Still Not Secure in Chrome
-
Hi
We migrated to HTTPS in November - but we still aren't showing as Secure.
I thought it was due to there being an Insecure SHA-1 script in the SSL Certificate, so am waiting to get this fixed.
We had a few http links outstanding so they have been updated, but we're still getting the issue.
Does anyone have an idea of what it could be? https://www.key.co.uk/en/key/
-
I'm surprised to say... that SSL certificate you have is very poor quality and has a number of pretty significant security issues, in addition to the SHA-1 encryption.
To answer your specific question, there's nothing you or your devs can do about the SHA-1 encryption problem, as that problem exists on one of the certificates in the chain that is owned and controlled by Thawte (the cert issuer or "Certificate Authority"), not your own certificate. It is up to them to fix it.
As you can see from the cert security scan, there are a number of other issues with the certificate that are unacceptable. Especially in a paid certificate. [Edited for clarity - some of those warnings are likely server-specific, meaning the server is being allowed to communicate with certificate in less than optimal ways]
https://www.ssllabs.com/ssltest/analyze.html?d=www.key.co.uk
It's unlikely that the encryption problem is what's giving the "not secure" warning on the site at the moment (although it will become a major issue later in February) so you'll need to keep looking for resources called over HTTP if you're still getting warnings.
When I had a quick look at the home page, I didn't see any more warnings, as it appears you've fixed the image call that Andrew mentioned. You can use Chrome or Firefox Dev Tools to inspect any pages that are not secure to be shown exactly what element is causing the failure. It often comes down to hardcoded images like those in CSS/background images etc, or hardcoded scripts. For example, your Quotations page is calling a script from Microsoft to validate the form, but it's failing as it's called over HTTP.
Knowing this, you'd want to check any other pages using such form validation. A thorough Screaming Frog crawl to look for any other wayward HTTP calls can also help dig out the remaining random culprits.
Hope that helps?
Paul
Sidenote: Your certificate authority is Thawte, which is connected with Symantec, which has done such a bad job of securing their certificates that Chrome and other browsers no longer trust them, and in the near future they are going to be officially distrusted and ignored. Symantec has in fact given up their Certificate Authority status and is transferring their business to a new company which does have a trusted infrastructure for issuing certificates. So you're going to need to deal with a new certificate in the not too distant future anyway.
Given the poor security of your existing cert, and the upcoming issues, if it were me, I'd be asking for a refund of my current cert, and replacing it with one from a more reliable issuer. I know that can mean a lot of extra work, but as these existing problematic certs go through the distrust process over the next 8 months, sites that haven't dealt with the issue are going to break.
It's possible that Thawte will build out a reliable process for migrating. At the very least, you need to have a strong conversation with your issuer about how to ensure you are getting the security and long-term reliability you've paid for. Sorry to be the bearer of bad news that is a much bigger issue. You can read up about it more here:
https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html
-
Thank you.
Also, does anyone know if we need to rekey the SHA-1 signature algorithm, what we rekey it with or should my dev team know this?
-
I also got this report from https://www.whynopadlock.com
Soft Failure
An image with an insecure url of "http://www.key.co.uk/img/W/KEY/F7/IC/F7-112H204-1-LX.jpg" was loaded on line: 1 of https://www.key.co.uk/en/key.
Errors that are reported on line 1 are generally not part of the source code. This error may be caused by an external javascript file which is writing to the page, however we are unable to reliably detect these scripts in our automated test.
Please contact us using the "Need Help?" link below if you need assistance with resolving this error.
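An added example, not part of any post above: a small offline scanner for the hardcoded HTTP subresources (scripts, images, CSS backgrounds) that Paul describes and that the whynopadlock report flags. The sample page is constructed (only the image URL is taken from the report), and `find_mixed_content` and `MixedContentFinder` are names chosen here.

```python
import re
from html.parser import HTMLParser

# Browsers block insecure loads from these tags (active); images/media are passive.
ACTIVE = {"script", "iframe", "frame", "embed", "track", "link"}
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.I)

# Constructed sample page; only the image URL comes from the report above.
SAMPLE = """<html><head>
<style>.hero { background: url('http://img.example/hero.png'); }</style>
<script src="http://cdn.example/validate.js"></script>
</head><body>
<a href="http://www.key.co.uk/old-page">plain link, not a subresource</a>
<img src="http://www.key.co.uk/img/W/KEY/F7/IC/F7-112H204-1-LX.jpg">
</body></html>"""

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, kind, url)
        self._in_style = False

    def _add(self, tag, kind, url):
        self.findings.append((self.getpos()[0], tag, kind, url))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self._in_style = self._in_style or tag == "style"
        urls = [attrs.get("src"), attrs.get("poster")]  # <a href> is navigation
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            urls.append(attrs.get("href"))
        for value in urls:
            if (value or "").strip().lower().startswith("http://"):
                self._add(tag, "active" if tag in ACTIVE else "passive", value.strip())
        for url in CSS_URL.findall(attrs.get("style") or ""):
            self._add(tag, "css", url)  # inline style="..." attribute

    def handle_endtag(self, tag):
        self._in_style = self._in_style and tag != "style"

    def handle_data(self, data):
        if self._in_style:  # hardcoded url(http://...) inside a <style> block
            for url in CSS_URL.findall(data):
                self._add("style", "css", url)

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings
```

This only sees static markup, so a resource written into the page by an external script (the "line 1" case in the report) will not appear here and still needs the browser's dev tools.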