Become a fan of Slashdot on Facebook

 


Forgot your password?
Close
typodupeerror
×
Chrome Google Security

Chrome 86 Will Warn Users About Insecure Forms On HTTPS Pages (9to5google.com) 37

Posted by BeauHD from the risky-text-boxes dept.
While there's wide HTTPS adoption today, HTTP content on secure pages still persists. Google has been working to stamp that out, and Chrome is now turning its attention to and warning about insecure forms. "These 'mixed forms' (forms on HTTPS sites that do not submit on HTTPS) are a risk to users' security and privacy," says Google in a blog post. "Information submitted on these forms can be visible to eavesdroppers, allowing malicious parties to read or change sensitive form data." 9to5Google reports: The Google browser today removes the address bar's lock icon from sites with mixed forms. However, this proved to deliver an "unclear" experience that "did not effectively communicate the risks associated with submitting data in insecure forms." Starting in version 86, due to hit stable in October, Chrome will provide a more aggressive warning about insecure forms. Autofill will be disabled, but the built-in password manager will continue to offer "unique passwords." The company argues it's safer than reusing credentials. Next, the form will show red warning text underneath the field: "This form is not secure. Autofill has been turned off. The last measure will throw up a full-page warning communicating the potential risks. It gives users an option to cancel the action, but there will be a "Send anyway" button.
This discussion has been archived. No new comments can be posted.

Chrome 86 Will Warn Users About Insecure Forms On HTTPS Pages More

Chrome 86 Will Warn Users About Insecure Forms On HTTPS Pages

Comments Filter:
  • To post to http from https. I hope a web developer gets fired over this.

    • I am sure that Firefox was warning about these things years ago, and they were hardly the first.

    • what about IPMI and others with self singed certs?

    • For the most part when I see code that does this.
      * The person who wrote the code is often the Boss/Founder of the business or a close personal aquance of them.
      * A really old program often coded in the late 1990's and was just handed over to a system administrator to upgrade the server to run https, as long as it works they never had him, or a developer review the code.
      * Coded by the guy who has been doing Cobol Coding for the last 50 years (Not to discredit everyone who has been doing cobol coding, as many

      • To expand on your thoughts: Firing people that make expensive mistakes doesn't prevent further expensive mistakes from happening. Further, once a mistake has happened, you've already paid the price for the lesson. Firing the guy that initiated the lesson is just punitive and would make the remaining employees more likely to hide issues rather than own up to them, leading to internal corruption and an inability to identify and learn from mistakes.

    • There are cases where this is kind of necessary, for example checking for client connectivity for routers next to you, (you can't get a response if the site is self signed) it is hard to get routers that only have IP non internet IP addresses or domain names to have a valid SSL certificate, you need to set up your own certificate authority, and when you change the routers IP address you need to generate an new certificate, so the router needs to sign the new cert, that is a security risk in itself, since yo

    • Re: (Score:2)

      by NFN_NLN ( 633283 )

      > To post to http from https. I hope a web developer gets fired over this.

      HR> Sorry h33t l4x0r we're going to have to let you go. Company policy on posting to http forms.

      But it was a tutorial site on basic http form posting. If a user put sensitive data in, that's on them.

      HR> Yeah, we don't disagree with the logic or this case. No one actually sent any data, and of course there was no resulting DLP event. Unfortunately we have a zero tolerance policy and this was caught by our automated scan to

  • This will mostly affect corporate web apps (Score:3)

    by xack ( 5304745 ) on Tuesday August 18, 2020 @06:07AM (#60413895)
    Who still haven’t learned their,lesson from the IE6 days. I bet they will even go back to IE after this because IE is less “whiny” about bad security.

    • Re: (Score:2)

      by AmiMoJo ( 196126 )

      Microsoft is killing IE and the old Edge off, so even corps only have a few years before the LTS versions of Windows 10 force-uninstall them

      Anyway corps should have this sorted out by now. Just issue their own cert. Stops some phishing attacks too.

