Chrome 56 will mark HTTP pages with password fields as non-secure

947 points by vladootz, over 8 years ago

39 comments

lucideer, over 8 years ago
Firefox has started to do this recently and it's been fantastically informative and helpful.

It's the one new browser feature I never really considered wanting/needing before, that's really stood out to me as being incredibly valuable since I've started to see the warnings pop up.
foota, over 8 years ago
Pm - "why is this page insecure"

Developer - "chrome labels password fields as insecure over http"

Pm - "what if it wasn't a password field"
KirinDave, over 8 years ago
I've got to say though, that this is a wee bit frustrating as a developer. SSL libraries are terrible, bug ridden, hard to work with, and there are huge sacrifices using a pass-through proxy to offer SSL.

The brittleness of SSL libraries manifests not just in the form of security exploits, but also in the form of delaying the next generation of HTTP technology. Node doesn't natively support HTTP/2 due to HTTP2 fitting issues [https://github.com/nodejs/NG/issues/8]. Jetty was delayed for Java SSL changes. Same with Go.

If Google wants to make the whole web secure? That's great. But we also need to work on making it *simple* to secure. So much research goes into novel ciphers and optimal ways to defeat timing attacks, and etc etc, but the spike in complexity means that we're reaching a point where almost no individual or group can approach a correct implementation.

It worries me that we're approaching a point where we're utterly dependent on a security standard no one can understand.
polygot, over 8 years ago
I hope they do this for CC numbers too, because I know of a website I had to use that passed your Name, address, CC number, CC exp, amount; the whole shebang over plain ol' http to do a payment *shudder*.
alex_dev, over 8 years ago
I've been paying rent with www.rentpayment.com which unfortunately serves up their home page with multiple logins over http. Naturally, emails and tweets to their support go ignored. Maybe they'll finally respond after more people ask them why they're "non-secure".
ktta, over 8 years ago
Mods, can we please get the "?m=1" part of the url removed? I think the current link is for mobile.
no_wizard, over 8 years ago
Alright, for what it's worth everyone, if you haven't seen this already, here it is! The Cert bot from EFF!

Get that HTTPS motor running. This really does make it easy.

https://certbot.eff.org/docs/intro.html
jvehent, over 8 years ago
Firefox has a similar feature enabled in dev edition: https://blog.mozilla.org/security/2017/01/20/communicating-the-dangers-of-non-secure-http/
throwaway6845, over 8 years ago
Countdown until a JS extension that takes a normal <input> field and uses &bull; characters to make it look like a password field without tripping Chrome's detector...
SilasX, over 8 years ago
Stupid question: Is the warning going to show up for localhost, i.e. using chrome to see the local dev version of your website?
meta_AU, over 8 years ago
What should be done for routers and printers that are accessed by their IP address?
kyledrake, over 8 years ago
There should be an HTTP Header (or a CSP directive) to allow servers to set sites as "Not Secure" manually. That would help a lot of people dealing with phishing attacks on web hosts.

It would function in the same way - if Chrome detects CC/password forms, it labels the site as Not Secure.
vladootz, over 8 years ago
I know the article is older, but it's January 2017, just a reminder. The message will appear in the address bar.
ryandrake, over 8 years ago
Not a Chrome user, but this is a great feature, and is at least moving things in the right direction. Really they should go farther though. The UI treatment is almost unnoticeable, even if they went with the "red triangle" version. How about a red-background interstitial page or a modal with a clear "Get Me Out Of Here" and "I Know What I'm Doing" choice for the user?

And for all those "small businesses" that are going to get affected by this? It's hard to muster up much sympathy at this point. It's 2017, and you're still horsing around with vanilla http?
no_wizard, over 8 years ago
I'm going to go ahead and make another shameless plug, since a lot of folks who are hesitant about this new HTTPS stack are worried about deployment, and that's for the fantastic folks over at Caddy. They make an Apache/Nginx alternative that has built in letsencrypt renewal support and automatically encrypts your site by default and serves over https/2.

https://caddyserver.com/

I am not an affiliated developer, but I am a user, and have recommended this to others as well, it's a solid product.
idbehold, over 8 years ago
How does it handle password inputs that are added to the page with JS?
ArlenBales, over 8 years ago
I'd go a leap further and change the background color of the address bar to red if it's a non-HTTPS page. No excuse for any site to be HTTP in 2017, especially with LetsEncrypt. Your host doesn't allow LetsEncrypt? They need to get with the times, or you need to switch hosts. (Why would you want to use a host that doesn't see the value of HTTPS?)
HappyTypist, over 8 years ago
I'm in an A/B test group where all pages are marked either green 'Secure' or red 'Not Secure', password or not.

I like it.
Sarkie, over 8 years ago
I hope me trying to push this on G+ and Twitter for years helped.

This was always my first install on a new Chrome.

https://chrome.google.com/webstore/detail/unsecure-login-notifier/ledomejmbiemgdfiekmhoheabhonihmi
ifelsehow, over 8 years ago
Will this also apply to data URIs? Thinking of the recent data URI phishing exploits [1]

[1]: https://www.wordfence.com/blog/2017/01/gmail-phishing-data-uri/
stilliard, over 8 years ago
Working on a new community site to help people move to HTTPS: https://blog.movingtohttps.com/dedicated-to-simplifying-the-move-from-http-to-https-97d80b08e4dd
LogicX, over 8 years ago
It's great that Google wants to move more sites to https, and I'm in support of this, but it also creates challenges for security vendors such as myself.

Currently DNSFilter and others Man in the Middle traffic destined for sites our customers have decided to block. This works great for http, but not https, as certificate warnings are presented.

The standard work around is arguably less secure: adding a third-party CA to all end-points. This can still present problems with HSTS and certificate pinning.

I'd like to work with Google to create a standard where vendors can either be on a whitelist or have new recognized SSL cert fields, not to MITM traffic, but just to present users with a friendlier message explaining what's happening, and providing a separate https:// url to visit for information from the vendor about the block.

Implementing such a standard in browsers would further increase user security, and provide a viable method for filtering on guest networks where there is no end-point access.
tehlike, over 8 years ago
What happens if the page is insecure, but the attacker places an iframe in the page with HTTPS url, which then tricks the user into sending their credentials (unsuspecting users will think they are logging into the site).
godDLL, over 8 years ago
What about services like Sellfy that let you add a button to your site's pages, that loads a shopping iframe? Will it change the indicator when the iframe appears after a user clicks the Buy button?
cr0sh, over 8 years ago
Ultimately, how is this plan by Google going to affect sites that are hosted on a virtual server hosting plan?

For instance, I have a website hosted at Hurricane Electric on a virtual server plan. I've had hosting there for well over a decade. I like their service, the virtual host works well for most of my needs. There are two areas where it doesn't work, though (AFAIK):

1. I can't run a pure NodeJS website.

2. I can't set up HTTPS.

Number one isn't relevant to this discussion; but as far as I know, the second one is a big deal. There isn't any way (AFAIK) to host multiple virtual servers each with their own certificate.

So right now (well, with the release of v56 of Chrome) - if you have a Wordpress site or something on a virtual host that has a login - it's going to show something that says "unsecure" for the login/password form. Honestly, I am fine with that. My own site isn't a Wordpress site, but I do have a login/password box on the site, and having it show that it is insecure is not a big deal to me. While there isn't much or anything I can do about it, I do understand and support the reasoning.

But...

...in the future, they want to mark -all- non-HTTPS sites as "insecure" - regardless of what the site does, presumably. It could just be a collection of static html pages (no javascript, no forms, nothing special), and it will still be marked as "insecure"? Does this sound reasonable? Suddenly, all of these pages will be deemed pariahs and non-trusted because they choose to use non-encrypted means of presentation?

Is there any solution to this, as it stands? Or are all of us with virtual hosting solutions going to have to migrate to some cloud-based server solution, with its own IP, then obtain our own certificate (easier today, I know - and cheap to free, too) - just to get around this? Is this the end of virtual private server hosting (or is it going to be relegated to third-tier)?

I don't currently know what if anything Hurricane Electric plans to do regarding these changes. I don't want to move to another hosting provider if I can avoid it (while HE isn't the cheapest for what you get, they are nice in that they assume you know wtf you are doing - your hosting is basically access to the server via ssh and sftp - so you better know how to admin and set things up via a shell, because they aren't going to hold your hand).

I'm thinking I should send an email to them to ask them what they're planning to do - if anything.
ams6110, over 8 years ago
It should just label HTTP pages as "not secure", full stop. Because they aren't secure. Or at least, any page with a form. Never mind if it's a password field or not.
clamprecht, over 8 years ago
What if the <form> submits to an https page but the page is served up on an http page? The form submission will be secure, correct? Will Chrome still mark as insecure?
egberts1, over 8 years ago
Needs to start blocking form fields that have no corresponding input text box because...these unused fields still get autofilled with cached but personalized info.
agumonkey, over 8 years ago
Do they send a letsencrypt notice to these domains? Notifying users is awesome, helping "late" hosts into HTTPS would be perfection.
iceman_w, over 8 years ago
Insecure websites could get around this by not marking the fields as password fields but using javascript to make them appear so to the user.
ZeroClickOk, over 8 years ago
I think the title must be "Chrome 56 will mark non-HTTPS pages with password fields as non-secure"
thowfaraway, over 8 years ago
So if we have an http page with a password field that posts via https, it will be marked non-secure?
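Added example, not part of any comment in this thread and not Chrome's own detection logic: a small offline audit in Python that a site owner could run over saved HTML, applying the rule as worded in the title (page not served over HTTPS and containing a password field) and separately reporting whether the form's submit target is HTTPS. Treating `cc-*` autocomplete fields as sensitive is an assumption, and the `example.test` URLs and sample markup are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

def _is_sensitive(attrs):
    # Assumption: "sensitive" = type=password or a cc-* autocomplete token.
    if (attrs.get("type") or "").lower() == "password":
        return True
    tokens = (attrs.get("autocomplete") or "").lower().split()
    return any(t.startswith("cc-") for t in tokens)

class _FormScanner(HTMLParser):
    """Collects (enclosing form action, field name) for sensitive inputs."""

    def __init__(self):
        super().__init__()
        self.action = None  # action of the <form> currently open, if any
        self.hits = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.action = attrs.get("action") or ""
        elif tag == "input" and _is_sensitive(attrs):
            self.hits.append((self.action, attrs.get("name") or "?"))

    def handle_endtag(self, tag):
        if tag == "form":
            self.action = None

def audit(page_url, html):
    """Return one finding per sensitive input found in the page's HTML."""
    scanner = _FormScanner()
    scanner.feed(html)
    page_secure = urlsplit(page_url).scheme == "https"
    findings = []
    for action, name in scanner.hits:
        # An empty or relative action resolves against the page URL.
        target = urljoin(page_url, action or "")
        findings.append({
            "field": name,
            "submit_secure": urlsplit(target).scheme == "https",
            "flagged": not page_secure,  # the title's rule: HTTP page + field
        })
    return findings

# Constructed sample: HTTP page whose login form posts to an HTTPS URL.
SAMPLE = ('<form action="https://example.test/login"><input name="u">'
          '<input type="password" name="p"></form>')
```

`audit("http://example.test/", SAMPLE)` reports the field as flagged even though `submit_secure` is true: a page delivered over HTTP can be altered on the network path before the user types into it, so an HTTPS submit target alone does not protect the credentials.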
daryltucker, over 8 years ago
I'd like to see this with Adobe Flash and third party scripts. (Pandora!)
rectangletangle, over 8 years ago
About time, this is an excellent feature.
myf01d, over 8 years ago
Advancing HTTPS is one of a few good things Google made in the recent years. Thanks Google.
ai_ja_nai, over 8 years ago
Thank God
johndoe4589, over 8 years ago
> A substantial portion of web traffic has transitioned to HTTPS so far, and HTTPS usage is consistently increasing. We recently hit a milestone with more than half of Chrome desktop page loads now served over HTTPS

Well OBVIOUSLY when the traffic is increasingly going to the same top ten sites like Facebook, Twitter and Co.
malikNF, over 8 years ago
This is such a dumb idea on google's part (and mozilla's) because people are now going to program dumb workarounds for this.

Google seriously has to stop trying to police the god damn web.
Elrac, over 8 years ago
"Thanks, Captain Obvious!"

Is there an option to turn this off, for those of us who feel we need it like a hole in the head?