BT

Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ

Topics

Choose your language

InfoQ Homepage News Chrome and Firefox Start Warning of Insecure Sites

Chrome and Firefox Start Warning of Insecure Sites

This item in japanese

Bookmarks

With upcoming changes to web browsers from Google and Firefox, users will start to see alerts when they're browsing on an insecure site. Chrome 56 and Firefox 51 in January 2017 will be the first general releases containing these warnings.

Google gave plenty of notice that, starting with Chrome version 56, if users visit a non-HTTPS website that contains any password or credit card input fields, the URL bar will include an alert that they are not on a secure website. The first version of this alert is subtle and may not catch the user's eye, but later builds will intensify the alert.


Image Credit: https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html

In the post, they noted that the current presentation of websites may give users false security:

Chrome currently indicates HTTP connections with a neutral indicator. This doesn’t reflect the true lack of security for HTTP connections. When you load a website over HTTP, someone else on the network can look at or modify the site before it gets to you.

This is similar to the way Chrome currently displays a "secure" notice next to sites that do use HTTPS.

Tanvi Vyas, Mozilla Security Engineer, says that merely submitting the form over HTTPS isn't enough:

We get this question a lot. Although transmitting over HTTPS instead of HTTP does prevent a network eavesdropper from seeing a user’s password, it does not prevent an active MITM attacker from extracting the password from the non-secure HTTP page. The attacker can take the HTML content that the site attempted to deliver to the user and add javascript to the HTML page that will steal the user’s username and password.

Google has provided a page to assist developers with preparing for the not secure warning including downloading the latest version of Chrome Canary to test their sites.

Chrome will only allow sites with password and credit card input fields to avoid the warning if the page is served over HTTPS. If the form field is inside an iframe, both the frame and the top level page need to be secured via HTTPS. In a later build (to be determined), Chrome will flag non-HTTPS sites as "Not Secure" even if they don't have password or credit card fields. The hope is that developers and site owners will seek to eliminate this warning message and serve all pages over HTTPS. This later warning will be more conspicuous, calling out the insecurity with red text.


Image Credit: https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html

Rate this Article

Adoption
Style

BT