A couple of weeks ago, I received an email from Google. It read:
Chrome will show security warnings on https://burningbird.net
To owner of https://burningbird.net,
Starting October 2017, Chrome (version 62) will show a “NOT SECURE” warning when users enter text in a form on an HTTP page, and for all HTTP pages in Incognito mode.
The following URLs on your site include text input fields (such as <input type="text"> or <input type="email">) that will trigger the new Chrome warning. Review these examples to see where these warnings will appear, so that you can take action to help protect users’ data. This list is not exhaustive.
The new warning is part of a long term plan to mark all pages served over HTTP as “not secure”.
Here’s how to fix this problem:
Migrate to HTTPS
To prevent the “Not Secure” notification from appearing when Chrome users visit your site, only collect user input data on pages served using HTTPS.
Like many web sites, mine contain an input field that people can use to search through articles. It’s this search field that triggered the warning.
To prevent the warning, I do have other options to follow in addition to the one that Google mandated. I could just remove the search field. No input field, no warning. Or I could just let people get the warning. However, the problem with the former is people will lose the ability to look for specific material; the problem with the latter is that the non-techs may be intimidated by the Google warning, and will then want nothing to do with the site. In the end, I don’t have much of a choice other than the one Google is mandating.
I had planned on moving my sites to HTTPS at the same time I’m making several other site changes. Now, though, I have to drop everything and prepare my sites for HTTPS now, because Google, who controls most of our web searches, as well as providing a popular web browsing tool, has given me an arbitrary deadline to make it so.
I’m not happy about the email, and from the Google forums, I’m not alone. None of us enjoys having Google mandate when we modify our sites. That all browsers issue a warning when people are entering sensitive information, such as passwords and credit card information in pages not protected with HTTPS is a no-brainer and no one would dispute this necessity. But Google isn’t selective: any input field is subject to the warning.
More important is Google’s implicit threat to chase everyone away from our sites at a future time if we don’t upgrade to HTTPS. It’s already doing so by downgrading the ranking of our sites on its search engine. Eventually, its plan is to blast out Danger, Will Robinson! Danger! notices for any web page not served by HTTPS.
Questioning Google on its decisions doesn’t do a bit of good. Recently, there’s been much discussion about a manifesto put out by a Google engineer that basically states women are too dumb and emotional for development. While the manifesto may or may not reflect Google culture, the engineer’s arrogant assumption that he knows best is not an outlier.
At the forums, we’re told how easy it is to upgrade to HTTPS; how anyone can do it in ten minutes or less. We’re directed to how-to web pages that make an amazing number of assumptions about the technical background of the reader.
Basically, we’re told to just shut up, and get it done because if we don’t, we’ll be pushed so far into the neverlands, we might as well not exist. And Google has the power to enforce its threats because we gave it the power to do so.
I, like others, have had web sites longer than Google has been in existence. We’ve had years of using different content management systems and/or building our own static HTML pages. We use both subdomains and multiple domains. Moving from HTTP to HTTPS is not simply a matter of flipping a switch and installing a bit of software.
I’ve been working on cleaning up my sites for a couple of months now, and I still have more clean up to do. I had planned on installing a digital certificate from Let’s Encrypt about the same time I planned on upgrading my Ubuntu installation and doing other long term maintenance and performance tasks.
I’ve been slowly copying my static HTML pages into my WordPress web site, deleting the old static page in the process. There are plugins for WordPress that can manage URL conversion for absolute URLs, which means I don’t have to deal with mixed content warnings or blocked content in these pages. But the thousands of static HTML pages are filled with absolute URLs utilizing the old HTTP protocol.
If you have a URL in a web page, such as http://burningbird.net/someresource, and you serve the page up using HTTPS, the person accessing the page is going to get a nasty warning about the insecurity of the page. Either that or the browser will block the content.
Trying to code a program to automatically modify these absolute URLs to relative ones isn’t likely to end well, so the options are to manually modify the page, or just trash it. For those of us who have been around decades, this can mean thousands of pages.
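Before deciding which of those pages to fix by hand, it helps to know which references actually matter. This is an added example, not code from the post: a small scanner that reports only embedded resources fetched over http:// (the ones a browser flags on an HTTPS page), splitting the active content that gets blocked from the passive content that only triggers the warning, and ignoring plain <a href> hyperlinks, which are navigation rather than mixed content. The sample page and its file paths are constructed for the example.

```python
"""Mixed-content audit for a static HTML page before an HTTP-to-HTTPS move."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Resources a browser refuses to load into an HTTPS page ("blockable").
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data"), ("link", "href")}
# Resources that still load but downgrade the padlock to a warning.
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class MixedContentScanner(HTMLParser):
    """Collects (severity, tag, url) for every absolute http:// resource reference."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # <link> only counts for stylesheets; <a href> never counts (navigation only).
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for pairs, severity in ((ACTIVE, "active"), (PASSIVE, "passive")):
            for t, a in pairs:
                url = attrs.get(a)
                if tag == t and url and urlsplit(url).scheme.lower() == "http":
                    self.findings.append((severity, tag, url))


def scan_html(html):
    """Return mixed-content findings for one page, blocked (active) ones first."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    return sorted(scanner.findings, key=lambda f: f[0] != "active")


# Constructed sample page: one blocked stylesheet, one warned image,
# one already-safe script, and one hyperlink that is not mixed content.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://burningbird.net/style.css">
<script src="https://burningbird.net/js/app.js"></script>
</head><body>
<img src="http://burningbird.net/images/bird.jpg">
<a href="http://burningbird.net/archives/2002/">old post</a>
</body></html>"""

if __name__ == "__main__":
    for severity, tag, url in scan_html(SAMPLE_PAGE):
        print(f"{severity:7} <{tag}> {url}")
```

Run it over each downloaded page to get a short list of the references that must be changed to https:// or relative paths; everything it does not report can be left alone.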
Now that Google has arbitrarily picked a date when I must make this change, I’m having to step up my game. I’ve downloaded all static pages to my PC. I don’t plan on reloading my oldest weblog, effectively trashing over 15 years of history. For the newer weblogs, I’ll add them to WordPress when I have spare time. In all cases, my server is spitting out 404 errors like a kid spits out watermelon seeds on a hot August afternoon.
(This is my way of saying that there will be dragons here for the next few weeks as I make all of the modifications I had planned on making over the Christmas holidays three months ahead of schedule.)
This implacable demand for security forgets an important element of the web: the personal web sites. These are sites maintained by people who don’t typically have a technical background. I do, but I still find the task to move my eclectic mess to HTTPS to be daunting. I can’t imagine what that Google email did to folks who have no web background.
In addition, many personal web sites are managed by a hosting company. The site owners usually don’t have SSH access, so manually installing a digital certificate isn’t an option. If they’re lucky, their hosting company provides a Let’s Encrypt option to turn on HTTPS support for no fee. Many hosting companies, though, use digital certificates as a source of income, making deals with certificate authorities to provide the certificates, skimming some coin from the top, and not allowing their customers to pick any other.
I’m sure the helpful people at Google will say, Oh well, then they should move their sites. They won’t understand that moving a web site from one host to another is just as intimidating to people as having to implement HTTPS.
The small personal web site is already an endangered Web species today, primarily thanks to Google’s search algorithms that value the commercial over the personal, the monetized over the free. Now, the latest of Google’s never-ending demands may lead to the shuttering of still more, as people decide they just can’t keep up with the geek taxes.
The web will have gained a small measure of extra security but will lose more of its diversity. I guess in the end, we are all Amazon.
What’s particularly ironic about the Google email is its format and content. People’s greatest risk from the internet is clicking on links in emails. Google’s email was full of them.