
Google dropping “Secure” for https sites


WotEver


Just a little thing I picked up along the way that may interest those of you who use Chrome. Because the use of https has now become so common Google will start phasing out the word “Secure” and then eventually also drop the padlock symbol.

 

Instead, they will be introducing “NOT SECURE” warnings for plain old http sites. 


Thanks for the heads up, seems to be a sensible move. 

Traditionally there was a reluctance to use https for many sites, other than those that demanded them by the nature of their usage, due to an overhead in accessing them. From what I can gather these overheads have largely been negated by improved methods and increases in processing power. It would seem that a point has now been reached where https has become the standard and http usage has receded, and Google are acting in line with this.

 

Nice to have your heads up in advance of this rather than it just seeming to suddenly occur. 

 


It's already happened on the latest chrome updates

 

over roughly a year it changed from...
HTTPS required for financial transactions and preferred for sensitive logins to...
HTTPS required for financials and anything requiring a username & password to...
HTTPS required for everything
 

over the same timeframe we have also seen the various CPU flaws (where fixes impose a substantial loss of performance)

 

The change from https in very few places to https everywhere combined with performance losses from cpu flaw fixes has seen some servers that I operate going from 40% cpu load (with peaks of 70) to 70% cpu load (with peaks of 100%), the actual server usage has not changed over the time (similar user numbers, similar data transfer and similar database usage levels)

in short it's costing me money right now in the form of increased electricity usage and will cost me more shortly as I need to add extra servers to spread the load.


Interesting to hear that from the coal face Jess. Nowadays I'm very much just a consumer so from that perspective in many cases there does not appear to be the same degree of time difference between http and https connections that there used to be, didn't really consider the server load increases that you might have to absorb. 

Purely out of interest do you know who is driving these changes? Is it Google, W3c or other body? 


it seems to be being driven by google for the most part, but given their browser share through chrome it can't be ignored and other browsers follow fairly quickly.

going back to when people were running 33mhz machines the overhead in performing encryption (even if it was the hobbled 56bit version) was considerable for the consumer but fairly negligible for a faster server class machine.
now the tables are turned, home machines are running with clock speeds in GHz and with multiple CPUs (cores), the overhead isn't noticeable for the consumer but the reality is that the server they (and possibly hundreds of others) are connecting to is probably running slower than a single home user's PC.

to use my PC as an example... my cpu (I7-4790K) at stock speeds will hit around 150w of power usage (or 250w if I overclock it to 4.8ghz). that cpu power usage alone is around the same as a modern 1U server so I would run into problems fairly quickly if I were to try and co-locate a server with a cpu as powerful (firstly in power usage and secondly in heat generated).

 

this will date me fairly well but I remember putting together a server where money was no object, the only stipulation was that it had to fit in a 4U case and run the new (pre-release) Windows NT 4.0.

we spent well in excess of £15k and ended up with....
quad PII 350 Mhz cpus on a motherboard that had to be imported from the states (Serial No 0000002)
128Mb of memory (at the time 32Mb was thought to be big and 64Mb was god-like)
4 x 18Gb (total 72Gb) Ibm SCSI hard drives, specially imported from IBM in germany (the largest drives on general release at the time were their 9gb models)

dual 10mb network cards (1mb was standard at the time)

 

These days I can pick up an equivalent machine (only 64gb hard drive but ssd) for a little over £100 and it's small enough to put in a pocket.


Does this imply that an ordinary website such as mine (see my signature) needs to be changed in some way to be https rather than just http if I want people to be able to see it? If so, I wonder what I need to do.


25 minutes ago, Keeping Up said:

Does this imply that an ordinary website such as mine (see my signature) needs to be changed in some way to be https rather than just http if I want people to be able to see it? If so, I wonder what I need to do.

There is a fix, sign up to cloudfare.com and you can register one website for free which once you redirect your site, will give additional protection as well as giving https. All you have to do is alter your DNS record to point to cloudfare. This does not affect your registration with your hosting company.


1 hour ago, Keeping Up said:

Does this imply that an ordinary website such as mine (see my signature) needs to be changed in some way to be https rather than just http if I want people to be able to see it? If so, I wonder what I need to do.

