Chrome Version 62 to Show Security Warnings on HTTP Pages Starting in October 2017

Google Search Console has started sending out notices to sites that have not yet migrated to HTTPS. Chrome 61 is now in beta and version 62 is on track to begin marking HTTP pages as “NOT SECURE” beginning in October. It will show the warning if it detects any forms on the page that transmit passwords, credit cards, or any text input fields that the browser deems are in need of HTTPS protection. All HTTP pages in incognito mode will trigger the warning.

In January 2017, Chrome version 56 began marking sites that transmit passwords or credit cards as non-secure as part of its long-term plan to mark all HTTP sites as non-secure. The warning will become more prominent as time goes on.

“Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS,” Chrome Security Team Emily Schechter said.

The email sent out from the Google Search Console urges site owners to fix the problem by migrating to HTTPS. Hosting companies that specialize in WordPress are making it easier than ever to make the switch. Many of them have added Let’s Encrypt integration to offer free certificates to customers. As of 2017, WordPress now only recommends hosting partners that provide SSL certificates by default.

Thanks to the push towards HTTPS from Google, web browsers, hosting companies, and the 100+ million certificates issued by Let’s Encrypt, the percentage of pageloads over HTTPS is now approaching 60%, according to Firefox Telemetry.

18 Comments


  1. This will become very expensive for a lot of people who use web hosts that do not offer LetsEncrypt, but instead charges a lot of money for SSL. Mine charges $75 per site per year, so with multiple sites, this can get expensive. The host I use, and have for many years, makes me cringe to think I may have to move to a new host with LetsEncrypt, but I may have to make that sacrifice and move.

    The fact people will be seeing these warning messages before entering a site, could end up costing a lot of visitors and money to the site owners. People will be scared off when they see the Not Secure messages.

    Report


    1. Hosts that don’t support Let’s Encrypt are going to have a harder time competing. There are plenty of hosts out there offering free, automatic SSL certificates that are happy to move new customers off of hosts like yours for free.

      Report


  2. Yes, Google now forcing webmasters to move to HTTPS. I have also move my site to https and have seen a hike in rankings. I think its a good move to make the web more secure.

    Report


  3. Absolutely right what Google does to force it to use https! If the lame webmasters don’t do it the fall down in ranking and users get warned because of a not secure website. I think every browser creator should follow that to make the net more secure for us users.

    Report


  4. If your hosting provider doesn’t allow SSL for free, then they are making a big mistake!

    I believe that all hosting providers should give every customer the feature to install even Lets Encrypt Open SSL.

    It’s just the most obvious thing to do. Afterwards, they may provide SSL certificates which provide security compensation.

    But the fact of the matter of this little rant is that we should go for hosts which provide Lets Encrypt.

    If you are at a loss wishing to stay with your hosting provider even though they currently don’t provide a free SSL service, then you can always setup your website with CloudFlare, which is free and there is a way to setup HTTPS through reverse proxy.

    I’ve completed a setup for CloudFlare with my clients and the gains are instant! You’ll also get CloudFlare’s HTTP/2 which is what makes HTTPS fast (not to be confused with HTTP/2).

    I just hope that everyone of you guys don’t get caught in the middle for having to pay for a regular green https just because you didn’t know we have free options available!

    Kind regards,

    Mic Sumner

    Report


  5. It’s really good move to keep web secure. I don’t see any reason that hosting providers will give a free SSL as they can see Google’s forcing HTTPS as an opportunity to gain in business of selling SSL certificate.

    Report


    1. Any host that sticks with that strategy will lose new sign ups in the long-run. In a few years it will be laughable that a host is so behind the times that they’re not providing free SSL certificates. They’ll fizzle and die.

      “Wait, you want me to pay for an SSL certificate?”

      Report


  6. Google forcing website owners buy SSL certificates will increase the yearly expenses for websites, especially when you own more than just one website.
    Not many will be happy to increase their yearly expenses by $30-$100 PER WEBSITE.

    P.S. Last month I’ve moved 2 websites (1 e-commerce, 1 content-based) and have seen zero changes in rankings.

    Report


    1. SSL certs are free or it cost under 10$ if somebody wish to pay it. Sure you saw zero ranking changes, it’s a standard already, nothing new or rarely seen, that will diff. you from other websites.

      Report


    2. Looks like somebody missed the memo on Let’s Encrypt.

      It’s FREE!!!!

      Report


    3. If you’re paying 30-100 for ssl, you’re paying too much.

      Report


    4. Even wildcard certs will be free soon. I don’t think anybody’s going to need to pay for anything unless they want something like an EV cert.

      Report


  7. I recently launched a tech blog, and come on, I don’t want to use HTTPS on that. This is not good, my tech blog is just about guides and tips, I have nothing to do with secure access like logging in or even putting any delicate information on my blog.

    That’s pretty… bad. :(

    Report


    1. Consider that the transmission of your password is not encrypted when you log into /wp-admin/ over http.

      Report


    2. Yes, that was a helpful reply. Thank you for that.

      I have to agree with Bright Joe here. There is no intrinsic need for a security certificate from a Certificate Authority (CA) on a website that is simply a blog, especially if it is just plain HTML… without any data capture.

      If you are really concerned about security, use a VPN and not rely on SSL. There is a bit of overhead to it, but it is about as secure as you can get. Of course, bank/financial and medical, and similar sites that collect personal info should be protected… and I can’t think of one that isn’t these days (making a VPN somewhat redundant.)

      No one has explained to me why Google is on the road to requiring Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL) for every website… but I have to surmise that there is a dollar sign behind their motivation somewhere. Do they own a CA somewhere?

      There is no doubt that the Comodo’s of the world will cash in!

      Report


  8. If your host allows it you can easily install Let’s Encrypt using their CertBot. However, some hosts don’t give you root permission and CertBot needs it.

    If that is the case, many hosts have a manual way for you to get a Let’s Encrypt certificate and sending it to them and they will install it for free.

    We use this site and it works well.

    For those of you who host on Pair.com as we do, we wrote this… actually for ourselves… so we would not forget how to do the procedure!!

    The downside with hosts that don’t support Let’s Encrypt internally is that the host (obviously) can’t auto-renew the certificates and they expire every 3 months… so you have to do the procedure 4 times a year.

    Perhaps paying the ten bucks a year is a better idea… but if you have some 20 domains as we do for our different businesses, maybe not. It does not take very long but it is a PITA, for sure.

    Report


  9. I use CloudFlare’s flexible SSL with no charge. I understand it is not a complete SSL and I wonder if Google will still display the message for my site.

    Report


  10. It’s pretty clear that a lot of education about HTTPS/SSL needs to be done. I’m really glad Google is making this an unavoidable issue.

    Report

Comments are closed.