Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 internet speed test! ×
Chrome Google Privacy Security

'Here's Where Google Hid Chrome's SSL Certificate Information' (vortex.com) 105

"Google Chrome users have been contacting me wondering why they no longer could access the detailed status of Chrome https: connections, or view the organization and other data associated with SSL certificates for those connections," writes Slashdot reader Lauren Weinstein, adding "Google took a simple click in an intuitive place and replaced it with a bunch of clicks scattered around." Up to now for the stable version of Chrome, you simply clicked the little green padlock icon on an https: connection, clicked on the "Details" link that appeared, and a panel then opened that gave you that status, along with an obvious button to click for viewing the actual certificate data such as Organization, issuance and expiration dates, etc. Suddenly, that "Details" link no longer is present...

The full certificate data is available from the "Developers tools" panel under the "Security" label. In fact, that's where this info has been for quite some time, but since the now missing "Details" link took you directly to that panel, most users probably didn't even realize that they were deep in the Developers tools section of the browser.

On some systems you can just press F12, but the alternate route is to click on the three vertical dots in the upper right, then select "More Tools", and then "Developer Tools". (And if you don't then see "Security", click on the " >>".)
This discussion has been archived. No new comments can be posted.

'Here's Where Google Hid Chrome's SSL Certificate Information'

Comments Filter:
  • Which version? (Score:2, Informative)

    by Anonymous Coward
    v55 still has the "details" link.
    • Re:Which version? (Score:5, Insightful)

      by BenJeremy ( 181303 ) on Sunday January 29, 2017 @03:04PM (#53760771)

      v58 has the lock icon, but no details about the cert.

      What a stupid decision to remove details. I'm really more interested in the reason for this idiocy, but I'm guessing the person responsible is too much of a coward to face the criticism and be held accountable.

      • As we routinely read on here, it's never the developer's fault. For anything. It's always someone else's fault when bug-ridden software is pushed out or when changes such as this one are made.

        So don't hold your breath expecting a developer, or group of developers, to stand up and claim ownership for this.

        • And that's entirely correct. Developers develop. Managers decide. After they make their decision they inform the developers what to do. The developers will then either do that, or get fired. Would you really want to get fired over a single button?

      • Re:Which version? (Score:5, Interesting)

        by mysidia ( 191772 ) on Sunday January 29, 2017 @03:09PM (#53760803)

        I don't know.... But this issue needs to get Security Vulnerability status, Because I am sure considering it as one.

        I was previously recommending Chrome above Internet Explorer for security reasons, but because of this issue I have to reverse that now......

        • by Anonymous Coward

          Can I ask why? Is moving the information making it less secure?

          • Yes. For example, on this site, it gets a green lock icon because it uses a valid certificate chain with TLS 1.2. However, it uses an obsolete cipher. This may be seen as nitpicking for most, but hiding this information might cause the end user to not bother investigating when it might actually be a risk.
      • Re:Which version? (Score:5, Interesting)

        by thegarbz ( 1787294 ) on Sunday January 29, 2017 @04:42PM (#53761347)

        I'm really more interested in the reason for this idiocy

        I'll take a guess. Google the absolute master of telemetry and information gathering probably noticed that it was one of the least used buttons on the screen and that yet another option just adds to the confusion for end users in that already massive menu. They probably also could correlate people who use developer tools with people who would actually check the details of a security certificate.

        I've done it once this year. Wanted to check if my own security cert updated correctly on my website. Developer tools is a great place for that information, and let's face it, no normal user ever checked the certificate. Hell back before the little green / red bars, back before they said secure, back when we were actively telling users to check the status by clicking up there no one did it.

        • > They probably also could correlate people who use developer tools with people who would actually check the details of a security certificate.

          Interesting theory. Google *is* all about correlation.

