'Here's Where Google Hid Chrome's SSL Certificate Information' (vortex.com) 105
"Google Chrome users have been contacting me wondering why they no longer could access the detailed status of Chrome https: connections, or view the organization and other data associated with SSL certificates for those connections," writes Slashdot reader Lauren Weinstein, adding "Google took a simple click in an intuitive place and replaced it with a bunch of clicks scattered around."
Up to now for the stable version of Chrome, you simply clicked the little green padlock icon on an https: connection, clicked on the "Details" link that appeared, and a panel then opened that gave you that status, along with an obvious button to click for viewing the actual certificate data such as Organization, issuance and expiration dates, etc. Suddenly, that "Details" link no longer is present...
The full certificate data is available from the "Developers tools" panel under the "Security" label. In fact, that's where this info has been for quite some time, but since the now missing "Details" link took you directly to that panel, most users probably didn't even realize that they were deep in the Developers tools section of the browser.
On some systems you can just press F12, but the alternate route is to click on the three vertical dots in the upper right, then select "More Tools", and then "Developer Tools". (And if you don't then see "Security", click on the " >>".)
The full certificate data is available from the "Developers tools" panel under the "Security" label. In fact, that's where this info has been for quite some time, but since the now missing "Details" link took you directly to that panel, most users probably didn't even realize that they were deep in the Developers tools section of the browser.
On some systems you can just press F12, but the alternate route is to click on the three vertical dots in the upper right, then select "More Tools", and then "Developer Tools". (And if you don't then see "Security", click on the " >>".)
Which version? (Score:2, Informative)
Re:Which version? (Score:5, Insightful)
v58 has the lock icon, but no details about the cert.
What a stupid decision to remove details. I'm really more interested in the reason for this idiocy, but I'm guessing the person responsible is too much of a coward to face the criticism and be held accountable.
Re: (Score:1)
As we routinely read on here, it's never the developer's fault. For anything. It's always someone else's fault when bug-ridden software is pushed out or when changes such as this one are made.
So don't hold your breath expecting a developer, or group of developers, to stand up and claim ownership for this.
Re: (Score:3)
And that's entirely correct. Developers develop. Managers decide. After they make their decision they inform the developers what to do. The developers will then either do that, or get fired. Would you really want to get fired over a single button?
Re: (Score:3)
Developers own the bugs they write. However, management determines when they're allowed to fix them.
In commercial software, new features historically got priority over bug fixes---unless the bugs in question were really bad.
But this is a feature change. Bringing up bugs is a distraction.
It's almost impossible for an entire UI option to disappear from one place and move somewhere else due to a mere bug.
This was a deliberate change in the way the software works, and so the decision was ultimately made or appr
Re:Which version? (Score:5, Interesting)
I don't know.... But this issue needs to get Security Vulnerability status, Because I am sure considering it as one.
I was previously recommending Chrome above Internet Explorer for security reasons, but because of this issue I have to reverse that now......
Re: Which version? (Score:1)
Can I ask why? Is moving the information making it less secure?
Re: (Score:1)
Re:Which version? (Score:5, Insightful)
A rock is the perfect design then.
Since it has no features except the physical ones, it is as minimalistic as it can get.
It does have uses, though.
You can throw it at the minimalist developer/designer's head.
--
BMO
Re:Which version? (Score:5, Interesting)
I'm really more interested in the reason for this idiocy
I'll take a guess. Google the absolute master of telemetry and information gathering probably noticed that it was one of the least used buttons on the screen and that yet another option just adds to the confusion for end users in that already massive menu. They probably also could correlate people who use developer tools with people who would actually check the details of a security certificate.
I've done it once this year. Wanted to check if my own security cert updated correctly on my website. Developer tools is a great place for that information, and let's face it, no normal user ever checked the certificate. Hell back before the little green / red bars, back before they said secure, back when we were actively telling users to check the status by clicking up there no one did it.
Interesting theory (Score:2)
> They probably also could correlate people who use developer tools with people who would actually check the details of a security certificate.
Interesting theory. Google *is* all about correlation.
