Google to Add MitM Protection Mechanism to Chrome 86 Warning Users About Insecure Forms

Google has announced that the Google Chrome browser will soon alert individuals about insecure forms on websites. Google is planning on rolling out the new feature in Chrome 86 to protect users from man-in-the-middle attacks.

The new feature will generate an alert for mixed forms, which are forms on secure (HTTPS) websites that are delivered insecurely and pose a risk to users’ privacy and security. Data entered in these insecure forms can be visible to eavesdroppers and could be read or altered in man-in-the-middle attacks.

In Chrome 86, autofill will be disabled on mixed forms but the password manager will continue to work for mixed forms with login and password prompts. When a user attempts to enter information on a mixed form, warning text will appear alerting the user that the form is not secure.

If the user continues to enter data and attempts to submit the form, they will be presented with a further warning alerting them to the insecure nature of the form and will be asked if they would like to submit the data anyway.

In previous Chrome versions, mixed forms were only denoted by the removal of the lock icon in the address bar. Google decided to make the change as the current mechanism was not effectively communicating the risk associated with submitting insecure form data.
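Site owners can check their own pages for forms that would trigger the new warning. The following is an added example, not code from Google or from the original article; it takes "mixed form" to mean a form on an HTTPS page whose submission target resolves to an `http://` URL, and the sample page and host names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class MixedFormFinder(HTMLParser):
    """Collect form submission targets that leave HTTPS."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.base_url = page_url      # replaced if a <base href> is seen
        self.findings = []            # (tag, attribute, resolved target)

    def _check(self, tag, attr, value):
        value = (value or "").strip()
        # An empty or missing action submits to the page's own URL.
        target = urljoin(self.base_url, value) if value else self.page_url
        if urlsplit(target).scheme == "http":
            self.findings.append((tag, attr, target))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            self.base_url = urljoin(self.page_url, attrs["href"])
        elif tag == "form":
            self._check(tag, "action", attrs.get("action"))
        elif tag in ("button", "input") and attrs.get("formaction"):
            # formaction on a submit control overrides the form's action
            self._check(tag, "formaction", attrs["formaction"])


def find_mixed_forms(page_url, html):
    """Return insecure submission targets found in an HTTPS page's HTML."""
    if urlsplit(page_url).scheme != "https":
        return []  # only forms on HTTPS pages count as mixed
    finder = MixedFormFinder(page_url)
    finder.feed(html)
    return finder.findings


# Constructed sample page, not taken from any real site.
SAMPLE_URL = "https://shop.example/account/login"
SAMPLE_HTML = """
<form action="http://shop.example/login" method="post"><input name="user"></form>
<form action="/search"><input name="q"></form>
<form action="https://pay.example/charge">
  <button formaction="http://legacy.example/charge">Pay</button>
</form>
<form action="//cdn.example/subscribe"><input name="email"></form>
"""
```

Relative and scheme-relative actions inherit HTTPS from the page and are not flagged; the explicit `http://` action and the `formaction` override are.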

Google has also announced that it will be introducing an experimental feature that will provide protection against URL spoofing, such as when a URL contains a misleading brand name. The address bar will only show the part of the domain that can be registered. The full URL will only be visible when the user hovers the mouse arrow over the address bar. This feature will be enabled by default, although users who do not wish to use this feature can right-click on the address bar and select “Always show full URLs”.

This feature will initially only be provided to a random selection of Chrome users while it is tested and will not initially be available to enterprise Chrome users. Google will then assess whether the new way of displaying URLs helps to protect users from phishing and social engineering attacks. If successful, the feature will be rolled out to all users.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news