Google’s new insecure forms warning for HTTPS sites is still in testing.
Many internet users viewed Chrome 62 as the deadline to install an SSL certificate on any website that has forms. After all, Google had advertised its Not Secure warning as arriving in this version on its own security blog. But Chrome 62 is out and the Not Secure warning is nowhere to be found.
So what gives?
Google Chrome isn’t a traditional piece of software. Here’s how Eric Lawrence describes it on his blog TextSlashPlain:
What isn’t mentioned in the blog post is exactly how this feature will roll out – many readers naturally assume that it’s as simple as: “If you have Chrome 62, then this feature is present.” After all, that’s how software usually works.
In Chrome, things are more interesting. Where possible, Chrome rolls out new features dynamically using the Field Trials platform. You can think of Field Trials as a set of server-controlled flags that allow Google to change Chrome’s behavior dynamically, at runtime, without shipping a new version.
Lawrence goes on to explain that Field Trials are used for two things:
Google’s Insecure Fields warning is still in field testing
When Google tests a new feature, it creates small test groups and compares their telemetry against a control group. If the feature performs well, it’s considered for rollout in Chrome stable. Traditionally Chrome performs these tests on its developmental browsers (Canary, Dev & Beta).
Where things get tricky is the rollout itself. Even with substantial testing, it’s still possible to miss flaws and bugs. Field testing lets Google roll a feature out to a substantial number of users that is still a small percentage of the total. Then Google can calibrate everything in Stable to ensure the rollout goes smoothly before ramping up the percentage for a complete release.
If anything goes terribly wrong, the field testing also lets Google tamp things down quickly.
As for the Not Secure/Insecure Forms warning, it will be here soon.
Rest assured that I’m eager to push the new Not Secure warnings to 100% and I expect to get to do so very soon. If you just can’t wait, you can override the field trial and turn it on yourself by changing chrome://flags/#mark-non-secure-as and restarting Chrome.