Google Chrome is removing the secure indicator from HTTPS sites in September

Image: Google

Google is changing the visual cues for HTTPS in Chrome’s user interface, starting in September. Beginning with Chrome version 69, sites using HTTPS will no longer trigger the green “Secure” text that usually appears in the address bar.

Then in October, sites visited with Chrome 70 that aren’t served over HTTPS will trigger a red “Not secure” label when the user starts entering text.

Image: Google

Here’s a quick HTTPS refresher course: it’s a more secure version of HTTP, a secure communication protocol between users and websites that makes it much harder for eavesdroppers to snoop on your packets. Your data is kept secure from third parties, so most modern sites employ this technology, using Transport Layer Security (TLS), the underlying tech behind HTTPS, to do so.

Image: Google

So, why the change? Google’s argument is that “users should expect that the web is safe by default.” However, users can still be kept informed by well-presented information: a more minimal indicator would do that, instead of removing it outright.

Google’s counterclaim is that HTTPS is becoming cheaper and easier to integrate, which is true. It’s time to get to it, if you haven’t already.

Comments

With Let’s Encrypt providing free certificates, there’s no excuse now for serving a website over http

There is an excuse, which is that deployment on existing small sites is very difficult and time consuming, and often not necessary. I have a blog that’s read by quite a few people and makes me a little money, but it’s just a blog – strictly one way communication (text and video served to the reader, no info sent to me by them) except for the comments, which are handled by Disqus.

I have thousands and thousands of pages going back to 2003, a very complex template, and various plugins. There’s no easy way to get all of that stuff updated to https. Some of the plugins I use – including a couple from Google! (notably their related posts script) – are not available themselves over https, so I need to figure out whether I can live without them, or find replacements. Remember, if one element on a page is served through http, like a video or image, Google will mark the whole page as not secure. So I need to manually go through every single page on my blog to make sure everything’s being served through https. On a blog. Where readers aren’t sending me any information.

This is ironically easier for companies to deal with even if they have much larger sites, because they have either developers on staff or third parties that they can pay to automate deployment. But individual people like me, or small businesses (like I also have) that might use their site for advertising and only have a few people on staff total and no budget for web development, are just being unnecessarily burdened. Nobody wants their site to say "NOT SECURE" and nobody wants their content pushed down in the search results just because their blog posts are not encrypted.

That’s a bunch of crap. Let’s Encrypt automates setting up SSL for most web servers. Just because you haven’t looked up how to do it doesn’t mean it’s hard. I am an individual who has his personal website and I spent a total of 10 minutes setting it up. If you are really annoyed by it so much, I am happy to even help you set it up.

You haven’t a clue. I set up Let’s Encrypt on my site too, it was a breeze. But badasscat1 specifically mentions the mixed content problem. My site uses an external API that fetches the occasional content from a website which did not have HTTPS until very recently. My part of the job was done, but if just a single image from the API’s site was served in HTTP, my site would end up as mixed content. Which in some browsers makes it even scarier for the end user. I bit the bullet and turned on Let’s Encrypt because I figured eventually, that provider would get their act together. But it wasn’t a trivial decision for an 80K monthly visit site.

So just because you are an individual with a website doesn’t mean you know what you’re talking about.

badasscat1 and greg2k are correct — the SSL certs are free now, which is great, but many ad networks, plugin tool providers, and third-party comment systems still do not properly support HTTPS, or at the very least require non-trivial modification to the site to get it updated. It’s certainly not impossible but in many cases requires an experienced developer to fix any mixed-content issues.

In addition to the 3rd party issues, it is still non-trivial on a few major hosts. Microsoft Azure, for one, really makes you jump through a LOT of hoops to add a Let’s Encrypt certificate. For one of my sites (basically just a resume on a static site), it is annoying to go through the effort. Basic internet users might feel threatened and not want to view the site, despite it having nothing that necessitates HTTPS.

(On another note, many many people have been trained to look for the lock icon. It disappearing will doubtlessly cause confusion—especially as other browsers will still have it.)

I’ve often had to combat these mixed content errors when securing a WordPress site for others as part of my job. I can see how mixed content errors will be especially problematic for individual bloggers with large sites, and anyone else who only uses https. But over time, as Google tries to make a https only internet, every WordPress plugin, and anything else that could create mixed content errors will start defaulting to https.

As an example, if a plugin continues to use http by default, and then this change causes their plugin to cause mixed content errors for all their users, do you think anyone is going to use this plugin anymore? Before you know it, the plugin will have 0 active users, so it will basically be a requirement for developers to prevent these mixed content errors from happening.
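The mixed-content problem raised in several of the comments above (one http:// image, script or stylesheet on an otherwise HTTPS page is enough to lose the secure indicator) is easy to check for mechanically. The following scanner is an added example, not code from the article or from any commenter: it parses a page with Python’s standard-library HTML parser, resolves every sub-resource URL against the page URL, and reports those that would load over plain HTTP. The distinction between “active” content (scripts, stylesheets, frames, which browsers block) and “passive” content (images, media, which browsers load but flag) is standard browser behaviour; the sample page and its hostnames are constructed for the example.

```python
"""Mixed-content scanner: find sub-resources an HTTPS page would fetch over plain HTTP.

Added example; the sample HTML, hostnames and paths below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Which attribute carries the resource URL for each element type.
RESOURCE_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "video": "src",
    "audio": "src", "source": "src", "embed": "src", "object": "data",
    "link": "href",  # only counted when rel="stylesheet", see below
}
# Active content can run code or restyle the page; browsers block it outright
# on an HTTPS page. Everything else is passive content, loaded but flagged.
ACTIVE_TAGS = {"script", "iframe", "link", "object", "embed"}


class MixedContentScanner(HTMLParser):
    """Collects (kind, tag, absolute_url) for every http:// sub-resource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        # This example only treats <link> as a sub-resource when it is a stylesheet.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        url = attrs.get(attr)
        if not url:
            return
        # Relative and protocol-relative ("//cdn...") URLs inherit the page's
        # https scheme; only an explicit http:// URL is mixed content.
        absolute = urljoin(self.page_url, url.strip())
        if urlsplit(absolute).scheme == "http":
            kind = "active" if tag in ACTIVE_TAGS else "passive"
            self.findings.append((kind, tag, absolute))


def scan_mixed_content(page_url, html):
    """Return a list of (kind, tag, url) tuples for mixed content found in html."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: a blog post that is itself served over HTTPS.
SAMPLE_PAGE_URL = "https://blog.example/post/1"
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/theme.css">
<script src="http://plugins.example.net/related-posts.js"></script>
<script src="//cdn.example.com/app.js"></script>
</head><body>
<img src="/images/header.png">
<img src="http://img.example.org/photo.jpg">
<iframe src="https://comments.example/embed"></iframe>
</body></html>"""


if __name__ == "__main__":
    for kind, tag, url in scan_mixed_content(SAMPLE_PAGE_URL, SAMPLE_PAGE):
        print(f"{kind:7s} <{tag}> {url}")
```

Run against the sample page it reports the stylesheet and the related-posts script as active mixed content and the photo as passive; the protocol-relative script, the site-relative image and the HTTPS iframe are clean. Pointing it at a real site means fetching each page’s HTML first; it does not follow links or execute JavaScript, so resources injected by scripts at runtime will not show up.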

I switched a couple of WordPress sites over to HTTPS recently – with the help of a few plugins to make it easy to switch from http to https, and some other minor changes, I made the entire move in a couple of hours.

I switched all my sites over in the last few months and it’s been easy as pie.

Let’s encrypt is so easy, it’s ridiculous. If you can’t figure out how to do it, and still want to run your own web-server, then maybe your website deserves to have a glaring "Not secure" message pasted across it.

Read the earlier comments. It’s not always so simple.

A free service like Cloudflare sits between your site visitor and your website, and only requires a DNS change. From there you can turn on HTTPS rewrites in the admin console and everything just magically works. Your site is now served over HTTPS. Definitely worth looking into, most sites will also see a decent speed increase since Cloudflare is acting as another caching layer.

Ah, but it doesn’t necessarily mean that the connection between CloudFlare and the origin server is also encrypted. The web browser will show a secure page, but it only shows that the information between the browser and CloudFlare is secure.

So if the infrastructure underneath the edge facing servers allows for non-encrypted traffic, what do you do? Chrome’s security warnings will do nothing for that.

I use Dreamhost, and they offer free HTTPS. You just have to press a button to activate it.

Very much agree with this. I maintain multiple blogs, and still need to make the switch. I’ve done my research, and it’s going to take a LOT of manual work to make sure everything will work correctly after the switch. Still haven’t found solutions to some problems, for instance: the social share numbers on your pages. They’ll go to zero after switching to SSL because the HTTP version of the URL has been shared, not the HTTPS version.
Then there are SEO and (potential) traffic loss issues, which really creeps me out. It’ll take a while for search engines to correctly reindex your site. After reindexing, there’s a chance you’ll show up lower in the search results and will take a hit in traffic. This means I’m also taking a hit in income (I blog for a living). None of my blogs handle any sensitive information at all. At most, your email address, but ONLY if you want to leave a comment on my articles (and I might move that to Disqus). I will eventually move to SSL, but it’s a lot of (IMO unnecessary) extra work.

Let’s Encrypt is great. It’s easy to update my certs. So easy in fact I don’t have to. My server does it automatically. Also yes there is a reason to serve a website over http and that is to redirect it to https. That’s what my site does.

Google, how can a static HTML page, without any JS, served through http be "not secure"?

Secure doesn’t mean safe/unsafe. It means anyone can read (and manipulate) the traffic to and from the webserver.

> It means anyone can read (and manipulate) the traffic to and from the webserver.

I guess not many people know that https doesn’t solve that problem.

It doesn’t solve it, but it makes it a lot less likely and protects against the vast majority of threats regular users face.

Yes, it actually does. It ensures that you are talking directly to the server in question. Short of installing a firewall cert, you are talking to the server you intend to talk to and that communication isn’t readable or manipulated.

Some ISPs actually inject spying scripts into plain http. That cannot happen with https.

1. Because you don’t know that the HTML page you’re receiving hasn’t been manipulated by someone sitting in the middle along the way.
2. Users making http network requests reveal more about what they’re doing on the network, it may not necessarily contain sensitive information, but it can contain information users would like to keep somewhat private.

Besides, a ‘static html page without any js’ can still include a standard HTML form.

Served over HTTPS means your pesky government can’t see the details.

Wrong post, delete.

I like this change as it calls out the bad actors and lazy web masters. I think this could lead to unsecured sites seeing a dip in traffic and ultimately put a fire under some butts to make the oh so easy shift to https.

Surely sticking a big red Not Secure in the address bar would be a better way of forcing sysadmins and website owners to perk up a bit. A bigger problem that I’ve been seeing of late – even with large and powerful corporate sites – is that they leak valuable software versions in HTTP headers, which reveal which OS, the OS version, the version of PHP (or whatever language), and probably what they ate for lunch, exposed to anybody who looks at HTTP headers. If the sysadmins are not tightening up that info, it makes you wonder how the site is processing its data.
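The version leakage the comment above describes is something a site owner can audit on their own responses before anyone else does. The following checker is an added example (not code from the article or the commenter): it parses the head of a raw HTTP response and flags the headers that conventionally carry product names, OS names and version numbers. The header names it looks at are real, widely used ones; the two sample responses, including their server names and version numbers, are constructed for the example.

```python
"""Audit an HTTP response head for software/version disclosure headers.

Added example; both sample responses below are constructed.
"""
import re

# Headers that conventionally announce the product, platform or framework.
DISCLOSURE_HEADERS = (
    "server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version", "x-generator",
)
# A dotted version number such as 2.4.29 or 7.2, and a parenthesised OS/distribution tag.
VERSION_RE = re.compile(r"\b\d+(?:\.\d+)+\b")
OS_TAG_RE = re.compile(r"\(([^)]+)\)")


def parse_response_head(raw):
    """Split a raw response head into (status_line, {lowercased-name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status_line = lines[0]
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # ignore malformed lines rather than failing the audit
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return status_line, headers


def audit_headers(headers):
    """Return (header, value, detail) for every disclosure header present.

    detail is "version" when a version number is present, "platform" when only
    an OS/distribution tag is, and "product" when only a product name is given.
    """
    findings = []
    for name in DISCLOSURE_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        if VERSION_RE.search(value):
            detail = "version"
        elif OS_TAG_RE.search(value):
            detail = "platform"
        else:
            detail = "product"
        findings.append((name, value, detail))
    return findings


def audit_raw_response(raw):
    """Convenience wrapper: parse a raw response head and audit its headers."""
    _, headers = parse_response_head(raw)
    return audit_headers(headers)


# Constructed sample: a response that leaks web server, OS and PHP versions.
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.10\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample: the same site after trimming the headers to a bare product name.
TIDY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
)


if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RESPONSE), ("tidy", TIDY_RESPONSE)):
        print(label)
        for name, value, detail in audit_raw_response(raw):
            print(f"  {name}: {value!r} ({detail})")
```

The raw response head is what a tool such as curl’s `-I` prints, so the audit can be run on saved output without any network code in the script itself. Removing a version number is cosmetic hardening only; the real fix is keeping the software behind the header patched, but a header that advertises a stale version is an easy thing to stop doing.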