        • by beuges ( 613130 )

          Interestingly, Microsoft also collects telemetry related to Windows usage, but then it's labelled spyware.
          When Google uses telemetry and correlation to identify that the people viewing cert details also typically make use of developer tools, it's called cleaning up 'yet another option [that] just adds to the confusion for end users'.
          When Microsoft uses telemetry and correlation to reposition OS features, it's called spyware that sends all your documents to the NSA.

      • Re:Which version? (Score:4, Insightful)

        by 93 Escort Wagon ( 326346 ) on Sunday January 29, 2017 @05:33PM (#53761567)

        What a stupid decision to remove details. I'm really more interested in the reason for this idiocy, but I'm guessing the person responsible is too much of a coward to face the criticism and be held accountable.

        Having filed bug reports / feature requests agains Chrome a few times in the past, and having been involved in a few tedious back-and-forth exchanges with Chrome developers... I'm reasonably confident in saying any communication which might happen regarding this removal will boil down to: "We at Google know better than you".

        But it's not cowardice - it's arrogance.

      • Do you actually use that? I know I don't. I'm pretty sure most people don't.

      • Just like the stupid URL display choice in the address bar. Maybe they are secretly wanting to recreate an AOL experience, minus the coasters?

    • v56 doesn't.

  • by lloy0076 ( 624338 ) on Sunday January 29, 2017 @03:04PM (#53760775) Homepage

    ...security? Isn't it?

    • No, but irrelevance is irrelevant. Users didn't understand what they were looking at, and those few that do are more than able to find what is effectively debugging information in the developer tools panel.

  • by Anonymous Coward

    Present company not withstanding, probably less than 10% of users have any idea what a public key certificate is, who issues them and what a chain of trust is. Hiding this information from idiot users is acceptable if the browser also, by default, refuses to connect to HTTPS sites with expired certificates or certificates not issued by a trusted authority. If something is not right with the certificates the regular idiot user should get the big red warning page with the "Here be Dragons!" message.

    • by mmell ( 832646 )
      Screw that! This would mean that if I have a small organization and use HTTP internally (a very common practice), I can't let my employees use Chrome? The alternative is to obtain and maintain valid certificates for intranet sites, and nearly all small businesses lack the money and/or the expertise to do so. While I'm generally in favor of more security as opposed to less, I don't think Google has thought this one through all the way.
      • by Anonymous Coward

        I'm pretty sure you can do a custom Chrome install that has your certificates pre-installed. But if you are arguing that the "whoa there, this site's SSL info looks fishy!" page should be disabled by default, then you are trading in an inconvenience for a glaring vulnerability.

      • Business lack the expertise to obtain valid certificates, but have the expertise to generate their own?
        They have the expertise to generate their own certificates but are too inept to import them as a trusted source into the windows machines thereby not only ensuring Chrome has the right security approach but all other applications as well?

        What kind of strange businesses have you worked with?

      • GP said invalid or expired certificates. If you want to use http (vs https), fine. You know it's not a secured connection.

        If you use https with a certificate that can't be verified, you've not secured the connection, only pretended to. I can generate an (unvalidated) certificate for any of your hosts and mitm you, if you use unvalidated certs.

        GP suggestion allows it be either be secure, or not secure, you just can't PRETEND that it's secure when it's really not.

    • You can get this in Chrome by using HTTPS Everywhere extension, optionally in strict mode.
    • Hiding this information from idiot users is acceptable if the browser also, by default, refuses to connect to HTTPS sites with expired certificates or certificates not issued by a trusted authority.

      Exactly what Chrome is doing. Except the users don't get a warning page, they get a thou shall not pass page.

  • by Anonymous Coward

    You think they'd be able to hire good people for it.

    • Oh? You think good UX/UI is feeding the end user gobbledegook they can't understand and only serves to confuse them about the nature of their security?

      Genius!

  • by Lisandro ( 799651 ) on Sunday January 29, 2017 @03:40PM (#53760997)

    I'd say "slow news days" but it's not like nothing is happening in the world right now.

    • by Anonymous Coward

      I'd say "slow news days" but it's not like nothing is happening in the world right now.