Re: (Score:2)
Its not about user checking the cert, but about UI. In both cases the chance for checking would be near 0, but now the UI has one useless button less for those remaining 99%
Re: (Score:2)
Good thing to see that many people use the MIDI device enable button!!!! I'd hate soooo much to see Google remove that!
Something as fundamental as details about the cert should never be buried, no matter how rarely it is used. Let's also talk about Extensions... a useful feature, but functionality is buried under several layers of UI "goop" just to get new extensions. Seems like it's designed to discourage users from getting new extensions.
Also, if I use certs for servers I have on my own LAN (for example,
Re: (Score:2)
Interestingly, Microsoft also collects telemetry related to Windows usage, but then it's labelled spyware.
When Google uses telemetry and correlation to identify that the people viewing cert details also typically make use of developer tools, it's called cleaning up 'yet another option [that] just adds to the confusion for end users'.
When Microsoft uses telemetry and correlation to reposition OS features, it's called spyware that sends all your documents to the NSA.
Re:Which version? (Score:4, Insightful)
What a stupid decision to remove details. I'm really more interested in the reason for this idiocy, but I'm guessing the person responsible is too much of a coward to face the criticism and be held accountable.
Having filed bug reports / feature requests agains Chrome a few times in the past, and having been involved in a few tedious back-and-forth exchanges with Chrome developers... I'm reasonably confident in saying any communication which might happen regarding this removal will boil down to: "We at Google know better than you".
But it's not cowardice - it's arrogance.
Re: (Score:2)
Do you actually use that? I know I don't. I'm pretty sure most people don't.
Re: Which version? (Score:2)
Just like the stupid URL display choice in the address bar. Maybe they are secretly wanting to recreate an AOL experience, minus the coasters?
Re: (Score:2)
v56 doesn't.
Obscurity is... (Score:3, Funny)
Re: (Score:2)
No, but irrelevance is irrelevant. Users didn't understand what they were looking at, and those few that do are more than able to find what is effectively debugging information in the developer tools panel.
Users are Idiots (Score:1)
Present company not withstanding, probably less than 10% of users have any idea what a public key certificate is, who issues them and what a chain of trust is. Hiding this information from idiot users is acceptable if the browser also, by default, refuses to connect to HTTPS sites with expired certificates or certificates not issued by a trusted authority. If something is not right with the certificates the regular idiot user should get the big red warning page with the "Here be Dragons!" message.
Re: (Score:2)
Re: Users are Idiots (Score:1)
I'm pretty sure you can do a custom Chrome install that has your certificates pre-installed. But if you are arguing that the "whoa there, this site's SSL info looks fishy!" page should be disabled by default, then you are trading in an inconvenience for a glaring vulnerability.
Re: (Score:2)
Business lack the expertise to obtain valid certificates, but have the expertise to generate their own?
They have the expertise to generate their own certificates but are too inept to import them as a trusted source into the windows machines thereby not only ensuring Chrome has the right security approach but all other applications as well?
What kind of strange businesses have you worked with?
Use secure or not, don't pretend (Score:3)
GP said invalid or expired certificates. If you want to use http (vs https), fine. You know it's not a secured connection.
If you use https with a certificate that can't be verified, you've not secured the connection, only pretended to. I can generate an (unvalidated) certificate for any of your hosts and mitm you, if you use unvalidated certs.
GP suggestion allows it be either be secure, or not secure, you just can't PRETEND that it's secure when it's really not.
Re: Users are Idiots (Score:2)
Re: (Score:2)
Hiding this information from idiot users is acceptable if the browser also, by default, refuses to connect to HTTPS sites with expired certificates or certificates not issued by a trusted authority.
Exactly what Chrome is doing. Except the users don't get a warning page, they get a thou shall not pass page.
Google Voice is free to U.S. and Canada. (Score:2)
Re: (Score:2)
Think about the state of google's messaging platform(s). Then every other fuckup will be clear.
Re:Google management is now often sloppy. (Score:5, Insightful)
It's called "alphabet" in an open and blatant reference to "alphabet agencies". It's for the people who didn't realize Google is an extension of the CIA, NSA, etc.
Re: (Score:2)
2) More and more, Google software like Chrome and Android is getting a bad reputation for being invasive and destructive. The first comment in this story is "Chrome? People still use that spyware..?"