    • I remember back in the 1990's where I had a web developer prefer IE over Netscape. Because with IE if you didn't properly code your closing tags, it would guess what your intent was. for example if you are doing a Table tag (I am going to be lazy and not use the escape values) and did a tr td data td data tr td data td data /table
      It may actually render a proper table. Of course this meant slower rendering speed as it needed to guess your context. as well it may do odd things later on if you needed to do

  • Only now? (Score:5, Insightful)

    by _merlin ( 160982 ) on Tuesday August 18, 2020 @06:31AM (#60413911) Homepage Journal

    I'm pretty sure Opera used to warn about this back in '98, as well as blocking mixed content (e.g. not displaying images loaded over HTTP on an HTTPS page, which affected the login page for their own OperaMail). Why did browsers stop warning about this stuff, and why has it taken so long for them to start warning about it again?

    • HTTPS Everywhere add-on by EFF has options to either load mixed content, warn about it, or block it silently.

      • I wish browsers (at least Chrome) would give us a flag that defaults to https instead of http. Right now when you type www.example.com, the browser just assumes http. If a site supports https, it will often redirect for you - but not always. I think there is a website that lists the top 100 websites (according to Alexa) that don't redirect. They will just serve you a version of the site over http.

        Why not a flag or full-blown setting that changes it from default-http to default-https? Until then, yeah the

        • Re: (Score:2)

          by tepples ( 727027 )

          The websites you're thinking of are Why No HTTPS [whynohttps.com] and Why No IPv6 [whynoipv6.com]. And they appear to have dropped Alexa rank in favor of Tranco rank.

          But are things like routerlogin.net and 192.168.0.1 included in Tranco rank? Because home routers, printers, and NAS appliances lack a globally unique name, their web-based administration interfaces can't obtain a certificate from any TLS CA that the major web browsers trust by default.

    • Probably about the time SGML rules were relaxed to make way for the ill-formed HTML5 standard. We spent years pushing XHTML, and things improved a lot, but once the hype died down and HTML5 finally arrived, people basically stopped caring about standards and doing things the right way.

    • Re: (Score:2)

      by antdude ( 79039 )

      SeaMonkey still warn these days.

  • Comment removed based on user account deletion

    • What about providing warnings about when SNI is not encrypted and to help users enable Encrypted-SNI(ESNI) like Firefox can?
      Firefox Encrypted-SNI(ESNI) is so strong at privacy, China's GFW blocks connections using ESNI.

      But only if it's trivial to turn off

      Because I'm more worried about filtering _outgoing_ traffic that I don't approve of than anyone eavesdropping on my rather boring web traffic.

    • What about providing warnings about when SNI is not encrypted

      No thanks. ESNI is already dead. I don't want browsers adopting draft proposals marked as experimental by the IETF.

      to help users enable Encrypted-SNI(ESNI) like Firefox can?

      Firefox will abandon ESNI because they stupidly jumped the gun and implemented something that will not become a standard. Not only was ESNI in draft, it won't be taken forward and was superseded by ECH 6 weeks ago: https://datatracker.ietf.org/d... [ietf.org]

      Give the world time, stop jumping on every shiny new thing you read an article about. Browsers adopting things which weren't even a proposed standard

  • Warning: whatever you fill in in that form will be transmitted to Google

  • Chrome is just the worst. I've been building and configuring computers for 35+ years. Had the pleasure of cleaning a friend's laptop recently of bloatware, temp files, etc.. and do a tune up for speed. The laptop is only 5 years old, so still good for net. The LARGEST speed boost came from removing Chrome and all its related bloat and installing Firefox with uBlock Origin, Ghostery, New Tab Override, and Google Analytics Optout addons. Laptop runs better than the day it was new. Chrome is the new IE6.

  • Does this mean finally undoing the reverse bug? (Score:4, Interesting)

    by holophrastic ( 221104 ) on Tuesday August 18, 2020 @11:21AM (#60414667)

    They started warning my visitors of forms on http pages that were being sent to https pages.

    I had public pages insecure (because why oh why would you want to slow down connections to completely public content), and I had my forms submitting to secure pages (to keep the content secure).

    But chrome, and other browsers, stupidly required me to slow down the form page itself also, I guess to prove that I could create secure pages in general?!

    Doesn't matter anymore. The entire web is slow for https now. It's ridiculous. I can scatter a million paper pamphlets from an airplane, but put the same content on a web page, and it needs to be secure. Thanks.

  • this isn't in place already?!
  • They can only be secure or unsecured.
  • Can't leave a few tabs open overnight without having to restart my computer once I'm back - have been using Chrome since about 2011-ish - please fix!

Slashdot Top Deals

Truly simple systems... require infinite testing. -- Norman Augustine

Close