
Cre8asiteforums

Web Site Design, Usability, SEO & Marketing Discussion and Support

iamlost

Critical Must Know: Chrome To Target Http As Non-Secure


NOTE: cross posted to both 'Cre8tive Tomorrow' and 'Forum Issues and Status Updates' as I consider this development a webdev must know.




Cre8 (and many another site) has a serious technical consideration/problem going forward:

Moving towards a more secure web by Emily Schechter, Chrome Security Team, Google Security Blog, 08-September-2016.

 

To help users browse the web safely, Chrome indicates connection security with an icon in the address bar. Historically, Chrome has not explicitly labelled HTTP connections as non-secure. Beginning in January 2017 (Chrome 56), we’ll mark HTTP sites that transmit passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.


Point 1: HTTP sites that transmit passwords
That's Cre8, folks.

Four months from now every Chrome user that goes to log on to Cre8 will be told (at a minimum) that the log-in page/pop-up is not secure.

Point 2: long-term plan to mark all HTTP sites as non-secure

 

In following releases, we will continue to extend HTTP warnings, for example, by labelling HTTP pages as “not secure” in Incognito mode, where users may have higher expectations of privacy. Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS.





CRITICAL NOTE: a simple switch to HTTPS/1.1 is likely to get dinged again within a few years with Google/Chrome pushing HTTP/2. Therefore do appropriate due diligence and decide what to switch to which when to best future proof your site and its delivery.


I was just preparing to post something similar...

Go to http://target.com/ and see what happens..... then go to https://target.com/

 

I am seeing results in both Chrome and Firefox that people who run target would not enjoy.

 

The same for macys.com. Try with both http:// and https://

For the browsers that I am using these guys are on the web with their pants down.

Looks like if you are not https and don't have all of your redirects in place you are going to be embarrassed in front of some of your visitors.


For me, favicons have disappeared in Chrome and Firefox.

 

If you are https and your site is working well then a green lock appears. If you are not https an "i" symbol appears instead of the favicon and anyone who clicks it sees a message that your site isn't secure or their connection is not private depending upon browser.


Yup, big sites have been caught out variously by https for years. Almost always one of expired/invalid certificate(s) or including non-secure inputs (for the longest while it was AdSense :))

 

And yup, the browsers have been becoming stricter - this however, is not just them closing in but a loud warning shot across the bows.

 

I'm not at all surprised about the January non-secure credit card as that should have been implemented years ago! A bit surprised at the non-secure log-in and somewhat surprised at noting non-secure connection when in privacy mode - as there may or may not be actual security/privacy considerations.

 

What did surprise me completely (albeit not shock as I can see their logic) was the warning of future aim at all http connections. They really really must want everyone on HTTP/2 albeit mostly for bandwidth/speed reasons mostly, I think.


To comply, every domain needs an SSL certificate purchased, approved and installed at their host?

 

Added...notified Tech Admin at Ninjas

Edited by cre8pc


Certs can be purchased or are available free via Let's Encrypt.

 

It also means that to be fully compliant a site's inputs should all also be served https with a valid cert. This includes ads and widgets et al.

 

No reason to panic.

Reason to research and get ready - Cre8 sooner due to log-in,

others, including info sites probably within a couple of years if you care what the browsers tell your visitors.

 

Note: as EGOL mentioned some browsers are already replacing icons with 'i' and 'lock' icons on the URL line. This is Cre8 in FF:

 

Cre8-browser-info-icon.png

 

cre8-browser-info-tag.png

 

Cre8-browser-info-click2.png

Edited by iamlost

I first noticed the "i" symbol replacing my favicon yesterday. I believe that a lot of people will see the "i" and click it to see what it means. For that reason, I feel a higher need to move to https.

 

I am surprised by some of the really large retailers who have not gone to https on the front side of the retail site.


For comparison here is our sister site WebmasterWorld, which is HTTPS, in FF:

www-browser-info-lock.png

 

www-browser-info-click.png

 

wmw-browser-info-click2.png


Didn't notice there was an i button until you pointed it out. I bet a lot (most) users won't. Big warnings like the 'expired/wrong certificate' ones would be an issue but I don't think most users will notice the subtle i or be worried unless their CC is involved (and even then plenty still don't check for a padlock).

 

It's going to be like mobiles, one of those things you stick at the end of the to do to look into, then suddenly realise oops it's a bigger deal than expected. Will wait for google to start labelling results before panicking too much ;)


The symbol is really bothering me :emo_gavel:

 

Some of my clients are really small potatoes and have a simple blog with a contact form. They don't sell anything.

 

And for image...what does the warning mean?

 

Should I get rid of the contact form? Get rid of Feedburner RSS and Email subscriptions?

 

ssl3.png

 

 


The symbol is really bothering me :emo_gavel:

 

Some of my clients are really small potatoes and have a simple blog with a contact form. They don't sell anything.

 

And for image...what does the warning mean?

 

Should I get rid of the contact form? Get rid of Feedburner RSS and Email subscriptions?

 

 

 

This is my biggest issue with just about everything Google does. I get that they say that they want a more secure web, but their heavy handed, I mean very heavy handed, approach to these things just strikes me as wrong on so many levels. I'm not looking forward to the mad scramble this is going to create.


For some sites, moving to https won't be that big of a deal. If you're dealing with a relatively small site, on WordPress, and you have a decent host who offers Let's Encrypt, it's almost a piece of cake. If those things don't apply, then it gets relatively more difficult as the size and complexity of the site increases. But Kim, for really small potato clients, it should be pretty easy to get 'em all fixed up.


Just because the ssl is on the site you also need to make sure all loaded assets are and all third party scripts!!


And sometimes the developers of those third party scripts need to be educated too!


Agreed. One of my clients has an approved SSL cert installed but her site is showing the "i" icon because there are absolute links in the site to http, not https. Her site is gigantic and I have no idea how to deal with finding them all to repair.

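One way to approach the "finding them all" problem raised above, and the earlier point that ads, widgets and other inputs must also be served over HTTPS: an added example, not part of any poster's message, that scans a page's HTML for absolute http:// references and separates subresource loads (which cause mixed content) from plain hyperlinks (which do not). The sample page and its example.com/example.net URLs are constructed, and `classify`, `scan` and the kind labels are names chosen for this example.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that make the browser fetch a subresource.
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

# Constructed sample page (example.com / example.net are placeholders).
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://www.example.com/page">
<script src="https://www.example.com/app.js"></script>
<script src="http://widgets.example.net/badge.js"></script>
</head><body>
<img src="http://www.example.com/logo.png" alt="">
<a href="http://www.example.com/about">About</a>
<form action="http://www.example.com/contact" method="post"></form>
</body></html>"""

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, kind, tag, url)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        for name, url in a.items():
            if url.lower().startswith("http://"):
                kind = classify(tag, name, a.get("rel", "").lower().split())
                if kind:
                    self.findings.append((self.getpos()[0], kind, tag, url))

def classify(tag, name, rel):
    if (tag, name) in ACTIVE or (tag == "link" and name == "href" and "stylesheet" in rel):
        return "active"    # scripts, frames, stylesheets
    if (tag, name) in PASSIVE or (tag == "link" and name == "href" and "icon" in rel):
        return "passive"   # images and media
    if (tag, name) == ("form", "action"):
        return "form"      # submission target is plain HTTP
    if (tag, name) in {("a", "href"), ("link", "href")}:
        return "link"      # hyperlink or metadata, not a subresource load
    return None

def scan(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

if __name__ == "__main__":
    for line, kind, tag, url in scan(SAMPLE):
        print(f"line {line}: {kind:8} <{tag}> {url}")
```

For a large site, run `scan()` over each saved or exported page and work through the "active" and "passive" findings before the "link" ones.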
