Chrome 57 Will Bring More Severe Warning for Unsecure Forms
An In-Form Warning Will Provide Better Protection to Users.
We recently reported on the “Not Secure” warning which Google added for any HTTP page that contains a login field or credit card form.
Well, if you run a site that is still on HTTP and thought that was bad, the newest version of Google Chrome is about to make it worse. The Chrome 57 browser warnings for HTTP forms will be even more severe.
In addition to the “Not Secure” warning in the address bar, an in-form warning will also appear directly below the fields. This will make the warning significantly more noticeable to end users and hopefully help them avoid insecure transmission of their data.
The Chrome 57 browser warnings make it quite clear: do NOT submit your private info on insecure pages.
You can see a preview of this in-form warning above. At the bottom of this post we included a screenshot of this warning on a real (but un-named) eCommerce site that is still using HTTP, just to give you a better sense of how this looks on an actual website.
Clicking the warning opens the Origin Info Box (the pane that opens when you click the padlock) which has a more verbose warning that reads, “You should not enter any sensitive information on this site (for example, passwords or credit cards), because it could be stolen by attackers.”
Chrome 57 is scheduled for release on March 14th.
If you want to test this for yourself, you can turn this behavior on now by setting a flag in Chrome Beta 57 or Canary 58/59. To turn it on:
- Run Chrome Beta or Canary. Download either if you do not already have it.
- Navigate to chrome://flags
- Press Ctrl + F (Cmd + F on Mac) to open the Find dialog and search for “enable-http-form-warning” which will bring you to the flag you want to edit: “Show in-form warnings for sensitive fields when the top-level page is not HTTPS”
- Change the option to “Enabled.”
- Press “Relaunch Now” at the bottom
- Navigate to http://http-login.badssl.com/ to test the in-form warning
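Site owners can look for affected pages before users see the warning. The following is an added example, not code from this post or from Chrome: it flags password and credit card fields on pages whose top-level URL is not HTTPS. The field heuristics (`type="password"`, `autocomplete` tokens starting with `cc-`), the `audit_page` helper and the sample markup are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class SensitiveFieldFinder(HTMLParser):
    """Collects fields that look like login or credit card inputs.

    Assumption: "sensitive" means a password input, or any field whose
    autocomplete value contains a "cc-" token (the HTML credit card tokens).
    Chrome's own detection is not described in this post and may differ.
    """

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "select", "textarea"):
            return
        a = {k: (v or "") for k, v in attrs}
        name = a.get("name") or a.get("id") or "<unnamed>"
        tokens = a.get("autocomplete", "").lower().split()
        if tag == "input" and a.get("type", "").lower() == "password":
            self.found.append((name, "password"))
        elif any(tok.startswith("cc-") for tok in tokens):
            self.found.append((name, "credit card"))


def audit_page(url, html):
    """Return (field, kind) pairs on a page whose top-level URL is not HTTPS."""
    if urlsplit(url).scheme == "https":
        return []  # the warning only applies to non-HTTPS top-level pages
    finder = SensitiveFieldFinder()
    finder.feed(html)
    return finder.found


# Constructed sample markup. The first form posts to an HTTPS endpoint, but
# the page itself is what matters, so it is still flagged when served over HTTP.
SAMPLE_HTML = """
<form action="https://shop.example/login" method="post">
  <input type="text" name="user">
  <input type="PASSWORD" name="pass">
</form>
<form action="/pay">
  <input name="card" autocomplete="cc-number">
  <select name="exp-month" autocomplete="cc-exp-month"></select>
</form>
"""

if __name__ == "__main__":
    for url in ("http://shop.example/checkout", "https://shop.example/checkout"):
        print(url, "->", audit_page(url, SAMPLE_HTML) or "no warning expected")
```

Feed it the HTML your server returns for each URL; the fix for every hit is to serve the whole page over HTTPS, not only the form's submit target.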