https://www.wired.com/story/google-chrome-https-not-secure-label/
The irony of it all. Google warning users about privacy. Not to worry. Tim Lee is working on it & soon we will have sites not even Google can track.
I just loaded it in Chrome. No problems.
Google Chrome is up to date
Version 70.0.3538.77 (Official Build) (64-bit)
Mike,

When I go to www.pgmusic.com, Firefox also tells me that it's not secure. This is also true of the forums. Since these are free, public websites, though, do they need to be secure?

When I log in to my PG Music sales account, that part of the site is secure. This is the part that matters to me because it contains important personal information.

Regards,
Noel
Exactly. Most of the site isn't secure, and has no reason to be.

The entire ordering process, everything to do with your account, and the online chat service, are all secure to protect your personal info and credit card numbers.

Thanks
Kent
PG Music
I deal with this every day.
Most browsers are now pointing out a 'not secure connection', even when a secure connection isn't needed.
They did give developers a little warning, but it's a pretty aggressive change.
At work, we are seriously considering paying a couple grand a year to alleviate the problem .. per server on multiple servers.

On the flip side there's really no need for a browser to point out the connection is 'not secure' when it doesn't need to be secure.
Secure is of course better, but browsers are indeed leaning to alarming the user unnecessarily.

They need to give SysAdmins a little more time to adapt, and the Consumer a little more time to absorb the cost (costs get passed on).
If I gotta make a server 'all https' (secure) it costs me more .. and therefore your charges go up to cover it.

FWIW I'm cool with wanting a totally encrypted internet (which is all this initiative really is) but it will indeed cost more. So don't complain unless you are willing to pony up ..
smile
/just my thoughts
Yes, it's a real PITA.

The people that host my website, www.blue-attitude.net, told me that this change was coming a while ago and offered to add the security certificate needed so it would be https instead of http. For a price of course!

They say that many people will not proceed if their browser tells them the site is not secure, and I'm sure that is true. Same deal, my website is information only, doesn't need to be secure.
Originally Posted By: rharv
I deal with this every day.
Most browsers are now pointing out a 'not secure connection', even when a secure connection isn't needed.
They did give developers a little warning, but it's a pretty aggressive change.
At work, we are seriously considering paying a couple grand a year to alleviate the problem .. per server on multiple servers.

On the flip side there's really no need for a browser to point out the connection is 'not secure' when it doesn't need to be secure.
Secure is of course better, but browsers are indeed leaning to alarming the user unnecessarily.

They need to give SysAdmins a little more time to adapt, and the Consumer a little more time to absorb the cost (costs get passed on).
If I gotta make a server 'all https' (secure) it costs me more .. and therefore your charges go up to cover it.

FWIW I'm cool with wanting a totally encrypted internet (which is all this initiative really is) but it will indeed cost more. So don't complain unless you are willing to pony up ..
smile
/just my thoughts

It is a non-issue since anyone can simply use Let's Encrypt for free and the problem is solved!

https://letsencrypt.org/

And yes, I know not all web hosting companies support it but they should and will. If yours does not then switch to someone modern!

And a company like PG should obviously secure their entire website because it is not just security warnings...Google is penalizing non-secure sites in search results!
Originally Posted By: Kent - PG Music
Exactly. Most of the site isn't secure, and has no reason to be.

The entire ordering process, everything to do with your account, and the online chat service, are all secure to protect your personal info and credit card numbers.

Thanks
Kent
PG Music

Thanks for the clarification Kent
Originally Posted By: Kent - PG Music
Exactly. Most of the site isn't secure, and has no reason to be.

Actually there are 3 reasons...

1) https actually does improve security for everyone using the web
2) browsers now warn your customers that you are not secure and you can lose business because of those warnings whether you agree with them or not
3) Google will penalize you in search results for having a non-secure site
This is the world we live in so get used to it.

I've posted many times about what we have to do at the CPA firm now and how using Win 10 with Edge is the most secure way to go unless you want to go to using an old computer as a server/firewall. I'll say it again for the umpteenth time: if you're not using a fully up to date Win 10 OS then you simply don't care about security. Win 7 cannot be patched up to the level of Win 10. This goes to show how the hackers keep making our lives more and more restricted. Most folks think of hackers as some kid in his mother's basement. No, the hackers I'm talking about are very large international organized crime groups based in fun places like Russia, North Korea, China, etc. They're dealing with billions of dollars.

The IRS started new procedures several years ago to make our online lives easier when dealing with them and then they were forced to take it all back when the hacking got worse. As a tax pro I used to be able to log in, pull up a client's info and do certain things right there online. Now, they've cut that back, I can only do some of what I used to do and I'm forced to call them and wait on hold for up to an hour. Then they go through an ID authentication process to verify who I am before they release any taxpayer info. People like me are supposed to be sharp enough to understand all this but the average person who has little clue? Forget it. It's a total PIA for me to get info I need about a client quickly and easily.

It's all about hackers and it's filtering down to everybody now.

Those of you in the IT/security field know what I'm talking about. The majority of folks still have little clue about any of this and we see it even on this forum even though musicians tend to be more technical minded than most.

Bob

Dear John,

Thank you for this. I will have someone explore this for me and try to use this on my behalf, because I don't have time to stay on the phone with Network Solutions all day. Thanks again for the nice tip.

Do you know by any chance if Network Solutions allows this? The last time I discussed, I think it was an extra $250 per site and of course THEY wanted to do it/sell it instantly.

I have 5 websites. So that would be over $1,200 a year in residual recurring revenue income for a plug-in for someone. For doing nothing, of course.

I wonder about the economics of this. Is Google getting a cut from hosting companies? My hosting package from Network Solutions that allows me to have and build 5 websites is $175 a year.

To make all of those "secure" (and they are only informational) would increase my costs sevenfold--for a line of code and a green sticky from Chrome. Thanks!

It's like the phone company. AT&T makes no profit, I have heard, on the phone line. But they make, I dunno, 3000% margins or something on the voicemail that was a program written once 30 years ago.

I think this is all about tech companies wanting to sell people code, or force them to buy it, in a country that no longer grows potatoes.

Or as a WSJ senior writer said in a front page WSJ article earlier this year about his father-in-law who had lost his job as sales person and would never be employed again:

In the near future there will be two jobs.

1.) Sleeping under a bridge.

2.) Working for Amazon so you can buy stuff from Amazon.
JJJ,
If you had a production server, would you rely on letsEncrypt?
Not me.

And Google does not 'penalize' sites without SSL, though they do give a 'slight' advantage to those that do have it (not a minus but rather a very slight plus in rankings).

We take security seriously on our servers, and I'd rather pay for an SSL with a reliable warranty than go down the letsEncrypt path. wink

Hopefully someday the internet is all encrypted safely, but we're not there yet.
Originally Posted By: rharv
If you had a production server, would you rely on letsEncrypt?

Yes. Absolutely! The vast majority of non-commerce sites will do just fine with Let's Encrypt. As you said earlier, "there's really no need for a browser to point out the connection is 'not secure' when it doesn't need to be secure". So for all of those sites, Let's Encrypt fits the bill perfectly.

Originally Posted By: rharv
And Google does not 'penalize' sites without SSL, though they do give a 'slight' advantage to those that do have it (not a minus but rather a very slight plus in rankings).

Call it what you want. Sites that are secure get better search engine positioning than non-secure sites. And Google is notoriously secretive about their algorithms so it may be "slight" or it may be "huge"! They are pushing this initiative really hard and have modified their browser for it so...

Originally Posted By: rharv
We take security seriously on our servers, and I'd rather pay for an SSL with a reliable warranty than go down the letsEncrypt path.

Well, it is kinda like insurance isn't it? We assess our risks and decide how much we can tolerate. Anyone with an informational site running on a shared web host should do just fine with Let's Encrypt. If you are Amazon or eBay of course you might consider paid alternatives.
Originally Posted By: David Snyder

Dear John,

Thank you for this. I will have someone explore this for me and try to use this on my behalf, because I don't have time to stay on the phone with Network Solutions all day. Thanks again for the nice tip.

Do you know by any chance if Network Solutions allows this? The last time I discussed, I think it was an extra $250 per site and of course THEY wanted to do it/sell it instantly.

I have 5 websites. So that would be over $1,200 a year in residual recurring revenue income for a plug-in for someone. For doing nothing, of course.

I wonder about the economics of this. Is Google getting a cut from hosting companies? My hosting package from Network Solutions that allows me to have and build 5 websites is $175 a year.

To make all of those "secure" (and they are only informational) would increase my costs sevenfold--for a line of code and a green sticky from Chrome. Thanks!


Hey David! So first I'd say generally Network Solutions sucks because they still charge premium prices for meager services! I just checked them and it appears they do NOT support Let's Encrypt. Obviously this is because they want to keep making money off of every website they host! I have about 60 domains through GoDaddy (they also suck as a host but are fine as a registrar!) and they also do not offer Let's Encrypt support for the same reason.

But there are a lot of shared hosting web hosts who do support Let's Encrypt. I am assuming you are using shared hosting at Network Solutions, right? A decent shared hosting account can usually handle several thousand visitors per day unless you end up on a host that squeezes way too many sites on their servers. But even then, most sites are not getting a lot of traffic so that doesn't necessarily mean you'll have any issues.

If you want to consider moving your websites you can search online for hosts that support Let's Encrypt. And you can still leave your domains at Network Solutions if you want.

One host I like a lot is Pair Networks. For about 6 bucks a month you can host an unlimited number of sites, you get 15 GB of disk space, 75 GB monthly transfer and 15 MySQL Databases. If you wanna use Let's Encrypt you can do so for free. Or, if you want a basic secure certificate with a $10,000 warranty it is $10/year/domain.

https://www.pair.com/webhosting/shared.html

I know moving your sites can be a pain but you could save some dough and get SSL for free or a low cost. Lemme know if you have any further questions.
Hey John,

Thanks! I may p.m. you on this later on if I need some more help.

I think I will contract this out when the time comes. I don't want to suffer that headache.

My daughter just finished a gorgeous art portfolio website on Wix with https automatic as the default and her website is better than anything I have ever done--granted she is a genius and an artist and a whole lot smarter than I am, but still. No extra charges, so there is obviously some form of a scam going on out there.

JJJ,
I *think* I see your point. If it was my personal site, I may try this route.
My response is because I'm on the other side of the fence in many ways.

I am responsible for hundreds of sites on various servers and I rest much better at night knowing the SSLs we use are backed. Like I said we plan to spend a few grand a year to secure our sites using other sources.

Using LetsEncrypt means I'd have to allow them (LetsEncrypt) to run some processes/updates that access our servers every 3 months and update SSLs (they are only good for 3 months, not a couple years) .. plus I can't look at what they are actually doing.
So I have to make this decision on a different level.

If my personal hosting provider allowed it, I'd probably use this service while I could.
But like I said I'm on the other side of the fence, deciding whether to allow a free 3rd party service to access/change our servers; that makes me nervous ..

On the flip side I think PGMusic could secure both the forum and the main site (legitimately with a warranty) for about $120/yr, so it's pretty minimal in the grand scheme of things for a company like PGMusic, which is what the original thread was about.

So is there any plan by these browsers to eventually block access? I’m perfectly happy to ignore a cautionary message on sites I trust, especially when it’s public and security isn’t needed.
Originally Posted By: rharv
JJJ,
I *think* I see your point. If it was my personal site, I may try this route.
My response is because I'm on the other side of the fence in many ways.

I am responsible for hundreds of sites on various servers and I rest much better at night knowing the SSLs we use are backed. Like I said we plan to spend a few grand a year to secure our sites using other sources.

Using LetsEncrypt means I'd have to allow them (LetsEncrypt) to run some processes/updates that access our servers every 3 months and update SSLs (they are only good for 3 months, not a couple years) .. plus I can't look at what they are actually doing.
So I have to make this decision on a different level.

If my personal hosting provider allowed it, I'd probably use this service while I could.
But like I said I'm on the other side of the fence, deciding whether to allow a free 3rd party service to access/change our servers; that makes me nervous ..

On the flip side I think PGMusic could secure both the forum and the main site (legitimately with a warranty) for about $120/yr, so it's pretty minimal in the grand scheme of things for a company like PGMusic, which is what the original thread was about.


Yeah I can see that you and I are at different ends of the spectrum. When I use shared hosting for myself or my clients I would not hesitate to use Let's Encrypt for an info site. But if I was managing my own servers I'd probably choose to go the route you describe.

Regarding PGM they already have a secure cert for pgmusic.com so it would only take a few hours to convert all of the absolute references from http to https. You could probably do it even faster with a little redirect trickery! There is no reason for them not to fix this right away and avoid the possibility of losing even a single prospective customer.
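An added example, not part of any post in this thread: one way to audit a page for the absolute http:// references mentioned above and upgrade only the ones pointing at hosts that already have a certificate. The host names, paths and sample page are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs the browser fetches or submits to. On an HTTPS page,
# an http:// URL in one of these is mixed content and may be blocked.
FETCHED = {("script", "src"), ("img", "src"), ("iframe", "src"),
           ("link", "href"), ("source", "src"), ("form", "action")}

class HttpRefFinder(HTMLParser):
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.findings = []  # (line, tag, attr, url, kind, is_own_host)

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            url = urlsplit((value or "").strip())
            if url.scheme.lower() != "http":
                continue
            if (tag, attr) in FETCHED:
                kind = "mixed-content"
            elif (tag, attr) == ("a", "href"):
                kind = "navigation"   # plain link: works, but leaves HTTPS
            else:
                continue
            own = (url.hostname or "").lower() in self.own_hosts
            self.findings.append((self.getpos()[0], tag, attr, value, kind, own))

def find_http_refs(html, own_hosts):
    finder = HttpRefFinder(own_hosts)
    finder.feed(html)
    finder.close()
    return finder.findings

def upgrade_own_refs(html, own_hosts):
    """Rewrite http:// to https:// only for hosts known to serve a valid cert."""
    hosts = "|".join(re.escape(h) for h in sorted(own_hosts))
    # The lookahead stops look-alike hosts (www.example.com.other.net) and
    # explicit ports (host:8080) from being rewritten.
    pattern = re.compile(r"http://(" + hosts + r")(?=[/\"'?#\s>]|$)", re.IGNORECASE)
    return pattern.sub(r"https://\1", html)

# Constructed sample page; example.com and example.net are placeholder hosts.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://www.example.com/css/site.css">
<script src="http://cdn.example.net/lib.js"></script></head><body>
<a href="http://www.example.com/products.htm">Products</a>
<form action="http://www.example.com/search"><input name="q"></form>
</body></html>"""
```

Third-party references such as the constructed `cdn.example.net` script are reported but left untouched, since whether that host serves the same file over HTTPS has to be checked by hand.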
Originally Posted By: Matt Finley
So is there any plan by these browsers to eventually block access? I’m perfectly happy to ignore a cautionary message on sites I trust, especially when it’s public and security isn’t needed.

No one knows for sure but based on what I've seen over the last 23 or so years I'd guess they will continue to push this initiative and if a significant number of sites stay non-secure they will up the ante. Their next step will probably be to ship the browser with blocking of non-secure sites available but turned off by default. Then follow that with blocking set as the default.
.. yet somehow they'll still offer 'Incognito' as a feature ..
grin