Must have SSL or dedicated IP address?

[Christian Trujillo]

I am a web developer and I was talking with a hosting provider we use for marketing sites and blogs, as we were discussing opening a new account we were told that google was looking at enforcing SSL or a dedicated IP address on each site otherwise you would be penalized. 

As I was doing more research on this I found this article:

https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure

If this is real and google will serously enforce this and penilize sites in my opinion it would be the STUPIDIEST (sorry) thing google has ever done. 

The reason why google's search engine is so big and popular as we all know, is for the quality of the results shown. This results are based on content and relevance. There are millions of website which contain the answers the user is looking for and most all of them dont have the budget to pay for an SSL cert a year. 

Google will loose this sites, its credibility and quality of results. I would personally move to Bing and will make sure to explain all my followers why. 

I cannot believe this is being considered. 

THIS COMMUNICATION IS INTENDED ONLY FOR THE USE OF THE INDIVIDUAL OR ENTITY TO WHICH IT IS ADDRESSED AND CONTAINS OR MAY CONTAIN INFORMATION THAT IS PRIVILEGED, CONFIDENTIAL OR EXEMPT FROM DISCLOSURE UNDER APPLICABLE LAW. If the reader of this communication is not the intended recipient (or the employee or agent responsible for delivering to the intended recipient), you are hereby notified that any dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please disregard and delete this communication, and do not disseminate or retain any copy of this communication.

[Vincent Lynch]

Google has never announced that there will be a penalty for sites that are not using SSL. They have only announced that SSL will be a *small* boost to rankings.

The word "penalty" does not appear anywhere on the page you linked.

SSL certificates are available for free through multiple providers. Let's Encrypt (www.letsencrypt.org) is the most popular of the free providers. 

(I am not affiliated with Google)

-Vincent

--
You received this message because you are subscribed to the Google Groups "Security-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-dev+unsubscribe@chromium.org.

--
Vincent Lynch

[Emily Schechter]

Per the response on the bug -- to be clear, this change is strictly about how the Chrome browser UI indicates the status of a page you're on (i.e. the lock icon next to HTTPS in the URL bar).

[Victor Costan]

Separately from Chrome's policy: your ISP might be trying to sell you things you don't need.

You can get SSL certificates for free from Let's Encrypt and StartSSL. You don't need a dedicated IP for SSL, thanks to SNI (Server Name Indication).

I hope this helps you migrate to SSL. If you care about your vistor count, you probably care about your site being shown to your visitors exactly as you intended it to be. Without SSL, you're vulnerable to things like ad injection, which could degrade your visitors' experience and negatively impact your retention rate.

Hope this helps,

    Victor

[Joseph Lorenzo Hall]

The search ranking bump that Google gives for https is so small (currently) as to not really make a difference... of course, there are a ton of good reasons to move to https regardless (we'll have some neat materials aimed at web sysadmins and their bosses later this week). best, How

--
Joseph Lorenzo Hall
Chief Technologist, Center for Democracy & Technology [https://www.cdt.org]
1401 K ST NW STE 200, Washington DC 20005-3497
e: j...@cdt.org, p: 202.407.8825, pgp: https://josephhall.org/gpg-key
Fingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871

Tech Prom, CDT's Annual Dinner, is April 20, 2017! https://cdt.org/annual-dinner