That reputation is among the very few that care about things like that. Regardless of which graph you look at, or who provides the data, Chrome use is still on a steady upwards trend meaning more people use it than ever. As for that first comment, well at least it lives up to the reputation of first comments. I wouldn't use it as a data point.
It's not possible to update Android on most phones, without risking bricking the phone.
That hasn't been true since gingerbread and nearly all vendors offer a nice auto upgrade process which reboots, does checks, applies the updates, and drops you right b
Re: (Score:2)
It's not possible to update Android on most phones, without risking bricking the phone.
That hasn't been true since gingerbread and nearly all vendors offer a nice auto upgrade process which reboots, does checks, applies the updates, and drops you right back where you left off. Actually I don't think I've ever heard of a case where an official update executed through proper normal channels has bricked a device, much less "most phones".
I think the implication is that "most phones" don't have "an official update executed through proper normal channels" available at all. Therefore the only possibility to update is through CM or Lineage or what they're calling it now, and the installation process for that is what risks a brick.
Re: (Score:2)
I think the implication is that "most phones" don't have "an official update executed through proper normal channels" available at all.
Then it would still be wrong. Every major Android manufacturer has an update process through official channels. The only exceptions are some of the stupid US specific carrier issues which cause one-off phone models to be created and have updates hampered by the carriers themselves.
The length that updates are available are a different question, but much like the very issue we are discussing, it has nothing to do with Google. We also don't blame Ubuntu when downstream forks/remxies aren't updated either. Goog
Google could use Google Play Store as a cudgel (Score:2)
Every major Android manufacturer has an update process through official channels. The only exceptions are some of the stupid US specific carrier issues which cause one-off phone models to be created and have updates hampered by the carriers themselves.
For one thing, both Google and SlashdotMedia are headquartered in the US, making "US specific [...] issues" on-topic. For another, "carrier issues" don't explain why manufacturers of tablets can't manage to deliver usable updates. One reason is that newer Android versions tend to require more RAM and a faster, larger NAND. Upgrading a first-generation Nexus 7 tablet (Tegra 3, 1 GB RAM, 8 GB NAND) from Android 4.4 to 5.x, for example, leads to an unusably janky system with lag that often reaches five seconds
Re: (Score:2)
making "US specific [...] issues"
You conflated two points into one. US specific issues don't make it off topic. The fact that Android by virtue of being open source and by the fact that vendors take and then heavily modify the OS to the point where Google is unable to offer a central update is what makes it off topic.
One reason is that newer Android versions tend to require more RAM and a faster, larger NAND
Goalpost moving. We're not talking about the length of updates, the GP said that no official channel was supplied for updates from most vendors. That is just wrong.
Upgrading a first-generation Nexus 7 tablet (Tegra 3, 1 GB RAM, 8 GB NAND) from Android 4.4 to 5.x, for example
Oh good so you're agreeing with me, given that the Nexus 7 was
Google maps tells me it's 49 miles via Longview (Score:2)
> 1) Google maps says that Woodland, WA state is a few miles from St. Helens, OR state. But the Columbia River flows between those cities, and there is no bridge.
Google maps tells ME that you have to go all thev way up to Longview, 49 miles. Maybe you clicked the plane icon they used to have?
The rest of your points are all opinions and you're welcome to your opinion, of course. If those opinions are based on anything like your mistaken fact in point #1 ...
Google sucks at UX/UI (Score:1)
You think they'd be able to hire good people for it.
Re: (Score:2)
Oh? You think good UX/UI is feeding the end user gobbledegook they can't understand and only serves to confuse them about the nature of their security?
Genius!
WTF? (Score:3)
I'd say "slow news days" but it's not like nothing is happening in the world right now.
Re: (Score:1)
I'd say "slow news days" but it's not like nothing is happening in the world right now.
Found the dev responsible for this idiocy :-P
Leave a comment at the link (Score:5, Interesting)
That's a great idea, google... (Score:5, Insightful)
Re: (Score:2)
You check certificates while you're browsing? Shit I'm going to go buy a lottery ticket.
The bright spark at Google who came up with this idea is the same bright spark who realises that no users actually do this. It says secure up the top, that's what people look for, assuming they look at all. The rest is just security gobbledegook that really only a few seasoned developers understand. So it makes sense to have that in the development tab.
