Chrome to brand HTTP pages with forms ‘not secure’, webmasters warned
Google has warned website owners that HTTP web pages containing forms will be marked as ‘not secure’ in Chrome 62, as of next week.
In fact, this is not strictly a new notification, with the search giant having first given notice of this weeks ago.
The corporation said in a statement: “Chrome will show the ‘not secure’ warning when users enter data on an HTTP page, as well as on all HTTP pages visited in Incognito mode.”
In emails with the subject line ‘Chrome will show security warnings for’, there was an explanation of where HTTPS should be added, along with further details of how to do this.
The emails listed URLs that will trigger the new Chrome warning where there are text input fields.
It seems that the new warning is part of a long-term strategy which will eventually see all pages served over HTTP labelled insecure. The plan has been introduced gradually, but based on increasingly broad criteria.
Indeed, as far back as January and the launch of Chrome 56, Chrome says it was looking into how to improve the connection security of HTTP pages. And, even at the start of the year, such pages were branded insecure if they contained credit card or password fields.
Since then, there have been almost 25% fewer navigations to HTTP pages with password or credit card forms from desktop computers, so Google now feels ready to take its plan a step further. And it insists that credit card details and passwords are not the only kinds of data which should remain private.
The corporation said in a blog post: “Any data that users type into websites should not be accessible to others on the network.
“When users browse Chrome Incognito, they probably have greater expectations of security. Eventually, we plan to show the ‘Not secure’ warning for all HTTP pages, even outside Incognito mode.”
Luckily, this is pretty easy to put right. To stop the ‘not secure’ warning from showing when people visit your website, make sure you gather user input data exclusively on pages served with HTTPS.
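To find which of your own pages still collect input over HTTP, the script below applies the two rules described above to a set of pages. It is an added example, not code from Google or Chrome; the verdict names, the list of input types counted as text fields, the way password and card fields are recognised, and the example.com pages are all assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the input types counted as "text input fields"; the article gives no list.
TEXT_TYPES = {"", "text", "search", "email", "tel", "url", "number", "password"}

class FieldCounter(HTMLParser):
    """Counts data-entry fields in one HTML document."""
    def __init__(self):
        super().__init__()
        self.text_fields = 0
        self.sensitive_fields = 0

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip().lower() for k, v in attrs}
        if tag == "textarea":
            self.text_fields += 1
        elif tag == "input" and a.get("type", "") in TEXT_TYPES:
            self.text_fields += 1
            # Assumption: type=password or a cc-* autocomplete hint marks a
            # password or credit card field.
            if a.get("type") == "password" or a.get("autocomplete", "").startswith("cc-"):
                self.sensitive_fields += 1

def classify(url, html, incognito=False):
    """Return 'ok', 'chrome56' or 'chrome62' for one page (hypothetical labels)."""
    if urlsplit(url).scheme.lower() == "https":
        return "ok"
    counter = FieldCounter()
    counter.feed(html)
    if counter.sensitive_fields:
        return "chrome56"  # password/card fields on HTTP: flagged since Chrome 56
    if counter.text_fields or incognito:
        return "chrome62"  # any data entry on HTTP, or any HTTP page in Incognito
    return "ok"

def audit(pages, incognito=False):
    """Map each flagged URL to its verdict; pages is {url: html}."""
    verdicts = {u: classify(u, h, incognito) for u, h in pages.items()}
    return {u: v for u, v in verdicts.items() if v != "ok"}

# Constructed sample pages (example.com is a placeholder, not from the article).
SAMPLE = {
    "http://example.com/login": '<form><input type="password" name="pw"></form>',
    "http://example.com/search": '<form><input name="q"><input type="submit"></form>',
    "https://example.com/contact": '<form><textarea name="msg"></textarea></form>',
    "http://example.com/about": "<p>No forms here.</p>",
}
```

Calling audit(SAMPLE) flags the login and search pages; passing incognito=True also flags the form-free HTTP page, matching the Incognito rule in Google's statement.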
While Google updates on this will be forthcoming, don’t wait for those before you take action. And talk to us if you have any concerns.