Google has announced that, beginning in the M86 development branch of Chrome, users will be warned whenever they try to interact with forms on HTTPS pages that are submitted insecurely.
Some HTTPS websites don’t submit the input users enter into forms over a secure HTTPS channel, which can put end users’ privacy and security at risk. The information submitted through these ‘mixed forms’ can be eavesdropped on, which means a malicious third party can read or even change form data that could include sensitive personal information.
To safeguard users’ security, following the change, Chrome will disable autofill on mixed forms. However, this change will not affect the browser’s password manager, which will continue to function normally.
Also, when a user interacts with a mixed form, they will see a warning that says, “This form is not secure. Autofill has been turned off”.
If the user still continues filling in the form, Chrome will alert them again with a full-page warning that their security and privacy might be at risk.
Previously, insecure forms were marked by removing the lock icon beside the website’s URL in the address bar. However, since this did not communicate the risks completely, Google is moving to alerts for insecure forms on HTTPS pages.
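Site owners can look for mixed forms in their own pages before users see these warnings. The following Python check is an added example, not part of Google’s announcement and not Chrome’s own detection logic: it resolves each form’s action against the page URL (honouring a `<base href>`) and reports forms on an HTTPS page that would submit over http://. The function names, URLs and sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page: one mixed form, three forms that stay on HTTPS.
SAMPLE_PAGE_URL = "https://shop.example.test/account/"
SAMPLE_HTML = """
<form action="http://shop.example.test/subscribe" method="post"><input name="email"></form>
<form action="/login" method="post"><input name="user"></form>
<form action="//pay.example.test/charge" method="POST"><input name="card"></form>
<form><input name="q"></form>
"""

class FormCollector(HTMLParser):
    """Collects (action, method) for every <form>, plus the first <base href>."""
    def __init__(self):
        super().__init__()
        self.base_href = None
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and self.base_href is None and a.get("href"):
            self.base_href = a["href"]
        elif tag == "form":
            # A missing or empty action means "submit to the current document".
            self.forms.append((a.get("action") or "", (a.get("method") or "get").lower()))

def find_mixed_forms(page_url, html):
    """Return (method, resolved_action) for forms on an HTTPS page that submit over http://."""
    if urlsplit(page_url).scheme != "https":
        return []  # the warning described above concerns forms on HTTPS pages only
    collector = FormCollector()
    collector.feed(html)
    # <base href> changes how relative actions resolve, so apply it first.
    base = urljoin(page_url, collector.base_href or "")
    mixed = []
    for action, method in collector.forms:
        target = urljoin(base, action.strip())  # handles relative and //host/path actions
        if urlsplit(target).scheme == "http":
            mixed.append((method, target))
    return mixed

if __name__ == "__main__":
    for method, target in find_mixed_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"mixed form: {method.upper()} {target}")
```

Only the first form in the sample is reported; relative, protocol-relative and action-less forms inherit the page’s HTTPS scheme, while a `<base href>` pointing at http:// would turn every relative action into a mixed form.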
Last month, Google rolled out two tools aimed at enhancing the security of Chrome’s autofill feature: biometric authentication for filling in saved payment information and a new touch-to-fill control in the browser’s password manager.
Until now, any cards saved in a user’s Google account were only accessed by Chrome when needed for a transaction, and a CVV or CVC number was needed to confirm that transaction. With the update, Google is adding another security layer, fingerprint authentication, that will be required whenever Chrome needs permission to access the autofill information for a user’s credit or debit card from their Google account.
The second tool is a touch-to-fill feature that enables users to sign in with ease, as it presents all the saved accounts for the current website in a neat dialogue box at the bottom of the screen. This means users don’t need to scroll to the respective fields in the form to choose the correct sign-in information for the account.