      Found the dev responsible for this idiocy :-P

  • by hudsucker ( 676767 ) on Sunday January 29, 2017 @03:41PM (#53761003)
    The "Details" link was replaced by a "Learn more" link, which leads to a less than useful Chrome Help page. That page lets you submit a comment as to how helpful the page is. If the "Learn more" link is not helpful in viewing the security certificate, we should leave a comment to tell them that.
  • by QuietLagoon ( 813062 ) on Sunday January 29, 2017 @03:57PM (#53761109)
    Make it more difficult to check the security cert when I'm browsing. What bright spark at google came up with this idea?
    • You check certificates while you're browsing? Shit I'm going to go buy a lottery ticket.

      The bright spark at Google who came up with this idea is the same bright spark who realises that no users actually do this. It says secure up the top, that's what people look for, assuming they look at all. The rest is just security gobbledegook that really only a few seasoned developers understand. So it makes sense to have that in the development tab.

      And blow me down if it isn't much faster simply hitting F12 than it i

      • F12 is not a discoverable part of the UI.

        I see that developers STILL have no clue how to build user interfaces.

        • F12 is not a discoverable part of the UI.

          F12 is something we call a shortcut. Developers love them. It saves them time. Slashdot users often like knowing them, so you're bucking the trend here. You can also get to the same menu by clicking Ctrl+Shift+I. If you're not the type of person who actually knows how to use shortcuts then it is in a completely non-intuitive* place: Settings > More Tools > Developer Tools

          *This was sarcastic. If you're complaining about not being able to find how to open developer tools given the existing setup of Chro

  • "Just think how much money we'll save on tech support and development when the application doesn't do anything at all!"
    • Implying that there exists a user who's smart enough to read and understand the details of an SSL cert but is too dumb to open up the development tools by hitting F12?

  • by Cronq ( 169424 )

    That's a bug right?

    https://bugs.chromium.org/p/ch... [chromium.org]

  • by Tim12s ( 209786 ) on Sunday January 29, 2017 @04:39PM (#53761331) Homepage

    The average person, is not qualified to read or understand that tab about when it is secure and when it isnt. Hell, the average university masters graduate is not qualified to understand the information on the SSL security certificate.

    I recon they are simplifying the browser security to make websites more ruthless in adhering to good security practices by punishing those admins who give their users a false sense of security.

    • by SJ ( 13711 )

      The average person, is not qualified to read or understand that tab about when it is secure and when it isnt.

      Bullhockey. The average person is absolutely qualified to understand that americanbank.com probably didn't buy their EV certificate from China Internet Network Information Center.

      Google just made it easier for scammers to hide. Heck they may as well just default accept self-signed certs.

      A chain of trust is useless if you make it difficult to check the chain.

  • In many enterprise environments the developer tools are disabled via group policy. This change means many users who may want to view this information now will no longer be able to. Considering how enterprise security teams are always trying to educate users on safety this simple check now cannot be done.

  • by Anonymous Coward

    They re only after your life, the universe and everything about you so that they can use it to send you adverts
    That is their sole function in life these days.

    Avoid them like the plague. Don't give them the keys to your life.

  • I have a 24 inch full hd screen. The UI seems to be optimized for a 5 inch handheld screen. Three dots, or three lines, sometimes nine dots, some times a gear sometimes something else, press and hold but sometimes press will be a click.... And on top of it the developers play where did they hide my cheese....
  • Most unpleasant is this is this change having been done silently. When I click on padlock icon, no more hint where to look for that information.

    Personally, I don't like software products that change interface etc. without even a short hint where to look for relocated information. it's not a rocket science to open Dev.tools, but hell, why should I solve that simple quest at all?

    (a rhetoric question)

  • The Subject says it all..

  • Vivaldi browser [vivaldi.com] provides just that described functionality when you click on the lock icon.

You are in a maze of little twisting passages, all different.

Working...