While there’s wide HTTPS adoption today, HTTP content on secure pages still persists. Google has been working to stamp that out, and Chrome is now turning its attention to and warning about insecure forms.
These “mixed forms” (forms on HTTPS sites that do not submit on HTTPS) are a risk to users’ security and privacy. Information submitted on these forms can be visible to eavesdroppers, allowing malicious parties to read or change sensitive form data.
The Google browser today removes the address bar’s lock icon from sites with mixed forms. However, this proved to deliver an “unclear” experience that “did not effectively communicate the risks associated with submitting data in insecure forms.”
Starting in version 86, due to hit stable in October, Chrome will provide a more aggressive warning about insecure forms. Autofill will be disabled, but the built-in password manager will continue to offer “unique passwords.” The company argues it’s safer than reusing credentials.
Next, the form will show red warning text underneath the field: “This form is not secure. Autofill has been turned off. The last measure will throw up a full-page warning communicating the potential risks. It gives users an option to cancel the action, but there will be a “Send anyway” button.
Site developers are encouraged to “fully migrate forms on their site to HTTPS to protect their users.”
Developers with questions are welcome to email us at security-dev@chromium.org.
Other initiatives in this vein include:
- Chrome furthering HTTPS push by blocking insecure ‘mixed content’
- Chrome to gradually block insecure downloads on HTTPS page
FTC: We use income earning auto affiliate links. More.
Comments