Beginning in M86, Chrome will warn users when they try to complete forms on secure (HTTPS) pages that are submitted insecurely. These “mixed forms” (forms on HTTPS sites that do not submit on HTTPS) are a risk to users’ security and privacy. Information submitted on these forms can be visible to eavesdroppers, allowing malicious parties to read or change sensitive form data, says Google. 

Specifically, Chrome will be making the following changes to communicate the risks associated with mixed form submission:

  • Autofill will be disabled on mixed forms.
    Note: On mixed forms with login and password prompts, Chrome’s password manager will continue to work. Chrome’s  password manager helps users input unique passwords, and it is safer to use unique passwords even on forms that are submitted insecurely, than to reuse passwords.

  • When a user begins filling out a mixed form, they will see warning text alerting them that the form is not secure.

  • If a user tries to submit a mixed form, they will see a full page warning alerting them of the potential risk and confirming if they’d like to submit anyway.

According to Google, "before M86, mixed forms were only marked by removing the lock icon from the address bar. We saw that users found this experience unclear and it did not effectively communicate the risks associated with submitting data in insecure forms."

Joseph Carson, chief security scientist and Advisory CISO at Thycotic, a Washington D.C. based provider of privileged access management (PAM) solutions, says, “This is a surprising move by Google Chrome who continue to raise the bar and are starting to take security of Chrome users more seriously.  This security change forces companies to make urgent changes to their forms and might have an impact on many organizations revenue since users who see this warning will likely think twice before clicking submit or even signing up for internet services. Security continues to increase in priority, and internet users are becoming more concerned about the possibility of becoming a victim of credential theft, identity theft or financial fraud.  This appears to be a push from Google to help Chrome users start using password managers more frequently and reduce the risks of become a victim from insecure web forms. As always, this a is positive move and will cause many companies to make urgent changes.”

Tim Wade, Technical Director, CTO Team at Vectra, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyberattackers, notes, he appreciates the diligence the Chrome team has put into promoting user privacy and safety – "two other examples include visually emphasizing the insecurity of HTTP sites to increase HTTPs adoption across the web, and rallying for the deprecation and replacement of the often exploited Adobe Flash with HTML5.  By creating simple, straightforward warnings that users understand demystifies security for the end user, which makes the web a much safer place.”

Brandon Hoffman, Chief Information Security Officer at Netenrich, a San Jose, Calif.-based provider of IT, cloud, and cybersecurity operations and services, adds that, “The security enhancement to form submission and control offered by Chrome is a huge benefit to consumers. This is an area of online interaction or transaction that is difficult to get clarity on. Certainly for the bulk of consumers out there it's an area they would not have the requisite technical skills to help themselves secure.”