Google Chrome 62 is here, the Not Secure warning? Not so much

Google’s new insecure forms warning for HTTPS sites is still in testing.

Many internet users viewed Chrome 62 as the deadline to install an SSL certificate on your website if you had any forms. After all, Google had advertised its Not Secure warning as arriving in this version on its own security blog. But Chrome 62 is out and the Not Secure warning is nowhere to be found.

So what gives?

Google Chrome isn’t a traditional piece of software. Here’s how Eric Lawrence describes it on his blog TextSlashPlain:

What isn’t mentioned in the blog post is exactly how this feature will roll out– many readers naturally assume that it’s as simple as: “If you have Chrome 62, then this feature is present.” After all, that’s how software usually works.

In Chrome, things are more interesting. Where possible, Chrome rolls out new features dynamically using the Field Trials platform. You can think of Field Trials as a set of server-controlled flags that allow Google to change Chrome’s behavior dynamically, at runtime, without shipping a new version.

Lawrence goes on to explain that Field Trials are used for two things:

  1. Experimentation
  2. Rollouts

Google’s Insecure Fields warning is still in field testing

When Google tests a new feature, it creates small test groups and compares their telemetry against a control group. If the feature performs well, it's considered for rollout in Chrome Stable. Traditionally Chrome performs these tests on its development channels (Canary, Dev & Beta).

Where things get tricky is the rollout itself. Even with substantial testing, it's still possible to miss flaws and bugs. Field testing allows Google to roll a feature out to a substantial number of its users that is still only a small percentage of the total. Then Google can calibrate everything in Stable to ensure the rollout goes smoothly before ramping up the percentage for a complete release.

If anything goes terribly wrong, the field testing also lets Google tamp things down quickly.

As for the Not Secure/Insecure Forms warning, it will be here soon.

Rest assured that I’m eager to push the new Not Secure warnings to 100% and I expect to get to do so very soon. If you just can’t wait, you can override the field trial and turn it on yourself by changing chrome://flags/#mark-non-secure-as and restarting Chrome.

  • Looks like the warning pops in once you start filling out the form on an insecure page. It’s small, but it’s there in the first release – version 62.0.3202.62

    • The warning isn’t there for most folks unless you specifically go in and twiddle the settings. Makes you ponder what other major features Google can turn on and off at will from their server side…

    • If you go on Incognito you can see this is already switched on by default. I’d anticipate the flags will be switched to match what is on Incognito in the turn of the year.

  • Any idea when / if Explorer will have similar warnings?
    LOTS of info out there about Chrome – but haven’t seen much regarding IE?

    • Microsoft is much more tight-lipped about its plans and direction. Google and Mozilla tend to announce things first to try to guide the industry where they want, Apple and Microsoft generally follow suit but are far less vocal.



Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.