Previously, HTTP usage was too high to mark all HTTP pages with a strong red warning, but in October 2018 (Chrome 70), we’ll start showing the red “not secure” warning when users enter data on HTTP pages.
Seemingly small change, but still hugely significant. Right now, HTTPS pages are marked as secure, and HTTP pages are not marked at all. In the future, HTTPS pages will not be marked, while HTTP pages will be marked as insecure.
In light of this, how about removing the https -> http redirects on here?
Best practice is to redirect all http requests to the same url under SSL, and to convert all links (even if it’s just going forward) to https.
It’s very perplexing that you have SSL and don’t do the above. It’s a small change in your web server, and a few regex replaces in SQL.
Edited 2018-05-17 22:34 UTC
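The two steps in the comment above (redirect every plain-HTTP request to the same URL over HTTPS, and rewrite stored links to https) modelled in Python. This is an added example, not OSAlert's own server configuration or SQL; the host names, the OUR_HOSTS allowlist and the sample comment text are assumptions constructed for the demonstration. Two details a practitioner wants that the comment leaves out: the redirect only echoes hosts on an allowlist, so an arbitrary Host header is never reflected into a Location, and links are only upgraded for hosts known to serve HTTPS, so third-party http links and URLs with an explicit port are left alone rather than broken.

```python
import re
from urllib.parse import urlunsplit

# Assumption: placeholder hosts that this site serves over HTTPS.
OUR_HOSTS = {"www.example.com", "example.com"}


def https_redirect(scheme, host, path, query=""):
    """Decide the redirect for one request.

    Returns (301, Location) when a plain-HTTP request names one of our
    hosts, otherwise None. Only allowlisted hosts are echoed back, so a
    forged Host header cannot turn this into a redirect to a third party.
    """
    if scheme == "https" or host.lower() not in OUR_HOSTS:
        return None
    return 301, urlunsplit(("https", host, path, query, ""))


def security_headers():
    """HSTS tells the browser to stop trying http:// for this host (1 year)."""
    return {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}


# Match "http://host" only when the host ends there: the negative lookahead
# rejects a longer host and an explicit ":port", so "http://h:8080/" is skipped.
_LINK_RE = re.compile(r"http://([A-Za-z0-9.-]+)(?![A-Za-z0-9.:-])")


def upgrade_links(text):
    """Rewrite http:// links to https:// for our own hosts only.

    This is the Python form of the "few regex replaces in SQL" the comment
    mentions; third-party links are left untouched because we cannot know
    that those hosts serve HTTPS.
    """
    def repl(m):
        host = m.group(1)
        if host.lower() in OUR_HOSTS:
            return "https://" + host
        return m.group(0)
    return _LINK_RE.sub(repl, text)


# Constructed sample comment body for the demonstration.
SAMPLE = ('See <a href="http://www.example.com/story/42">this</a> and '
          'http://www.example.com/?p=1 but not http://other.example.net/x '
          'or http://www.example.com:8080/dev')

if __name__ == "__main__":
    print(https_redirect("http", "www.example.com", "/story/42", "p=1"))
    print(upgrade_links(SAMPLE))
```

In nginx the redirect half is a single `return 301 https://$host$request_uri;` in the port-80 server block, and the HSTS header goes on the port-443 block only once every page really loads over HTTPS. For the stored links, run the equivalent REPLACE over the post and comment columns once, after checking a sample of rows, rather than rewriting at render time.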
Yeah… Thom, when will OSAlert go with the times and embrace HTTPS for login?
If you start training users this way, they’re going to mistakenly assume that data entered on https web pages is safe. That’s not guaranteed, not by a long shot. It’s encrypted, but that hardly means you’re giving it to a trustworthy web site. What with Letsencrypt and other such companies giving out SSL certificates to just about anyone who wants them, https isn’t going to mean what it once meant. It used to be that, if a user clicks on that phishing link about their Netflix account being locked, the absence of the little lock meant that the page was a fake. Now, the little lock doesn’t mean jack and Google is still training users to think that it is the key to their safety, so to speak.
This might have been a good thing if they’d done it three or four years ago. Now, it seems like a retroactive step that will give most users a false, and possibly damaging, sense of security upon which they can’t base the trust they once could.
Did you not read the linked article?
They’re moving to what you suggest.
HTTP will be labelled as “insecure”.
HTTPS will not be labelled – it’s the default.
They are not moving towards any such thing. If you label http as insecure and https as nothing, again, it’s like training the users to watch for the little lock that doesn’t mean anything. It’s worse, actually, because all they have to do now is not see something and they’ll just assume the site is fully legitimate. Maybe this is what Google really want, to train users to give their data away without thought. I don’t know. What I do know is that training them that an absence of something means safety when it really doesn’t is doing no one, except perhaps Google, any favors.
Most users already assume it’s safe. In fact, most of them already assume the whole internet is safe (though that is thankfully changing). This change is just reflecting that reality, and the fact that things absolutely should be safe by default.