Chrome False Positive Insecure Form Page Warning


Greg Scott

Dec 14, 2020, 12:37:23 PM
to securi...@chromium.org, Alexander Howard

Hello,

Please help, we have a weird scenario where some Chrome users on Version 87.0.4280.88 (Official Build) (32-bit) get the "information not secure" page as referenced in

https://blog.chromium.org/2020/08/protecting-google-chrome-users-from.html

This error just started today, 12/12/20, for these users. If you look at the screenshots you can see there is no mixed content and no insecure resources are loaded.

The next set of screenshots is here to provide additional details of what we see in the browser when the user clicks the login button and gets the error page.

I can be reached by cell phone below. Thanks for any guidance you can provide.

Greg Scott
Online Insight
404-600-5222 O
404-626-6066 M

Online Insight

Empowering health insurance e-marketplaces.
www.onlineinsight.com

Emily Stark

Dec 14, 2020, 12:42:58 PM
to Greg Scott, securi...@chromium.org, Alexander Howard
Hello,
Thanks for the report! We are currently tracking this at https://bugs.chromium.org/p/chromium/issues/detail?id=1158169; please follow that bug for further updates. It looks like your form submission is redirecting through an insecure http:// URL which is why the warning is triggering. You may want to investigate your server configuration to see if there is a way to prevent that http:// redirect.
Best,
Emily


Greg Scott

Dec 14, 2020, 12:57:21 PM
to Emily Stark, securi...@chromium.org, Alexander Howard

Hi Emily,

Thanks for the response.

We use an AWS Load Balancer in a TLS Termination (Offloading) configuration.

From what we can tell, the form is submitted over HTTPS, but the response from the web server over HTTP to the Load Balancer is making it all the way to the client's browser (Chrome) instead of being terminated and converted to HTTPS. We submitted an issue to AWS; however, we believe the message presented to the consumer by Chrome is a false positive, since the form does get submitted over HTTPS and it's the response that is HTTP.

To resolve it, we had to move to an SSL Bridging configuration, basically making SSL offloading pointless.

Hope this helps.

Thanks,

Nick Harper

Dec 14, 2020, 4:59:04 PM
to Greg Scott, Emily Stark, securi...@chromium.org, Alexander Howard
One of your screenshots shows that the request made to https://enroll.brighthealthplan.com/ehpportal/eapp/login is returning a redirect response code with a Location header pointing to an http:// (not https) URL. That would be the insecure resource that gets loaded, and is likely the cause of the warning you're seeing.
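
As an added example (not code from the thread or from Chromium), the script below reproduces the diagnosis above: it resolves each hop's Location header the way a browser does and flags any hop that lands on an absolute http:// URL, which is the insecure resource behind the warning even though the POST itself went over TLS. The hostnames and sample hops are constructed; `fetch_chain` is an assumed helper you can point at your own login URL to capture a live chain.

```python
"""Check a form-submission redirect chain for insecure http:// hops.
Added example, not code from the thread or from Chromium; hostnames are
placeholders and the sample hops are constructed."""
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urljoin, urlparse

def resolve_location(request_url, location):
    """Resolve a Location header as a browser would (relative values allowed)."""
    return urljoin(request_url, location)

def insecure_hops(chain):
    """chain: [(request_url, status, lower-cased headers), ...] in order.
    Returns the absolute redirect targets that downgrade the session to http://."""
    bad = []
    for request_url, status, headers in chain:
        if 300 <= status < 400 and "location" in headers:
            target = resolve_location(request_url, headers["location"])
            if urlparse(target).scheme == "http":
                bad.append(target)
    return bad

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not follow: fetch_chain records each hop itself

def fetch_chain(url, data=None, max_hops=5):
    """Walk a live redirect chain by hand; data=b'...' sends a POST like the form."""
    opener, chain = urllib.request.build_opener(_NoRedirect), []
    for _ in range(max_hops):
        try:
            resp = opener.open(url, data=data, timeout=10)
            status, hdrs = resp.status, resp.headers
        except HTTPError as e:  # 3xx lands here because redirects are not followed
            status, hdrs = e.code, e.headers
        headers = {k.lower(): v for k, v in hdrs.items()}
        chain.append((url, status, headers))
        if not (300 <= status < 400 and "location" in headers):
            break
        url, data = resolve_location(url, headers["location"]), None  # later hops are GETs
    return chain

# Constructed hops mirroring the thread: a backend behind a TLS-terminating load balancer
# built its redirect from the plain-HTTP request it saw; the balancer then bounced back to https.
LOGIN = "https://portal.example.test/ehpportal/eapp/login"
BROKEN_CHAIN = [(LOGIN, 302, {"location": "http://portal.example.test/ehpportal/eapp/home"}),
                ("http://portal.example.test/ehpportal/eapp/home", 301,
                 {"location": "https://portal.example.test/ehpportal/eapp/home"})]
# Same flow once the backend emits a relative Location (or honours X-Forwarded-Proto).
FIXED_CHAIN = [(LOGIN, 302, {"location": "/ehpportal/eapp/home"})]
```

A relative Location, or one built from X-Forwarded-Proto behind a TLS-terminating balancer, resolves against the https:// request URL, which is what the fixed chain shows.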

Greg Scott

Dec 14, 2020, 5:03:35 PM
to Nick Harper, Emily Stark, securi...@chromium.org, Alexander Howard

Thanks Nick,

We agree something is happening at the Load Balancer layer that's pushing the HTTP redirect response all the way up to the client browser; however, my point is that the HTTP is in the response and not part of the submission, which the Google warning page seems to imply.
