expmrb

Chrome will show red flag for non https sites

Chrome will show red flag for non https sites from mid summer of this year. We all know Google has been pushing this for quite some time but it hasn't affected much till now.

What do you guys think about this?

17 hours ago, expmrb said:

Chrome will show red flag for non https sites from mid summer of this year. We all know Google has been pushing this for quite some time but it hasn't affected much till now.

What do you guys think about this?

Google has been moving towards marking http sites as "Not Secure" for quite some time now and rightfully so. The final push, to display the warning in red, makes sense as the current, light grey warning doesn't really "Warn" anyone. They currently use a red label for sites where the SSL Cert is broken/invalid, which is important. 

Ever since it became possible to get free SSL Certs, I've been of the opinion that it doesn't make sense not to. Aside from being more secure than http, it lends credibility to your site, it adds a small benefit for SEO purposes and it's ridiculously easy to do. 

6 hours ago, yukon said:

...yet Google still has help pages for their own https products when they've been hacked.

Recover a hacked or hijacked account

To be fair, most of that "Hacking" takes place because the user downloaded malware, got phished or did something else stupid that exposed their account credentials - not because of https. 

One of the simplest ways to protect Google (and other) accounts is to use 2-Step Authentication - that's a no brainer, but most folks don't use it. 

4 hours ago, BIG Mike said:

To be fair, most of that "Hacking" takes place because the user downloaded malware, got phished or did something else stupid that exposed their account credentials - not because of https.

What?

The whole point of hacking is finding a backdoor. You can https all day long, doesn't matter when there's still a way in.

Equifax is running https, that's right, the same business that was hacked via part of an open source app. (Apache Struts). They did $3 billion in revenue last year and entire business is built on private data.

If someone wants in, they get in.

4 hours ago, yukon said:

What?

The whole point of hacking is finding a backdoor. You can https all day long, doesn't matter when there's still a way in.

SSL (https) isn't intended to stop or block hackers - its purpose is to ensure secure, encrypted communication between the client and server, which it does perfectly. In other words, to prevent others from listening in on the communication, intercepting confidential data, etc.

3 hours ago, yukon said:

Equifax is running https, that's right, the same business that was hacked via part of an open source app. (Apache Struts). They did $3 billion in revenue last year and entire business is built on private data.

If someone wants in, they get in.

OK, but what does that have to do with SSL? In the case you mentioned, it had nothing to do with client/server communication, so your point just doesn't make any sense to me. 

I'm not disputing that sites can be hacked with or without SSL (that's the gist of what I originally posted).

July 2018 is the deadline.

https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html

Starting in July, Chrome will label all HTTP sites as "not secure". 

For your average blog and website, I think this is bullshit. They do not need HTTPS. 

Nevertheless, I'm telling all of my clients to upgrade. The potential loss of conversions is not worth the risk.

On 2/12/2018 at 1:31 PM, BIG Mike said:

OK, but what does that have to do with SSL? In the case you mentioned, it had nothing to do with client/server communication, so your point just doesn't make any sense to me.

You're missing the point.

Put a lock on every door of your house and leave a window open, someone is getting in. Same as a website.

Who gives a shit about https when there's still holes in the site, every site. No site is completely locked down.

6 hours ago, Mike Friedman said:

July 2018 is the deadline.

https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html

Starting in July, Chrome will label all HTTP sites as "not secure". 

For your average blog and website, I think this is bullshit. They do not need HTTPS. 

Nevertheless, I'm telling all of my clients to upgrade. The potential loss of conversions is not worth the risk.

Screw Google and their petty threats.

Secure transactions for the right reasons, not Google's attaboy.

Very few sites actually process their own transactions, they use a 3rd party like Paypal. The average site isn't trying to hide sensitive data even then there's big business like Equifax fucking that up with billions in profit. Can't afford someone smarter I guess. It's amazing their stock hasn't tanked.

Either way, like I've already said, If someone wants in, they get in, it all depends on how bad they want in (motive).

23 minutes ago, yukon said:

Screw Google and their petty threats.

Secure transactions for the right reasons, not Google's attaboy.

Very few sites actually process their own transactions, they use a 3rd party like Paypal. The average site isn't trying to hide sensitive data even then there's big business like Equifax fucking that up with billions in profit. Can't afford someone smarter I guess. It's amazing their stock hasn't tanked.

Either way, like I've already said, If someone wants in, they get in, it all depends on how bad they want in (motive).

I get all of that. It's not going to keep websites from getting hacked. Forcing it on people the way Google is doing seems heavy handed. I don't really understand their motivation for this.

However, the bottom line is that for people who do not really understand what the "not secured" message means, it could hurt conversions. Pretend you are collecting life insurance leads. Someone who comes to the site that is technically illiterate and sees the "not secured" warning pop up, might leave and go to the next site. HTTPS is not all that hard or that expensive to implement these days. It's worth it to keep from possibly losing a few conversions. 

I hate it, but I'm giving in.

Keep in mind Google has always tried to pitch new ideas and a lot of them fade away because nobody cared. I don't believe them when they say https has taken off recently. No doubt they're skewing things to make a point that favors their idea (https). Like they're saving the world (meh).

We'll have to wait and see how dramatic Chrome looks down on http sites. If it's a browser toolbar icon, traffic won't even notice. If it's a SERP icon, sure, SERP traffic will notice.

I'll wait. No hurry.

32 minutes ago, yukon said:

Keep in mind Google has always tried to pitch new ideas and a lot of them fade away because nobody cared. I don't believe them when they say https has taken off recently. No doubt they're skewing things to make a point that favors their idea (https). Like they're saving the world (meh).

We'll have to wait and see how dramatic Chrome looks down on http sites. If it's a browser toolbar icon, traffic won't even notice. If it's a SERP icon, sure, SERP traffic will notice.

I'll wait. No hurry.

It will show up in the toolbar. This is what they shared:

[Image: Treatment of HTTP Pages]

I expect over time they will make that "Not secure" notice more prominent. Probably turn it red to make it stick out.

17 minutes ago, Mike Friedman said:

It will show up in the toolbar. This is what they shared:

[Image: Treatment of HTTP Pages]

I expect over time they will make that "Not secure" notice more prominent. Probably turn it red to make it stick out.

That's nothing.

I guarantee the average non-tech person wouldn't pay attention to that example above while browsing the web on Chrome or any other browser.

True, If it was a big red icon, someone might notice.

14 hours ago, yukon said:

You're missing the point.

Put a lock on every door of your house and leave a window open, someone is getting in. Same as a website.

Who gives a shit about https when there's still holes in the site, every site. No site is completely locked down.

Sorry dude, I'm not missing the point, you are. You're fixated on this idea that the purpose of https has something to do with making a website secure from hackers - you couldn't be more wrong. 

10 hours ago, yukon said:

What I find amusing is, If this is such a big deal for Google why are they ranking/promoting http pages?

BTW, Google has bounty pages for finding Google related hacks. Damn, you'd think https would cover their ass, lol.

A lot of companies offer rewards for alerting them to security holes. 

Whether or not a site gets hacked has absolutely nothing to do with https, it never has. Https is designed to protect the communication between the visitor and the website and to ensure for the visitor the authenticity of the site they're visiting, i.e.; it's really PayPal. 

Here's a link that explains what it is in detail: https://en.wikipedia.org/wiki/HTTPS

14 hours ago, Mike Friedman said:

Forcing it on people the way Google is doing seems heavy handed. I don't really understand their motivation for this.

Their long-term plan has always been to nudge website owners towards providing a more secure visitor experience. They've been working on this for at least nine or ten years now and other browsers will follow suit. Firefox already displays a grey padlock with a red slash through it on non-secure sites (at least those with a login page). 

They're not doing it to punish website owners - they're doing it to protect users, many of whom just don't have a clue about what they're doing. All things being equal, providing better visitor security isn't necessarily a bad thing. 

5 hours ago, BIG Mike said:

They're not doing it to punish website owners - they're doing it to protect users, many of whom just don't have a clue about what they're doing. All things being equal, providing better visitor security isn't necessarily a bad thing.

I get that. But why do they care if my experience on xyz.com is secure or not?

They are a corporation like any other that generally only acts in their best interest. So I'm overly suspicious that they are only acting for the greater good.

HTTP is just a communication channel. HTTPS means the communication is encrypted so if someone is listening in they won't be able to get at the data being shared between your computer and the website. It doesn't secure the website itself. Mike is saying HTTPS won't help with DDoS attacks or SQL injections or insert other common hacking techniques...

I finally think I uncovered the "what's in it for them" for Google and pushing HTTPS.

There is a new upgrade to HTTP called HTTP/2. I say new, but it has been around for a few years. It is overdue as the HTTP protocol has barely been upgraded since its inception.

I won't bore you with comparisons between the two, but HTTP/2 is a lot faster and requires fewer resources off a server. If your site supports HTTP/2 it will load much faster and be less of a drag on your hosting server.

That being said, Chrome and Firefox only support HTTP/2 over an HTTPS connection.

By only supporting HTTP/2 through HTTPS, Google might be squashing some of its ad network competition. Most of the smaller ad networks do not support HTTPS. 

Basically, this whole push to HTTPS might just be so Google can gain more market share in the ad market.
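
For site owners moving to HTTPS ahead of the Chrome change discussed in this thread, a migration check (an added example, not part of any post): it scans a page's HTML for subresources such as third-party ad scripts still loaded over http://, and for forms and password fields that would submit over http://. The names `HttpsAudit` and `audit`, the finding labels, and the sample hostnames are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

FETCHING_TAGS = {"script", "img", "iframe", "audio", "video", "source", "embed"}

class HttpsAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []              # (kind, tag, value) tuples
        self._form_target_http = False  # True while inside a form posting to http

    def _is_http(self, value):
        # Resolve relative and protocol-relative URLs against the page URL.
        return urlsplit(urljoin(self.page_url, value.strip())).scheme == "http"

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in FETCHING_TAGS and a.get("src") and self._is_http(a["src"]):
            self.findings.append(("insecure-subresource", tag, a["src"]))
        elif tag == "link" and "stylesheet" in a.get("rel", "").lower().split():
            if a.get("href") and self._is_http(a["href"]):
                self.findings.append(("insecure-subresource", tag, a["href"]))
        elif tag == "form":
            target = a.get("action") or self.page_url
            self._form_target_http = self._is_http(target)
            if self._form_target_http:
                self.findings.append(("form-submits-over-http", tag, target))
        elif tag == "input" and a.get("type", "").lower() == "password":
            if self._form_target_http or self._is_http(self.page_url):
                self.findings.append(("password-sent-in-clear", tag, a.get("name", "")))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_target_http = False

def audit(page_url, html):
    parser = HttpsAudit(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample (placeholder hostnames): an HTTPS page that still loads
# an ad script over HTTP and posts its login form to an HTTP endpoint.
SAMPLE = """<link rel="canonical" href="http://shop.example/">
<script src="http://ads.example.net/serve.js"></script>
<script src="//cdn.example.org/lib.js"></script>
<form action="http://shop.example/login" method="post">
<input type="text" name="user"><input type="password" name="pw"></form>"""
print(audit("https://shop.example/", SAMPLE))
```

The canonical link and the protocol-relative script are not flagged: the first is not fetched as a subresource, and the second inherits the page's https scheme.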

 

13 hours ago, Mike Friedman said:

I finally think I uncovered the "what's in it for them" for Google and pushing HTTPS.

There is a new upgrade to HTTP called HTTP/2. I say new, but it has been around for a few years. It is overdue as the HTTP protocol has barely been upgraded since its inception.

I won't bore you with comparisons between the two, but HTTP/2 is a lot faster and requires fewer resources off a server. If your site supports HTTP/2 it will load much faster and be less of a drag on your hosting server.

That being said, Chrome and Firefox only support HTTP/2 over an HTTPS connection.

By only supporting HTTP/2 through HTTPS, Google might be squashing some of its ad network competition. Most of the smaller ad networks do not support HTTPS. 

Basically, this whole push to HTTPS might just be so Google can gain more market share in the ad market.

Google is doing it for money and not compassion?
