Google Warns Webmasters About Insecure HTTP Web Forms (searchengineland.com)

In April Chrome began marking HTTP pages as "not secure" in its address bar if the pages had password or credit card fields. They're about to take the next step. An anonymous reader quotes SearchEngineLand: Last night, Google sent email notifications via Google Search Console to site owners that have forms on web pages over HTTP... Google said, "Beginning in October 2017, Chrome will show the 'Not secure' warning in two additional situations: when users enter data on an HTTP page, and on all HTTP pages visited in Incognito mode."
Google warned in April that "Our plan to label HTTP sites as non-secure is taking place in gradual steps, based on increasingly broad criteria. Since the change in Chrome 56, there has been a 23% reduction in the fraction of navigations to HTTP pages with password or credit card forms on desktop, and we're ready to take the next steps..."

"Any type of data that users type into websites should not be accessible to others on the network, so starting in version 62 Chrome will show the 'Not secure' warning when users type data into HTTP sites."

11 of 94 comments

  1. Chrome copies Firefox ... Again by narcc · · Score: 4, Informative

    Firefox added a warning a while ago. It's no surprise Google would follow suit.

    Chrome is really turning into a slow, bloated, spyware-ridden Firefox clone.

    1. Re:Chrome copies Firefox ... Again by Gravis+Zero · · Score: 5, Informative

      Chrome is really turning into a slow, bloated, spyware-ridden Firefox clone.

      Yeah, just like that time Chrome copied the Firefox layout and then dropped support for its own extensions in favor of Firefox extensions. Oh wait. ;)

      --
      Anons need not reply. Questions end with a question mark.
    2. Re:Chrome copies Firefox ... Again by Z00L00K · · Score: 2

      You spelled Lynx wrong.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  2. Re:HTTPS is stupid by Gaygirlie · · Score: 3, Informative

    What the hell are you babbling about? SSL-certificates aren't tied to IP-addresses, they're tied to domain-names! Hell, you can have hundreds of HTTPS-sites served by a single Apache-server with a single IP-address, all with different SSL-certificates, by using SNI!
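
As an added example (not from the comment above or from any project), here is a script that builds a TLS 1.2 ClientHello carrying the server_name extension and parses the hostname back out of the raw bytes, which is exactly what an SNI-aware server such as Apache does to pick a virtual host, and therefore a certificate, before any key exchange happens. The hostnames, the vhost table and the record bytes are constructed for this example.

```python
"""Build a minimal TLS 1.2 ClientHello with a server_name (SNI) extension and
parse the hostname back out, the way a server selects a vhost/certificate.
Added example: the ClientHello bytes are constructed here, not captured."""
import struct


def _u8(n):
    return struct.pack("!B", n)


def _u16(n):
    return struct.pack("!H", n)


def _u24(n):
    return struct.pack("!I", n)[1:]          # 3-byte big-endian length


def build_client_hello(hostname):
    """Return a TLS record holding a ClientHello; hostname=None omits SNI."""
    if hostname is None:
        extensions = b""                     # legacy client: no extensions at all
    else:
        name = hostname.encode("idna")
        server_name_list = _u8(0) + _u16(len(name)) + name     # NameType host_name = 0
        ext_data = _u16(len(server_name_list)) + server_name_list
        sni_ext = _u16(0x0000) + _u16(len(ext_data)) + ext_data  # ExtensionType server_name = 0
        extensions = _u16(len(sni_ext)) + sni_ext
    body = (
        _u16(0x0303)                         # client_version: TLS 1.2
        + bytes(32)                          # random (zeros, constructed example)
        + _u8(0)                             # session_id length 0
        + _u16(2) + _u16(0xC02F)             # one cipher suite: ECDHE-RSA-AES128-GCM-SHA256
        + _u8(1) + _u8(0)                    # compression_methods: null only
        + extensions
    )
    handshake = _u8(1) + _u24(len(body)) + body            # HandshakeType client_hello = 1
    return _u8(22) + _u16(0x0301) + _u16(len(handshake)) + handshake  # ContentType handshake


def extract_sni(record):
    """Return the host_name from a ClientHello record, or None if absent."""
    if len(record) < 5 or record[0] != 22:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 1:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                           # skip version + random
    pos += 1 + body[pos]                                   # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                                   # compression_methods
    if pos + 2 > len(body):
        return None                                        # no extensions block
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != 0:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        p = 2
        while p + 3 <= 2 + list_len:
            name_type = data[p]
            name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
            if name_type == 0:
                return data[p + 3:p + 3 + name_len].decode("ascii")
            p += 3 + name_len
    return None


def choose_vhost(record, vhosts, default):
    """Pick the vhost (and so the certificate) for a ClientHello, like SNI-aware Apache."""
    return vhosts.get(extract_sni(record), default)


if __name__ == "__main__":
    table = {"a.example": "cert-a", "b.example": "cert-b"}   # constructed vhost table
    print(choose_vhost(build_client_hello("b.example"), table, "cert-default"))
    print(choose_vhost(build_client_hello(None), table, "cert-default"))
```

The caveat worth keeping in mind: the name travels unencrypted in the very first packet, so a client that sends no SNI gets the default vhost's certificate, and anyone on the path can read which site is being visited even though everything after the handshake is encrypted.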

  3. There is a lot that doesn't need encryption.. by toonces33 · · Score: 3, Insightful

    This seems like overkill to me.

    1. Re:There is a lot that doesn't need encryption.. by rklrkl · · Score: 2

      I think the problem here is that while you can easily identify a password field in a form (type=password), it's not so easy to identify other form fields that might contain personal information (you don't have to call the e-mail field "email" for example). Google is probably right at blanket-covering http forms with a warning that they aren't https.

      The warning in Incognito Mode is on a bit less of a justifiable footing though, but it's the next logical step to warning about all http sites regardless of Incognito Mode or if they're forms or not. That latter step, though, would hit billions of pages, but might force a big adoption of https by the remaining http-only holdouts.

      A big shout-out to Let's Encrypt here, without whom I suspect this https-only tightening couldn't have been undertaken by any of the major browsers.

    2. Re:There is a lot that doesn't need encryption.. by Anonymous Coward · · Score: 2, Interesting

      This seems like overkill to me.

      Are you unaware that some ISPs and "public" wireless hotspots tamper with packets in-transit in order to inject ads?

      I want zero percent of my packets to be tampered with in-transit. We prevent that with encryption.

    3. Re:There is a lot that doesn't need encryption.. by Gavagai80 · · Score: 2

      The real danger here is that people are going to be so used to seeing "not secure" in their browser and being told "oh just go ahead and use it, this isn't important" that soon enough they'll start typing their credit cards into insecure forms again.

      --
      This space intentionally left blank
    4. Re:There is a lot that doesn't need encryption.. by swillden · · Score: 2

      This seems like overkill to me.

      I'd say it's insufficient. Everything should be encrypted and authenticated end to end, not just forms and form responses. Actually, it's really more important that data coming to your browser be authenticated than that data you send be encrypted. Why? Because unless your browser and OS are perfectly secure (they're not) then you have to trust every network hop between the server and you not to inject malware. With authentication, you only have to trust the server.

      And as long as you're authenticating all of the data, you might as well encrypt it, too, because some stuff does need to be protected and (a) it's not always obvious what does and what does not and (b) there's no reason not to just encrypt it all.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  4. Re:Not worth the extra cost to buy a certificate by BlueKitties · · Score: 2

    Actually, it's free to set up HTTPS if you use letsencrypt.org. It takes roughly an hour of research to get it working, give or take depending on your current server setup. There are only a couple of gotchas: one, you have to make a certificate signing request file, .csr, which is easier on Linux than Windows. IIRC you can do it with Docker on a Windows machine. The second catch is, there are actually two files you have to put on your webserver: one is the private key, but the other is some "security key history" file that says where the security key came from. I can't for the life of me remember how that was set up, but it gave me some ugly unexplained "not secure" error in Chrome until some furious Googling surfaced the issue.

    Oh, and the third catch is, try to make the links embedded in your site use https, since an http frame embedded in an https frame isn't secure by virtue of the parent frame. Anyway, if you take the dive, expect a few headaches and unexplained "this page is not secure" experiences before you hammer out the bugs. But it's doable in a single weekend for free, and you get a nice professional looking https bar as a bonus.

    Also, some managed cloud services can turn on https for you with the push of a button, so it could be worth digging around in your settings if you're using a high level CMS / cloud host.

    --
    "Sorrow is better than laughter, for by sadness of face the heart is made glad." [Ecclesiastes 7:3]
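
Two of the points raised in this thread, that a password field is easy to spot but other typed fields are not (the rklrkl comment above), and that http:// resources embedded in an https:// page undo the parent page's security (the "third catch" in the comment above), can both be checked mechanically before a deploy. The following is an added example, not code from either commenter or from Google: a small HTML audit that reports the form fields Chrome 56 warned on (password and credit-card inputs), the fields Chrome 62 warns on (anything the user types into) and any mixed content. The Chrome rules follow the article; the card-field name hints, the element/attribute table and the sample pages are assumptions constructed for this example.

```python
"""Audit an HTML page for (1) typed/sensitive form fields served over http://
and (2) mixed content (http:// subresources on an https:// page).
Added example with constructed HTML; heuristics are this example's assumptions."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed hints that an input takes a card number/expiry/CVC (names or autocomplete tokens).
CARD_HINTS = ("cc-number", "cc-exp", "cc-csc", "cardnumber", "card_number", "creditcard")
# Input types a user types into; "" covers <input> with no type attribute (defaults to text).
TYPED_TYPES = {"", "text", "email", "tel", "search", "url", "number", "password"}
# Elements whose fetched resource would be mixed content if loaded over http://.
SUBRESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href",
                     "audio": "src", "video": "src", "source": "src", "object": "data"}


class PageAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.scheme = urlsplit(page_url).scheme
        self.sensitive_fields = []   # password / card inputs (Chrome 56 rule)
        self.typed_fields = []       # anything the user types into (Chrome 62 rule)
        self.mixed_content = []      # http:// subresources on an https:// page

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input":
            itype = (a.get("type") or "").lower()
            ident = " ".join(filter(None, (a.get("name"), a.get("id"), a.get("autocomplete")))).lower()
            if itype in TYPED_TYPES:
                self.typed_fields.append(ident or itype)
            if itype == "password" or any(h in ident for h in CARD_HINTS):
                self.sensitive_fields.append(ident or itype)
        elif tag == "textarea":
            self.typed_fields.append(a.get("name") or "textarea")
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return                   # canonical/alternate links are not fetched as subresources
        attr = SUBRESOURCE_ATTRS.get(tag)
        if attr and a.get(attr):
            target = urljoin(self.page_url, a[attr])   # resolves relative and "//host" URLs
            if self.scheme == "https" and urlsplit(target).scheme == "http":
                self.mixed_content.append(target)


def audit(page_url, html):
    """Return the findings for one page as a dict (see keys below)."""
    p = PageAudit(page_url)
    p.feed(html)
    p.close()
    return {
        "chrome56_warning": p.scheme == "http" and bool(p.sensitive_fields),
        "chrome62_warning": p.scheme == "http" and bool(p.typed_fields),
        "sensitive_fields": p.sensitive_fields,
        "typed_fields": p.typed_fields,
        "mixed_content": p.mixed_content,
    }


# Constructed sample pages (not real sites).
HTTP_LOGIN = '<form action="/login"><input name="user"><input type="password" name="pw"></form>'
HTTP_SEARCH = '<form action="/s"><input type="search" name="q"><input type="submit"></form>'
HTTPS_MIXED = """<html><head><link rel="stylesheet" href="http://cdn.example/site.css"></head>
<body><img src="//cdn.example/logo.png"><script src="/app.js"></script>
<iframe src="http://widgets.example/embed"></iframe></body></html>"""

if __name__ == "__main__":
    for url, page in (("http://shop.example/login", HTTP_LOGIN),
                      ("http://shop.example/", HTTP_SEARCH),
                      ("https://shop.example/", HTTPS_MIXED)):
        print(url, audit(url, page))
```

The search form is the case the October change adds: no password field, so nothing for Chrome 56 to flag, but a typed field on an http:// page, so Chrome 62 marks it "Not secure". In the https:// sample, the protocol-relative `//cdn.example/logo.png` and the root-relative `/app.js` resolve to https:// and are fine; only the two explicit http:// URLs are mixed content.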
  5. Re:Manage your devices by Z00L00K · · Score: 2

    The problem is that many sites serving over http only will be listed as insecure even if they aren't serving anything that would need encryption, and may not even have a login - or a login only for the webmaster. That covers many hobbyist sites.

    This essentially makes it more cumbersome to run a small website for hobbyist purposes.

    https only protects the data channel between server and client, it doesn't make a site more trustworthy today.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.