Google Chrome has temporarily disabled the warning function of insecure forms

by ·

Google Chrome is committed to helping all websites migrate to the HTTPS encryption security protocol. If you use the HTTP plaintext transfer protocol, you may be warned by Google.

For example, an exclamation point will be displayed in the address bar when loading a plaintext protocol website, and a warning will also be displayed when the content of the plaintext protocol is loaded from a secure connection.

Another situation is that if the website uses an encrypted security protocol, but submits the form content such as account registration or login in plain text, the connection will be directly interrupted.

At this time, Google Chrome will warn the user that the information sent is not safe in the form of a full-screen pop-up window. If the user does not manually click to continue, it will be blocked from continuing to log in.

This function is reasonable in terms of design logic. After all, transmitting user information, especially account passwords, through a clear text protocol is easy to be hijacked and stolen.

However, in the design process, Google engineers did not consider the special situation, which is to use an encrypted connection to send user information but redirect to a clear text protocol after logging in.

The process is as follows: HTTPS loading —- HTTPS form —- redirect to HTTP URL, that is, the last step is to jump to the plaintext transfer protocol.

Google regards it as a clear text transmission and therefore ignores the encrypted form transmission and displays a huge warning, but in fact, user data is transmitted encrypted and there is no risk.

With the release of version 87 of Google Chrome, this improvement has reached the stable version, which has led to huge challenges for a large number of websites, especially older and complex ones.

After causing a large number of complaints, Google engineers responded that after checking and confirming the problem, this feature has been directly withdrawn through hot updates and waiting for subsequent optimization.

Considering that Google engineers are taking vacations during the Christmas holidays, rolling back this function directly is the most direct and quickest solution.

Google engineers said that they will optimize at the beginning of next year, and then re-enable the optimized features in the stable version of Chrome 88 released on January 19.

Google engineers also said that it is still strongly recommended that webmasters encrypt connections throughout the entire process, instead of redirecting users to plaintext links after they log in.

Via: bleepingcomputer

Tags: