Chrome and misleading security information

by tcarnellon 6/25/2012, 9:41:46 AM with 5 comments
  • by dcheston 6/25/2012, 10:00:23 AM

    Did you read the warning? It pretty much answers your question:

    "This may mean that the server has generated its own security credentials, which Google Chrome cannot rely on for identity information, or an attacker may be trying to intercept your communications."

    I just want to ensure the user that information passed to/from the server is encrypted.

    Self-signed certificate doesn't guarantee the encrypted communication to/from your server. An attacker can intercept your handshake request and provide their own self-signed certificate.

    You can create your own CA, sign a server certificate with it, and then ask users to install your CA certificate into their browsers.

    Or you can get a free certificate from StartSSL.

    Alternatively, you can contribute to some replacement for TLS.

  • by Piskvorrron 6/25/2012, 9:47:23 AM

    What makes Chrome special here? AFAIK, every browser (FF, IE, Opera, you name it) treats HTTPS with problems as "extremely scary, alert the President" (which is, IMNSHO, absolutely correct behavior - "this site says it's HTTPS://whatever, but I'm unable to verify this, so let's crash and burn - it might just as well be https://evilsite.evil, for all I know"), whereas unsecured, plain HTTP is seen as "meh, whatever."

    Moreover, "why can't Google fix the Internet?" is, essentially, saying "do away with the other CAs, and make Google the ultimate CA" - doesn't fix the problem, plus makes it worse.

    (FWIW, there are cheap SSL certs out there which are signed by known CAs and thus don't trigger the security error.)

  • by mooism2on 6/25/2012, 9:48:18 AM

    Without verifying the identity of the site somehow, you are vulnerable to a mitm attack. So no, it's not a separate issue.

    What is your proposed site authentication mechanism that Chrome should use (and does it scale to Firefox, Safari, etc)?

  • by Sambdalaon 6/25/2012, 9:50:07 AM

    The red warning page you have to click through also seems irresponsible to use in cases like this.

    It's the same page you get when there's malware on a site.

  • by tcarnellon 6/25/2012, 9:49:04 AM

    I think I would be more relaxed if browsers used an additional icon to indicate if a site identity is verified or not.

    And just because somebody has paid for a site certificate and gets a nice green padlock icon on the URL bar does not mean they wont misuse peoples personal information, does it?