
Privacy Ninja

Google Chrome Disables Insecure Form Warnings After Complaints


Google has disabled a feature that displays a warning when submitting insecure forms after receiving many complaints from users and website administrators.

Google has been focusing on removing mixed content in Google Chrome, which occurs when a secure (HTTPS) page loads content from an insecure (HTTP) URL. As part of this initiative, Google rolled out a new feature in Chrome 86 that warns users when they submit a form on a secure (HTTPS) page to an insecure (HTTP) URL.

Submitting an insecure form would display a warning about the risks of doing so and ask the user whether they wish to continue submitting the information.

Insecure form warning

With the release of Chrome 87, this new feature went live for everyone, and many website administrators began reporting problems in a Chromium bug report.


The problem is that Google Chrome would show the insecure form warning even when the form itself was submitted securely and the user was only redirected to an HTTP URL after submitting it.

For example, a form submission flow of HTTPS Form > HTTPS URL > Redirect to HTTP URL would generate a warning in Chrome, even though the form was submitted securely. These warnings would then break the redirect chain websites use after submitting a form or logging into the site.

Chrome users say that this is a bug as the form submissions are secure, and only the redirect went to an HTTP URL.

Complaint about insecure form warnings

Google disables feature while they make changes

On December 15th, Google software engineer Carlos Joan Rafael Ibarra Lopez stated that they are disabling the feature in Chrome 87 to adjust it, so HTTP redirects after a secure form submission do not generate a warning.

“After considering the unexpectedly large impact this change had on form submissions that involve redirects through HTTP sites, we have decided to roll back the change for Chrome 87. We expect the configuration to be out later today, at which point it will take effect on the next Chrome restart. I’ll ping this bug with updates.

We are planning to re-enable the warnings in Chrome 88 (tentatively going to stable on January 19, 2021), but warning only on forms that directly submit to http://, or that redirect to http:// with the form data preserved through the redirect, so it won’t trigger for the cases mentioned in this bug where the http:// hop didn’t carry the form data.

That being said, I still encourage sites to keep https:// throughout the whole redirect chain, as http:// steps still compromise user privacy (by exposing the form target location) even if no form data is being exposed.

Apologies for the issues caused by this new warning.”

The rollback has already been pushed to Google Chrome, and users who are still seeing these errors should restart the browser to get the new configuration change.

Lopez recommends that users test their sites by enabling the “Mixed forms interstitial” flag in chrome://flags before Chrome 88 is released to make sure their forms and redirects are working as expected.

“Re #210: This behavior can be enabled by switching the “Mixed forms interstitial” feature on from chrome://flags. If you do it in the current version of Chrome this will enable the stricter behavior that we had in 87 (it will eventually be changed to match what we plan to relaunch in 88), but if you check your website doesn’t trigger a warning with this behavior, it will definitely not trigger one in 88, since enforcement will be less strict.”


Google will enable this feature again in Chrome 88, which is expected to be released on January 19th, 2021.
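As an added example (not from the article or from Chrome's code), the sketch below classifies a form's redirect chain under the two behaviours described above: the Chrome 87 check that flagged any http:// hop, and the planned Chrome 88 check that flags only hops still carrying the form data. It assumes POST forms and treats only 307/308 redirects as preserving the form body, per standard HTTP semantics; the function name, result fields and example.com URLs are constructed for illustration.

```javascript
'use strict';
// Added example; names and sample chains are constructed, not Chrome internals.
// Assumption: for a POST form, only 307/308 make the browser resend the body;
// 301/302/303 are followed with GET, so the form data is dropped at that hop.
const BODY_PRESERVING = new Set([307, 308]);

// hops: responses in order, e.g. [{ status: 302, location: 'http://...' }]
function classifyFormChain(formPageUrl, actionUrl, hops = []) {
  const result = { strict: false, relaxed: false, httpHops: [] };
  // Mixed-form checks only apply to forms served from a secure page.
  if (new URL(formPageUrl).protocol !== 'https:') return result;

  let current = new URL(actionUrl, formPageUrl);
  let carriesData = true; // the first request always carries the form data
  const visit = (url) => {
    if (url.protocol !== 'http:') return;
    result.httpHops.push({ url: url.href, carriesData });
    result.strict = true;                    // Chrome 87: any http:// hop warns
    if (carriesData) result.relaxed = true;  // planned Chrome 88: data exposed
  };
  visit(current);
  for (const { status, location } of hops) {
    carriesData = carriesData && BODY_PRESERVING.has(status);
    current = new URL(location, current);    // Location may be relative
    visit(current);
  }
  return result;
}

// Constructed sample chains for a form served from an HTTPS page.
const page = 'https://shop.example.com/checkout';
const samples = {
  // HTTPS form > HTTPS URL > redirect to HTTP URL (the case from the bug report)
  httpLandingPage: classifyFormChain(page, '/session',
    [{ status: 302, location: 'http://www.example.com/home' }]),
  // The redirect preserves the POST body across an http:// hop
  bodyForwardedOverHttp: classifyFormChain(page, '/session',
    [{ status: 307, location: 'http://legacy.example.com/submit' }]),
  // The form posts straight to http://
  directHttpAction: classifyFormChain(page, 'http://legacy.example.com/submit'),
  // HTTPS throughout, as the Chrome engineer recommends
  httpsThroughout: classifyFormChain(page, '/session',
    [{ status: 303, location: '/thanks' }]),
};
console.log(JSON.stringify(samples, null, 2));
```

A chain with `strict: true` and `relaxed: false` is the case the rollback addresses; it still exposes the form target location over http://, so the `httpHops` list is worth clearing even when no warning is expected.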