I wouldn't think so if you have no one logging in or having the ability to send messages etc. I just tried it and it comes up almost instantly as it is. However, and it looks like Jess is better placed to steer you on this, eventually everyone may have to. The only issue I can imagine is that if you don't change and people visit it they will get the NOT SECURE message. What effect this will have on your visitors I can't predict but I would guess that some may panic a little and log out of non-https sites.

 

What may be interesting is to measure page load speeds under http ready for comparison if you ever do change. 

 

ETA

Looks like the roll out is scheduled for July 2018 as per this Register article

https://www.google.co.uk/amp/s/www.theregister.co.uk/AMP/2018/02/08/google_chrome_http_shame/

Might be worth contacting your hosting company as it may simply be a case of them switching it on at their end for your site. 

This is an example of how it will look

ssl-info.png


9 hours ago, jam said:

There is a fix, sign up to cloudfare.com and you can register one website for free which once you redirect your site, will give additional protection as well as giving https. All you have to do is alter your DNS record to point to cloudfare. This does not affect your registration with your hosting company.

 

Did you mean cloudflare.com? (with a hard to see letter 'l') Cloudfare appears to be for sale. 

 

https://www.cloudflare.com/ssl/


16 hours ago, Keeping Up said:

Does this imply that an ordinary website such as mine (see my signature) needs to be changed in some way to be https rather than just http if I want people to be able to see it? If so, I wonder what I need to do.

Google have basically said that non-https sites will be ranked lower in their search engine and if you run adverts then you will not get as many adverts and won't earn as much for the ones you do.

 

Most Browsers are starting to get upset if they see what they think is a login dialogue on a screen that is not protected by https

 

 


Thanks for the responses guys. It looks like it's not urgent (there's no login or advertising etc) and if just a couple of visitors get frightened away in the meantime it doesn't matter a lot. My hosting company say they provide free certificates so later in the summer I'll set about trying to understand their instructions on how to use it.


18 hours ago, reg said:

I wouldn't think so if you have no one logging in or having the ability to send messages etc. I just tried it and it comes up almost instantly as it is. However, and it looks like Jess is better placed to steer you on this, eventually everyone may have to. The only issue I can imagine is that if you don't change and people visit it they will get the NOT SECURE message. What effect this will have on your visitors I can't predict but I would guess that some may panic a little and log out of non-https sites.

If you have to log in to a site it should be fully https anyhow, even at the home page for the login button.

 

Note that if you use a works computer, a “secure” site can still be intercepted and viewed/monitored as they usually have full control of the computer you're using. If on bank or email sites you should look for the Extended Validation part (the name of the company next to the lock, like https://www.globalsign.com/en/ssl-information-center/what-is-an-extended-validation-certificate/).


18 hours ago, WotEver said:

Not really relevant but good for you :)

I can't see how you find this irrelevant?

Google is a pernicious search engine and I merely suggested an eco-friendly alternative.

WotEver! ;0)


23 minutes ago, Chop! said:

I can't see how you find this irrelevant?

Google is a pernicious search engine and I merely suggested an eco-friendly alternative.

WotEver! ;0)

We are talking about an Internet browser, not a search engine tho!

 

Not sure what you mean by Google being pernicious? Is Microsoft pernicious?


18 minutes ago, Robbo said:

We are talking about an Internet browser, not a search engine tho!

This is perhaps a good example of why Google's monopoly position confuses the issue particularly when on android systems. They have the OS the browser and the search engine all pretty much intertwined. Their position pretty much means that they can set 'standards' such as this https in isolation. 

Strangely enough they seem to have achieved a position that Microsoft dreamed of  achieving. 

https://www.google.co.uk/amp/s/www.theregister.co.uk/AMP/2018/05/21/on_20th_anniversary_of_microsoft_antitrust_treasury_secretary_says_its_time_to_take_a_look_at_google/

I remember it well. 

 

 

 


51 minutes ago, Chop! said:

I can't see how you find this irrelevant?

Because all browsers (not search engines), whether that be Opera, Firefox, Edge, Chrome or whatever will be making the same move. So whether or not you continue to use Ecosia, the browser you are using will follow the new ‘rules’ I described in the OP. 

