An In-Form Warning Will Provide Better Protection to Users.
We recently reported on the “Not Secure” warning which Google added for any HTTP page that contains a login field or credit card form.
Well, if you run a site that is still on HTTP and thought that was bad, the newest version of Google Chrome is about to make it worse. The Chrome 57 browser warnings for HTTP forms will be even more severe.
In addition to the “Not Secure” warning in the address bar, an in-form warning will also appear directly below the fields. This will make the warning significantly more noticeable to end users and hopefully help them avoid insecure transmission of their data.
The Chrome 57 browser warnings make it quite clear: do NOT submit your private info on insecure pages.
You can see a preview of this in-form warning above. At the bottom of this post we included a screenshot of this warning on a real (but unnamed) eCommerce site that is still using HTTP, just to give you a better sense of how this looks on an actual website.
Clicking the warning opens the Origin Info Box (the pane that opens when you click the padlock) which has a more verbose warning that reads, “You should not enter any sensitive information on this site (for example, passwords or credit cards), because it could be stolen by attackers.”
Chrome 57 is scheduled for release on March 14th.
If you want to test this for yourself, you can turn this behavior on now by setting a flag in Chrome Beta 57 or Canary 58/59. To turn it on:
- Run Chrome Beta or Canary. Download either if you do not already have it.
- Navigate to chrome://flags
- Press Ctrl + F (Cmd + F on Mac) to open the Find dialog and search for “enable-http-form-warning”, which will bring you to the flag you want to edit: “Show in-form warnings for sensitive fields when the top-level page is not HTTPS”
- Change the option to “Enabled.”
- Press “Relaunch Now” at the bottom
- Navigate to http://http-login.badssl.com/ to test the in-form warning
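If you run a site and want to know which of your pages will trigger this warning before your visitors see it, the check is simple to script. The example below is added here (it is not Chrome's code or part of the original post) and approximates Chrome's rule as described above: the page's top-level scheme must be HTTP, and the page must contain a password field or a credit-card field; card fields are recognised here only by the standard HTML autocomplete tokens, which is a simplification of Chrome's autofill heuristics. The sample pages and hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# HTML autocomplete tokens for card data (a simplification of Chrome's autofill heuristics)
CC_AUTOCOMPLETE = {"cc-number", "cc-csc", "cc-exp", "cc-exp-month", "cc-exp-year", "cc-name"}


class SensitiveFieldFinder(HTMLParser):
    """Collects <input> elements that look like password or credit-card fields."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k.lower(): (v or "").lower() for k, v in attrs}
        kind = None
        if a.get("type") == "password":
            kind = "password"
        elif a.get("autocomplete") in CC_AUTOCOMPLETE:
            kind = "credit-card"
        if kind:
            self.fields.append((kind, a.get("name") or a.get("id") or "<unnamed>"))


def in_form_warnings(page_url, html):
    """Return the sensitive fields Chrome 57 would flag on this page.

    The warning keys on the scheme of the top-level page, so a form that
    posts to an https:// action from an http:// page is still flagged.
    """
    if urlsplit(page_url).scheme.lower() == "https":
        return []
    finder = SensitiveFieldFinder()
    finder.feed(html)
    return finder.fields


# Constructed sample pages (not taken from any real site).
LOGIN_HTML = """<form action="https://shop.example/session" method="post">
  <input name="user" type="text"><input name="pw" type="password"></form>"""
CHECKOUT_HTML = """<form action="/pay" method="post">
  <input name="cardnum" autocomplete="cc-number">
  <input name="cvc" autocomplete="cc-csc"><input name="note" type="text"></form>"""

if __name__ == "__main__":
    for url, html in [("http://shop.example/login", LOGIN_HTML),
                      ("http://shop.example/checkout", CHECKOUT_HTML),
                      ("https://shop.example/checkout", CHECKOUT_HTML)]:
        print(url, "->", in_form_warnings(url, html) or "no in-form warning")
```

Note that the login form above posts to an HTTPS action and is still flagged, because the page that hosts it is served over HTTP; moving the whole page to HTTPS is the only fix.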