analytics javascript files with its own popup ads script. It can only do that on plain HTTP sites.

      The fact is you can’t really trust anything that has not been transmitted via an encrypted connection. It could have been modified by anyone.


      • mark k.

        How can you say that “it could have been modified by anyone” when in practice your only evidence is that “it could have been modified by an ISP”, and if your ISP is evil you are most likely in a big problem in any case. They will just tell you to install a browser add-on to “improve” your experience.

        In China, for example, ISPs are probably required by law to intercept traffic and analyze it, so this kind of alert will be issued to all nice western sites but will not be displayed for the evil sites of companies which are in the pocket of the government.

        As I said, encryption by itself does not provide security, and lack of encryption does not mean that you should fear surfing.


      • Anonymous

        This is not only about ISPs; hackers on the same network as you (e.g. a coffee shop or train station WiFi) can inject malware into any unencrypted website they want. It doesn’t matter if the site is not transferring passwords; even the simplest site with only contact information is today a target for MitM attacks.

        Deprecating HTTP and moving to HTTPS does not only bring privacy and security, it is also shown – as long as you configure it correctly – to have major speed improvements. https://www.httpvshttps.com/


      • mark k.

        Oh, the WiFi threat… have you ever used WiFi in a coffee shop? Do you think the owners of a coffee shop are focused on serving food or hacking computers? In most places I have been, knowing how to restart the router when it fails is the limit of the technological understanding of the people working there. They just get the router from the ISP and nothing more; the idea that they will rent additional/more expensive equipment just to hack the 10 people a day that use WiFi there for a $1-2 profit is just ridiculous, especially since it will open them to being sued for computer crimes and/or copyright infringement.

        A threat of a security camera recording your bank details while you enter them is more realistic.

        And why should anyone that cares about his security use open WiFi at all? Nowadays everybody has a smartphone with a data plan and tethering ability.


  5. Ron

    Well, I just avoided the whole mess by installing the WP Encrypt plugin and activating my new Let’s Encrypt cert.

    For God’s sake people – it’s FREE – and it automatically renews every 90 days so I’ll never need to touch it again.

    My host was happy to help me set it up and now I have an advantage over my competitors that aren’t SECURE. :)


  6. Steve

    Do we have to encrypt all pages, or just pages that handle sensitive information?


    • Ron

      Did you read the announcement?

      Beginning in January 2017 (Chrome 56), we’ll mark HTTP sites that transmit passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.


  7. Brian

    This is definitely a scare tactic by Google, but I don’t see it as being a bad thing. Those that will ignore it, have probably been ignoring the HTTPS issue for years now. I think it will definitely help at least bring attention to people possibly looking at the benefits of HTTPS, such as encrypted data, SEO, performance in some cases (HTTP/2), better referral data from Google Analytics, trust, and now… well I guess you can add Chrome labels to the list.

    For those of you debating migration, don’t forget the SEO aspects as I have seen some people completely kill their traffic overnight. Such as creating new GSC profile, re-submitting disavow file, 301 redirects, etc. Here is a good guide: https://kinsta.com/blog/http-to-https/


  8. Marcus Tibesar

    Good on you Google.

    Mobile, AMP and now https.

    I appreciate your efforts to improve the Internet and the quality of the websites.


  9. Vitalii

    Hi. Thanks for the info, I still have a few questions though. What about blogs with just comment fields? Will they be marked as non-secure? Are there free certificates that will do the work, or do I have to buy one for each blog?


  10. régis

    Does anyone know if the backend’s login page of a WordPress site counts as a “login”? If so, every WordPress/Drupal/Joomla site will be affected.

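The questions above about which pages get the label (a contact-only brochure page, a blog with comment fields, a WordPress login page) come down to whether an HTTP page contains a password or credit-card input. The following audit script is an added example, not code from the thread or from Google: it parses a page's HTML with the standard library and reports the Chrome 56 verdict under the rule quoted from the announcement. The sample forms are constructed; the credit-card check assumes the explicit WHATWG `autocomplete` tokens rather than Chrome's own field heuristics.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# WHATWG autofill tokens that mark credit-card inputs. Assumption: Chrome's card
# detection is heuristic; this audit only recognises the explicit tokens.
CARD_TOKENS = {"cc-number", "cc-exp", "cc-exp-month", "cc-exp-year", "cc-csc", "cc-name"}

class SensitiveFieldFinder(HTMLParser):
    """Collects <input> elements that carry a password or card data."""
    def __init__(self):
        super().__init__()
        self.password_fields, self.card_fields = [], []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k.lower(): (v or "").lower() for k, v in attrs}
        name = a.get("name") or a.get("id") or "<unnamed>"
        if a.get("type") == "password":
            self.password_fields.append(name)
        elif a.get("autocomplete") in CARD_TOKENS:
            self.card_fields.append(name)

def chrome56_verdict(url, html):
    """Label one page under the Chrome 56 rule: an HTTP page with a password
    or credit-card input is marked 'Not secure'. Returns (label, reasons)."""
    finder = SensitiveFieldFinder()
    finder.feed(html)
    reasons = [f"password field '{n}'" for n in finder.password_fields]
    reasons += [f"card field '{n}'" for n in finder.card_fields]
    if urlparse(url).scheme.lower() == "https":
        return "secure", []           # the rule only applies to plain HTTP
    if reasons:
        return "Not secure", reasons
    return "neutral", []              # HTTP without sensitive fields, for now

# Constructed sample: a WordPress-style login form served over plain HTTP.
WP_LOGIN_HTML = """<form name="loginform" action="http://example.com/wp-login.php" method="post">
<input type="text" name="log" id="user_login">
<input type="password" name="pwd" id="user_pass">
<input type="submit" name="wp-submit" value="Log In"></form>"""

# Constructed sample: a brochure page with only a contact form.
BROCHURE_HTML = """<form action="/contact" method="post"><input type="text" name="name">
<input type="email" name="email"><textarea name="message"></textarea></form>"""
if __name__ == "__main__":
    for url, page in [("http://example.com/wp-login.php", WP_LOGIN_HTML),
                      ("http://example.com/contact", BROCHURE_HTML)]:
        print(url, "->", chrome56_verdict(url, page))
```

A page that comes back "neutral" today still falls under the plan, quoted earlier in the thread, to eventually mark all HTTP pages as non-secure.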