And blow me down if it isn't much faster simply hitting F12 than it i
Re: (Score:1)
F12 is not a discoverable part of the UI.
I see that developers STILL have no clue how to build user interfaces.
Re: (Score:2)
F12 is not a discoverable part of the UI.
F12 is something we call a shortcut. Developers love them. It saves them time. Slashdot users often like knowing them, so you're bucking the trend here. You can also get to the same menu by clicking Ctrl+Shift+I. If you're not the type of person who actually knows how to use shortcuts then it is in a completely non-intuitive* place: Settings > More Tools > Developer Tools
*This was sarcastic. If you're complaining about not being able to find how to open developer tools given the existing setup of Chro
Just one more step in dumbing down anapplication. (Score:2)
Re: (Score:2)
Implying that there exists a user who's smart enough to read and understand the details of an SSL cert but is too dumb to open up the development tools by hitting F12?
bug (Score:2)
That's a bug right?
https://bugs.chromium.org/p/ch... [chromium.org]
Re: (Score:2)
Qualification Necessary (Score:3)
The average person, is not qualified to read or understand that tab about when it is secure and when it isnt. Hell, the average university masters graduate is not qualified to understand the information on the SSL security certificate.
I recon they are simplifying the browser security to make websites more ruthless in adhering to good security practices by punishing those admins who give their users a false sense of security.
Re: (Score:2)
The average person, is not qualified to read or understand that tab about when it is secure and when it isnt.
Bullhockey. The average person is absolutely qualified to understand that americanbank.com probably didn't buy their EV certificate from China Internet Network Information Center.
Google just made it easier for scammers to hide. Heck they may as well just default accept self-signed certs.
A chain of trust is useless if you make it difficult to check the chain.
Problematic in an enterprise environment... (Score:1)
In many enterprise environments the developer tools are disabled via group policy. This change means many users who may want to view this information now will no longer be able to. Considering how enterprise security teams are always trying to educate users on safety this simple check now cannot be done.
Google? Why bother (Score:1)
They re only after your life, the universe and everything about you so that they can use it to send you adverts
That is their sole function in life these days.
Avoid them like the plague. Don't give them the keys to your life.
I hate such UI changes (Score:2)
Silent changes (Score:1)
Most unpleasant is this is this change having been done silently. When I click on padlock icon, no more hint where to look for that information.
Personally, I don't like software products that change interface etc. without even a short hint where to look for relocated information. it's not a rocket science to open Dev.tools, but hell, why should I solve that simple quest at all?
(a rhetoric question)
Great to hide corp or govt ordered SSL intercepts (Score:1)
The Subject says it all..
If you miss the easy way (Score:2)
Re: (Score:1)
It also applies to chromium >=56...
Re: (Score:1)
That may be the reason that they hid it (Score:4, Interesting)
And if you go to the security section in chrome and check the slashdot cert you see "and an obsolete cipher (AES_256_CBC with HMAC-SHA1)" ! So slashdot should really update to a better than sha1 certificate to be really secure!
That may be the reason that they hid it. Naive users might get worried about this sort of warning. Of course SHA1 is still good enough for sites like Slashdot, nobody is going to use the immense computational time required to break SHA1 so that they can mess up your karma.
Re: (Score:1)
That may be the reason that they hid it. Naive users might get worried about this sort of warning.
I am a Naive user when it comes to SSL. But I Need to have the cert information so I can compare the fingerprints and hashes against my local copy when I access sites where I created my own private SSL cert. There is no other way for me to be sure the certificate does not belong to a MITM. But do tell me if I am wrong, I may just be Naive. I would imagine there is a way to generate client certs as an alternative, but this is not well documented for Naive users.
Throwing the SSL details into some obscure loca
Re: (Score:2)
Slashdot is using a certificate with a SHA-256 signature. You are talking about the encryption cipher the webserver is using, which has been superseded, but is not yet considered a security risk.
Re: (Score:3)
People still use that spyware..?
More people now than ever with a user base that is still on a steady upwards trend.
But hey we get it. You're cool for calling it spyware bro.
Re: (Score:2)
Better than nothing, which is typical of most users.