Chrome 86 Will Warn Users About Insecure Forms On HTTPS Pages (9to5google.com)

While there's wide HTTPS adoption today, HTTP content on secure pages still persists. Google has been working to stamp that out, and Chrome is now turning its attention to and warning about insecure forms. "These 'mixed forms' (forms on HTTPS sites that do not submit on HTTPS) are a risk to users' security and privacy," says Google in a blog post. "Information submitted on these forms can be visible to eavesdroppers, allowing malicious parties to read or change sensitive form data." 9to5Google reports: The Google browser today removes the address bar's lock icon from sites with mixed forms. However, this proved to deliver an "unclear" experience that "did not effectively communicate the risks associated with submitting data in insecure forms." Starting in version 86, due to hit stable in October, Chrome will provide a more aggressive warning about insecure forms. Autofill will be disabled, but the built-in password manager will continue to offer "unique passwords." The company argues it's safer than reusing credentials. Next, the form will show red warning text underneath the field: "This form is not secure. Autofill has been turned off." The last measure will throw up a full-page warning communicating the potential risks. It gives users an option to cancel the action, but there will be a "Send anyway" button.
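The check Chrome 86 applies is simple to reproduce: a form is "mixed" when the document is served over https: but the form's resolved submission URL is http:. The example below is added here and is not code from the article, Google's blog post or Chromium; it uses the standard WHATWG URL API (available in browsers and Node.js) and a constructed list of forms, and it covers the resolution cases a site audit has to get right: relative, empty and scheme-relative actions.

```javascript
// Added example (not from the article or Chromium): flag forms on an https:
// document that would submit over http:, the condition Chrome 86 warns about.

// Resolve a form's action against the document URL following the HTML rules:
// a missing or empty action submits to the document's own URL.
function resolveFormAction(documentUrl, action) {
  if (action === undefined || action === null || action.trim() === "") {
    return new URL(documentUrl);
  }
  return new URL(action.trim(), documentUrl);
}

// A form is "mixed" when the page is https: but the form submits over http:.
// Forms on plain http: pages are not mixed (the page itself is already insecure),
// and non-http(s) actions such as mailto: are not flagged either.
function isMixedForm(documentUrl, action) {
  const page = new URL(documentUrl);
  const target = resolveFormAction(documentUrl, action);
  return page.protocol === "https:" && target.protocol === "http:";
}

// Scan a list of {id, action} records and return the ids of forms that
// would trigger the warning.
function findMixedForms(documentUrl, forms) {
  return forms
    .filter((f) => isMixedForm(documentUrl, f.action))
    .map((f) => f.id);
}

// Constructed sample: an https: checkout page with the kinds of form actions
// an audit of a real site typically encounters (hostnames are placeholders).
const SAMPLE_PAGE = "https://shop.example/checkout";
const SAMPLE_FORMS = [
  { id: "login", action: "/login" },                        // relative: inherits https:
  { id: "search", action: "http://shop.example/search" },   // absolute http: -> mixed
  { id: "newsletter", action: "//legacy.example/subscribe" }, // scheme-relative: inherits https:
  { id: "feedback", action: "" },                           // empty: submits to the page itself
  { id: "partner", action: "http://partner.example/track" }, // third-party http: -> mixed
];

// In a browser the same scan runs over the live DOM, e.g. from the console:
//   findMixedForms(location.href,
//     [...document.forms].map(f => ({ id: f.id, action: f.getAttribute("action") })));
```

The DOM variant above reads only the form's own action attribute; a submit button's formaction attribute can override it, so a thorough audit should resolve those too.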
  • To post to http from https. I hope a web developer gets fired over this.
    • I am sure that Firefox was warning about these things years ago, and they were hardly the first.

• What about IPMI and others with self-signed certs?

• For the most part, when I see code that does this:
      * The person who wrote the code is often the Boss/Founder of the business or a close personal acquaintance of theirs.
      * A really old program, often coded in the late 1990's, that was just handed over to a system administrator to upgrade the server to run https; as long as it works, they never had him or a developer review the code.
      * Coded by the guy who has been doing Cobol Coding for the last 50 years (Not to discredit everyone who has been doing cobol coding, as many

      • To expand on your thoughts: Firing people that make expensive mistakes doesn't prevent further expensive mistakes from happening. Further, once a mistake has happened, you've already paid the price for the lesson. Firing the guy that initiated the lesson is just punitive and would make the remaining employees more likely to hide issues rather than own up to them, leading to internal corruption and an inability to identify and learn from mistakes.
• There are cases where this is kind of necessary, for example checking for client connectivity for routers next to you (you can't get a response if the site is self-signed). It is hard to get routers that only have non-internet IP addresses or domain names to have a valid SSL certificate; you need to set up your own certificate authority, and when you change the router's IP address you need to generate a new certificate, so the router needs to sign the new cert, which is a security risk in itself, since yo

    • by NFN_NLN ( 633283 )

      > To post to http from https. I hope a web developer gets fired over this.

      HR> Sorry h33t l4x0r we're going to have to let you go. Company policy on posting to http forms.

      But it was a tutorial site on basic http form posting. If a user put sensitive data in, that's on them.

      HR> Yeah, we don't disagree with the logic or this case. No one actually sent any data, and of course there was no resulting DLP event. Unfortunately we have a zero tolerance policy and this was caught by our automated scan to

  • by xack ( 5304745 ) on Tuesday August 18, 2020 @05:07AM (#60413895)
Who still haven't learned their lesson from the IE6 days. I bet they will even go back to IE after this because IE is less "whiny" about bad security.
    • by AmiMoJo ( 196126 )

Microsoft is killing IE and the old Edge off, so even corps only have a few years before the LTS versions of Windows 10 force-uninstall them.

      Anyway corps should have this sorted out by now. Just issue their own cert. Stops some phishing attacks too.

• I remember back in the 1990's when I had a web developer prefer IE over Netscape, because with IE, if you didn't properly code your closing tags, it would guess what your intent was. For example, if you are doing a Table tag (I am going to be lazy and not use the escape values) and did a tr td data td data tr td data td data /table
      it may actually render a proper table. Of course this meant slower rendering speed, as it needed to guess your context, and it may do odd things later on if you needed to do

  • Only now? (Score:5, Insightful)

    by _merlin ( 160982 ) on Tuesday August 18, 2020 @05:31AM (#60413911) Homepage Journal

    I'm pretty sure Opera used to warn about this back in '98, as well as blocking mixed content (e.g. not displaying images loaded over HTTP on an HTTPS page, which affected the login page for their own OperaMail). Why did browsers stop warning about this stuff, and why has it taken so long for them to start warning about it again?

    • HTTPS Everywhere add-on by EFF has options to either load mixed content, warn about it, or block it silently.

      • I wish browsers (at least Chrome) would give us a flag that defaults to https instead of http. Right now when you type www.example.com, the browser just assumes http. If a site supports https, it will often redirect for you - but not always. I think there is a website that lists the top 100 websites (according to Alexa) that don't redirect. They will just serve you a version of the site over http.

        Why not a flag or full-blown setting that changes it from default-http to default-https? Until then, yeah the
        • by tepples ( 727027 )

          The websites you're thinking of are Why No HTTPS [whynohttps.com] and Why No IPv6 [whynoipv6.com]. And they appear to have dropped Alexa rank in favor of Tranco rank.

          But are things like routerlogin.net and 192.168.0.1 included in Tranco rank? Because home routers, printers, and NAS appliances lack a globally unique name, their web-based administration interfaces can't obtain a certificate from any TLS CA that the major web browsers trust by default.

    • Probably about the time SGML rules were relaxed to make way for the ill-formed HTML5 standard. We spent years pushing XHTML, and things improved a lot, but once the hype died down and HTML5 finally arrived, people basically stopped caring about standards and doing things the right way.

    • by antdude ( 79039 )

SeaMonkey still warns these days.

  • Comment removed based on user account deletion
    • What about providing warnings about when SNI is not encrypted and to help users enable Encrypted-SNI(ESNI) like Firefox can?
      Firefox Encrypted-SNI(ESNI) is so strong at privacy, China's GFW blocks connections using ESNI.

      But only if it's trivial to turn off

      Because I'm more worried about filtering _outgoing_ traffic that I don't approve of than anyone eavesdropping on my rather boring web traffic.

• > What about providing warnings about when SNI is not encrypted

      No thanks. ESNI is already dead. I don't want browsers adopting draft proposals marked as experimental by the IETF.

> to help users enable Encrypted-SNI(ESNI) like Firefox can?

      Firefox will abandon ESNI because they stupidly jumped the gun and implemented something that will not become a standard. Not only was ESNI in draft, it won't be taken forward and was superseded by ECH 6 weeks ago: https://datatracker.ietf.org/d... [ietf.org]

Give the world time; stop jumping on every shiny new thing you read an article about. Browsers adopting things which weren't even a proposed standard

  • Warning: whatever you fill in in that form will be transmitted to Google

  • Chrome is just the worst. I've been building and configuring computers for 35+ years. Had the pleasure of cleaning a friend's laptop recently of bloatware, temp files, etc.. and do a tune up for speed. The laptop is only 5 years old, so still good for net. The LARGEST speed boost came from removing Chrome and all its related bloat and installing Firefox with uBlock Origin, Ghostery, New Tab Override, and Google Analytics Optout addons. Laptop runs better than the day it was new. Chrome is the new IE6.
  • by holophrastic ( 221104 ) on Tuesday August 18, 2020 @10:21AM (#60414667)

    They started warning my visitors of forms on http pages that were being sent to https pages.

    I had public pages insecure (because why oh why would you want to slow down connections to completely public content), and I had my forms submitting to secure pages (to keep the content secure).

    But chrome, and other browsers, stupidly required me to slow down the form page itself also, I guess to prove that I could create secure pages in general?!

    Doesn't matter anymore. The entire web is slow for https now. It's ridiculous. I can scatter a million paper pamphlets from an airplane, but put the same content on a web page, and it needs to be secure. Thanks.

  • this isn't in place already?!
  • They can only be secure or unsecured.
• Can't leave a few tabs open overnight without having to restart my computer once I'm back. Have been using Chrome since about 2011-ish. Please fix!
