Monday, July 02, 2018

Will Chrome 68 label your website as "NOT Secure"?

Starting in July 2018, Google's Chrome Browser (Chrome 68) will start labelling all websites which start with HTTP as "Not Secure". (see 

Below is an illustration by Google of what this means.
  • The top line shows what a URL currently looks like in the URL window.
  • Below it is what this will change to when Chrome 68 is introduced 
In Chrome 68, the omnibox will display “Not secure” for all HTTP pages.
My expectation is that the "Not secure" will be really obvious - like this "Not secure"

Now a lot of people thought that this would all happen yesterday 1 July 2018 - because Google said it would happen in July.

They missed the bit that said
Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”.
(Chrome 68 has not yet been introduced in the UK - but may have happened elsewhere. I'm on Version 67.0.3396.99 )

Below I look at:
  • what does being labelled as "not secure" mean?
  • what you need to do re. Google's Blogger (I had a hiccup!)
  • How do I make my website/blog/ secure?


What does being labelled "not secure" mean?


The reasons for making your website/blog secure are:
  • it protects the integrity of your website
  • it protects the privacy and security of your visitors and those shopping via your site
  • it's where the web is going. Security is ever increasing and there is a cost to not keeping up with developments in this area.
There are also a number of implications of Google's ongoing drive for better security of all websites
  • Your website may not rank well in response to Google search queries. Google is already downgrading all websites in search which are currently marked as "Your connection to this site is not secure" which is what comes up if you click the "i" icon prefacing the URL
  • Your website or blog traffic may take a dive - as in "off a cliff". It all depends on whether you depend on your email list of Google for visitors to your website or blog.
  • If you are selling art via your website you may notice sales drying up
    • Obviously your website MUST also be super secure if you are taking any payment transactions via your website - even if you are routing them via a secure process. 
    • You can't have an insecure website with PayPal or whatever and expect to get away with it!

So what about Google's Blogger?


This is where it gets interesting - then tortuous - then interesting again. Bear with me!
I started off by thinking I'd show you what a secure site looked like.

Knowing that this blog is secure I did a screen dump and was downsizing it for posting when I noticed that the green secure sign was missing from the URL Line. YIKES!!!

My blog https://makingamark.blogspot.com has been labelled as secure for some time.
i.e. I had implemented the instructions for how to get https as the starting point of your url a very long time ago (Go to Settings / Basic / HTTPS and do what it says i.e. say "Yes" to the HTTPS redirect) - and had no problems with it.

Just now I found out that it's now "not secure" i.e. it's got an i in a circle next to it which if you click it says
"Your connection to this site is not fully secure".
When I checked, it said
This page includes a form with a non-secure "action" attribute.
Except when I do what they say on the Google Support Page Fix mixed content on your blog I came up with this advice
Make sure to visit each page of your blog separately. Errors will show only for the page being viewed, not the blog as a whole
So I gave them some feedback - I was livid!
over 3,500 blog posts using Google Blogger - and you are seriously suggesting that I visit each page individually to check for insecure content? REALLY? SERIOUSLY? You haven't come up with anything better than that?
However I kept looking (using their Developer Tools - go to View / Developer / Developer Tools)  is when I found out that I had two notifications (except I forget how I found it!)
  • one in relation to Clustrmaps (that's my nice little map of visitors from around the world in the side column) and 
  • one in relation to Feedblitz.
The latter said
(index):5743 Mixed Content: The page at 'https://makingamark.blogspot.com/' was loaded over a secure connection, but contains a form that targets an insecure endpoint 'http://www.feedblitz.com/feedblitz.exe?BurnUser'. This endpoint should be made available over a secure connection.
I couldn't remember where the Feedblitz subscription form was. It turned out after interrogating my html that it was right down at the bottom of the site

It has now been swiftly removed - and my blog has immediately pinged back to being SECURE!

Back to being a secure site again!
This is what your URL should look like

Hopefully that will mean that traffic will come back. I'd noticed it had been dropping off but put it down to the very hot weather (which always reduces traffic) - but hopefully this fix will sort out any non-weather related drop.

I guess that means that anybody who has subscribed via Feedblitz will now need to resubscribe using Feedburner - which turned out to be the innocent party!

How do I make my website / blog secure?


There is no one size fits all answer to this question. It all depends on what you are using.
  • What's likely to trigger being rated as insecure? The one thing that I learned from the above is that any site with a data entry form is at risk of being marked up "not secure" unless you have done something to fix this.
  • Do I need a security certificate? Apparently not if you are using Google products eg Blogger and Feedburner as I do! I haven't got a specific "certificate" but Google knows I am secure - and that's good enough for me! (PS It's also free!)
  • Will your website hosts charge you for security certificates? Not if they have any sense i.e. it's a great way of persuading people to change hosts!  I pay for my sites on Weebly and after some prods they decided it made sense to give free security status to all paid websites. Then they decided it made sense to extend this to ALL websites - even the free ones!
In relation to anything else - my suggestion is just keep googling for help and support on what you need to do if you have a problem. Someone somewhere is likely to have had a similar problem or developed a fix which might work for you.

PLEASE suggest tips for any platform you are on which you have now made secure - and tell us all how you did it.




No comments: