Slashdot Mirror


'Here's Where Google Hid Chrome's SSL Certificate Information' (vortex.com)

"Google Chrome users have been contacting me wondering why they no longer could access the detailed status of Chrome https: connections, or view the organization and other data associated with SSL certificates for those connections," writes Slashdot reader Lauren Weinstein, adding "Google took a simple click in an intuitive place and replaced it with a bunch of clicks scattered around." Up to now for the stable version of Chrome, you simply clicked the little green padlock icon on an https: connection, clicked on the "Details" link that appeared, and a panel then opened that gave you that status, along with an obvious button to click for viewing the actual certificate data such as Organization, issuance and expiration dates, etc. Suddenly, that "Details" link no longer is present...

The full certificate data is available from the "Developers tools" panel under the "Security" label. In fact, that's where this info has been for quite some time, but since the now missing "Details" link took you directly to that panel, most users probably didn't even realize that they were deep in the Developers tools section of the browser.

On some systems you can just press F12, but the alternate route is to click on the three vertical dots in the upper right, then select "More Tools", and then "Developer Tools". (And if you don't then see "Security", click on the " >>".)

105 comments

  1. Which version? by Anonymous Coward · · Score: 2, Informative

    v55 still has the "details" link.

    1. Re:Which version? by BenJeremy · · Score: 5, Insightful

      v58 has the lock icon, but no details about the cert.

      What a stupid decision to remove details. I'm really more interested in the reason for this idiocy, but I'm guessing the person responsible is too much of a coward to face the criticism and be held accountable.

    2. Re:Which version? by quonset · · Score: 1

      As we routinely read on here, it's never the developer's fault. For anything. It's always someone else's fault when bug-ridden software is pushed out or when changes such as this one are made.

      So don't hold your breath expecting a developer, or group of developers, to stand up and claim ownership for this.

    3. Re:Which version? by mysidia · · Score: 5, Interesting

      I don't know.... But this issue needs to get Security Vulnerability status, because I am sure considering it as one.

      I was previously recommending Chrome above Internet Explorer for security reasons, but because of this issue I have to reverse that now......

    4. Re: Which version? by Anonymous Coward · · Score: 0

      It isn't removed - it's moved. You could argue that it isn't as easy to get to, but it certainly isn't removed.

    5. Re: Which version? by Anonymous Coward · · Score: 1

      Can I ask why? Is moving the information making it less secure?

    6. Re: Which version? by Anonymous Coward · · Score: 0

      Hiding the security settings that were once easily available could be.

      Though all this chicken little "Google CONSPIRACY!1!" is typical FUD.

    7. Re:Which version? by Anonymous Coward · · Score: 0

      Modern UI design theology say: fewer features is streamlined and therefore betterer. Hiding a feature is (apparently) the next best thing.

    8. Re:Which version? by Anonymous Coward · · Score: 0

      wonder if there is a way to crossreference people who worked on Mozilla UI with Chrome UI.

    9. Re:Which version? by johannesg · · Score: 2

      And that's entirely correct. Developers develop. Managers decide. After they make their decision they inform the developers what to do. The developers will then either do that, or get fired. Would you really want to get fired over a single button?

    10. Re:Which version? by Anonymous Coward · · Score: 0

      On a number of occasions as a developer I have been forced to make changes I flag as being awful. At the end of the day I'm paid to do what my manager instructs. If I don't, someone else gets the job. I absolutely don't take responsibility for these bad choices or the problems they have caused.

    11. Re:Which version? by thegarbz · · Score: 1

      v56 doesn't.

    12. Re:Which version? by thegarbz · · Score: 4, Interesting

      I'm really more interested in the reason for this idiocy

      I'll take a guess. Google the absolute master of telemetry and information gathering probably noticed that it was one of the least used buttons on the screen and that yet another option just adds to the confusion for end users in that already massive menu. They probably also could correlate people who use developer tools with people who would actually check the details of a security certificate.

      I've done it once this year. Wanted to check if my own security cert updated correctly on my website. Developer tools is a great place for that information, and let's face it, no normal user ever checked the certificate. Hell back before the little green / red bars, back before they said secure, back when we were actively telling users to check the status by clicking up there no one did it.

    13. Re:Which version? by bmo · · Score: 4, Insightful

      A rock is the perfect design then.

      Since it has no features except the physical ones, it is as minimalistic as it can get.

      It does have uses, though.

      You can throw it at the minimalist developer/designer's head.

      --
      BMO

    14. Re:Which version? by Anonymous Coward · · Score: 0

      Google the absolute master of telemetry and information gathering probably noticed that it was one of the least used buttons on the screen

      What's the next least-used button on the screen? And the one after that? And after that?
      The "biting nails" approach to UI is a downward spiral.

    15. Re:Which version? by 93+Escort+Wagon · · Score: 3, Insightful

      What a stupid decision to remove details. I'm really more interested in the reason for this idiocy, but I'm guessing the person responsible is too much of a coward to face the criticism and be held accountable.

      Having filed bug reports / feature requests against Chrome a few times in the past, and having been involved in a few tedious back-and-forth exchanges with Chrome developers... I'm reasonably confident in saying any communication which might happen regarding this removal will boil down to: "We at Google know better than you".

      But it's not cowardice - it's arrogance.

      --
      #DeleteChrome

    16. Re:Which version? by Anonymous Coward · · Score: 0

      Didn't realize no developer is ever responsible for a single bug, error, or security hole. It was all those managers forcing perfect developers to write imperfect code the whole time! Damned managers, without them interfering, security updates would be a thing of the past!

    17. Re:Which version? by stephanruby · · Score: 1

      Do you actually use that? I know I don't. I'm pretty sure most people don't.

    18. Re: Which version? by Anonymous Coward · · Score: 0

      This is not a bug though, somebody decided to remove it.

    19. Re:Which version? by Anonymous Coward · · Score: 0

      Google would remove the Z from your keyboard if they could.

    20. Re:Which version? by Anonymous Coward · · Score: 0

      Even if we take your assertion that users are not looking at certificates as true (I'm not prepared to do so without data), I fail to see how burying access to certificate information behind menus and dialogs will increase the likelihood that a user will check certificate information.

    21. Re:Which version? by jarkus4 · · Score: 1

      It's not about user checking the cert, but about UI. In both cases the chance for checking would be near 0, but now the UI has one useless button less for those remaining 99%

    22. Re: Which version? by Anonymous Coward · · Score: 0

      Cowardice? It takes *courage* to remove things!

    23. Re:Which version? by beuges · · Score: 1

      Interestingly, Microsoft also collects telemetry related to Windows usage, but then it's labelled spyware.
      When Google uses telemetry and correlation to identify that the people viewing cert details also typically make use of developer tools, it's called cleaning up 'yet another option [that] just adds to the confusion for end users'.
      When Microsoft uses telemetry and correlation to reposition OS features, it's called spyware that sends all your documents to the NSA.

    24. Re: Which version? by Anonymous Coward · · Score: 0

      Hiding the security settings that were once easily available could be.

      Though all this chicken little "Google CONSPIRACY!1!" is typical FUD.

      Well, it's not a conspiracy to spy on your entire fucking life when Google is only one entity.

    25. Re: Which version? by Midnight+Thunder · · Score: 1

      Just like the stupid URL display choice in the address bar. Maybe they are secretly wanting to recreate an AOL experience, minus the coasters?

      --
      Jumpstart the tartan drive.

    26. Re:Which version? by BenJeremy · · Score: 1

      Good thing to see that many people use the MIDI device enable button!!!! I'd hate soooo much to see Google remove that!

      Something as fundamental as details about the cert should never be buried, no matter how rarely it is used. Let's also talk about Extensions... a useful feature, but functionality is buried under several layers of UI "goop" just to get new extensions. Seems like it's designed to discourage users from getting new extensions.

      Also, if I use certs for servers I have on my own LAN (for example, WebMin to run Linux servers I keep in my basement), Google has just made things a bit more difficult to access self-signed certs which are completely adequate for such a use, but require some additional up-front steps to use.

    27. Re:Which version? by Anonymous Coward · · Score: 0

      Google has an opt-out option for data collection (yes, really). Microsoft does not.

    28. Re:Which version? by EndlessNameless · · Score: 2

      Developers own the bugs they write. However, management determines when they're allowed to fix them.

      In commercial software, new features historically got priority over bug fixes---unless the bugs in question were really bad.

      But this is a feature change. Bringing up bugs is a distraction.

      It's almost impossible for an entire UI option to disappear from one place and move somewhere else due to a mere bug.

      This was a deliberate change in the way the software works, and so the decision was ultimately made or approved by management.

      --

      ---
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.

    29. Re:Which version? by Anonymous Coward · · Score: 0

      How does a minor UI decision result in name-calling and incitements of violence? Why don't all of you so concerned explain your use cases calmly in a place where the Chrome team can read and understand them and ask you follow-up questions? Stop throwing rocks at people you don't know.

    30. Re: Which version? by Anonymous Coward · · Score: 0

      Don't be retarded, MS collects telemetry the same as Google, they don't need to "identify" anyone, just get a percentage of the number of users that click on that. Why would you need to get the name and correlate it to the browsing history of someone to know this? They don't, but don't let that stop you from your hysterical bitching that serves so much for the people that actually fight for privacy with rational arguments.

      TLDR: Take your meds

    31. Re: Which version? by Anonymous Coward · · Score: 0

      Having the information there is a quick and easy way for people to look at the security settings. By putting the info into developer tools, it makes it seem like that information is only useful or helpful to developers. The last thing we need is people abdicating all responsibility for ensuring they are using security sites because they aren't developers.

    32. Re: Which version? by operagost · · Score: 1

      Yes. For example, on this site, it gets a green lock icon because it uses a valid certificate chain with TLS 1.2. However, it uses an obsolete cipher. This may be seen as nitpicking for most, but hiding this information might cause the end user to not bother investigating when it might actually be a risk.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.

    33. Re: Which version? by Anonymous Coward · · Score: 0

      Unless it is a bug that it isn't clickable and the "workaround" is the only way to access it.

  2. Re:Chrome? by Anonymous Coward · · Score: 1

    It also applies to chromium >=56...

  3. Obscurity is... by lloy0076 · · Score: 3, Funny

    ...security? Isn't it?

    1. Re: Obscurity is... by Anonymous Coward · · Score: 0

      Depends. Do they:

      A. Not give a shit about DMCA style laws?

      B. Have access to the machine code?

      C. Have a debugger, and either knowledge of the instruction set used and / or an instruction set reference chart?

      If you answered yes to all 3 questions, then congratulations! There is no obscurity, and if that's all your security system had going for it, you are now hacked! Better luck next time!

    2. Re:Obscurity is... by thegarbz · · Score: 1

      No, but irrelevance is irrelevant. Users didn't understand what they were looking at, and those few that do are more than able to find what is effectively debugging information in the developer tools panel.

  4. Users are Idiots by Anonymous Coward · · Score: 1

    Present company notwithstanding, probably less than 10% of users have any idea what a public key certificate is, who issues them and what a chain of trust is. Hiding this information from idiot users is acceptable if the browser also, by default, refuses to connect to HTTPS sites with expired certificates or certificates not issued by a trusted authority. If something is not right with the certificates the regular idiot user should get the big red warning page with the "Here be Dragons!" message.

    1. Re:Users are Idiots by mmell · · Score: 1

      Screw that! This would mean that if I have a small organization and use HTTP internally (a very common practice), I can't let my employees use Chrome? The alternative is to obtain and maintain valid certificates for intranet sites, and nearly all small businesses lack the money and/or the expertise to do so. While I'm generally in favor of more security as opposed to less, I don't think Google has thought this one through all the way.

    2. Re: Users are Idiots by Doloresanto · · Score: 2

      You can get this in Chrome by using HTTPS Everywhere extension, optionally in strict mode.

    3. Re: Users are Idiots by Anonymous Coward · · Score: 1

      I'm pretty sure you can do a custom Chrome install that has your certificates pre-installed. But if you are arguing that the "whoa there, this site's SSL info looks fishy!" page should be disabled by default, then you are trading in an inconvenience for a glaring vulnerability.

    4. Re:Users are Idiots by thegarbz · · Score: 1

      Businesses lack the expertise to obtain valid certificates, but have the expertise to generate their own?
      They have the expertise to generate their own certificates but are too inept to import them as a trusted source into the windows machines thereby not only ensuring Chrome has the right security approach but all other applications as well?

      What kind of strange businesses have you worked with?

    5. Re:Users are Idiots by thegarbz · · Score: 1

      Hiding this information from idiot users is acceptable if the browser also, by default, refuses to connect to HTTPS sites with expired certificates or certificates not issued by a trusted authority.

      Exactly what Chrome is doing. Except the users don't get a warning page, they get a thou shall not pass page.

    6. Re:Users are Idiots by Anonymous Coward · · Score: 0

      Surely you meant "use HTTPS internally"...

  5. Hipsters and UI by Anonymous Coward · · Score: 0

    Oil and water.

  6. Google management is now often sloppy. by Futurepower(R) · · Score: 0

    We are seeing a lot of instances of sloppy, insufficient Google management. Here are some:

    1) Google maps says that Woodland, WA state is a few miles from St. Helens, OR state. But the Columbia River flows between those cities, and there is no bridge. I gave feedback about that perhaps 2 years ago. Maybe no one reads the feedback.

    2) More and more, Google software like Chrome and Android is getting a bad reputation for being invasive and destructive. The first comment in this story is "Chrome? People still use that spyware..?"

    I used Chrome a long time ago. I uninstalled it when I realized it installed 3 system services.

    It's not possible to update Android on most phones, without risking bricking the phone. Abusive phone companies want you to buy another phone with a 2-year contract; they don't want updates. Google allows the bad reputation.

    3) Google Voice is a wonderful free service. Only 1 cent per minute to call Brazil! But the woman who writes the documentation, "Megan", obviously has no technical knowledge, and no interest in full understanding. The Google Voice user interface has hidden flaws; no one is fixing them, apparently.

    4) Perhaps 3 years ago, a Google manager told me that Google does not properly document what the company is doing. She said it is difficult or impossible for Google employees to follow the progress of their company.

    5) It was foolish for Google to adopt the name Alphabet. Every time someone sees the name, it is necessary to realize it's not about an alphabet.

    6) There are many more areas of poor and sloppy management at Google, now Alphabet, but that's enough for now.

    Why do good companies deteriorate? At one time, an employee of Google said the company should "Do no evil." Now Google apparently does evil when some not very clear-minded Google manager thinks, "Evil will make more money."

    1. Re:Google management is now often sloppy. by Anonymous Coward · · Score: 0

      Well what do you expect from a company funded by the CIA? As always the peasants believe whatever they are told, like Google's "do no harm" mantra or every president's speeches against the establishment.
      They always lie. It's the one thing you can count on from corporations and politicians.

    2. Re:Google management is now often sloppy. by Anonymous Coward · · Score: 0

      Add one more to the list:

      I got a Nexus 4 back in the day, ordered it directly from Google. First one I got was broken out of the box, and the next one I got worked for three weeks and then the cellular radio shat itself, and it stopped being functional as a phone. I was just a poor schlub at the time, and by the time the second one got around, my bank account was nearly empty, but they refused to do an RMA without that money in the account. They refused, REFUSED, after talking to the highest management I could get a hold of, to allow me to send in the defective unit FIRST, and THEN have them send me a new one.

      No, they could ONLY put a hold on $300 in my account, and then send me a new one, and then release the hold when they got the broken one, and since I didn't have that money, they basically just said "too bad for you, fuck off" and I decided after having a gmail account for 10 years and me willingly allowing them my data for that time, and then willingly paying them my own money for their product to have them fuck me this bad that I had no intention to give a fuck about Google anymore.

    3. Re:Google management is now often sloppy. by lesincompetent · · Score: 1

      Google "management"?
      Think about the state of google's messaging platform(s). Then every other fuckup will be clear.

    4. Re:Google management is now often sloppy. by Anonymous Coward · · Score: 0

      Dropping widely-used products is the other big issue. This is out of date, but still true:

      https://www.theguardian.com/technology/2013/mar/22/google-keep-services-closed

      Which shows a mean time of 1,459 days before Google kills a product.

    5. Re:Google management is now often sloppy. by johannesg · · Score: 5, Insightful

      It's called "alphabet" in an open and blatant reference to "alphabet agencies". It's for the people who didn't realize Google is an extension of the CIA, NSA, etc.

    6. Re: Google management is now often sloppy. by Anonymous Coward · · Score: 0

      1) 42.5 miles via Longview or further via Portland seem reasonable enough for a road trip. Certainly not taking some fictitious as-the-crow-flies bridge directly across the river.

    7. Re:Google management is now often sloppy. by Anonymous Coward · · Score: 0

      Google does 2 things very well. The rest is 'ok' and fits into their advertising eco system.

      Those 2 things? Search and advertising.

      Everything else in the 'long term' (2 or more years with no monetization) is killed off when whoever was running it gets bored and leaves the company.

      It is the same reason IE6 sucked. When it first came out? It was actually the best of the best. Yet MS then proceeded to ignore it and do nothing with it. Everyone, including google ran by them. MS *OWNED* that market then let it go. They did not lose one penny on letting it go. But they had sunk huge amounts of time and money into making it work in the first place. My guess is google eventually comes to the same conclusion. The only way they can monetize chrome is by telemetry going back to the mother ship. The same thing everyone criticizes MS for doing with win10 (and rightfully so). If that selling of telemetry becomes a burden to google you will see them radically change the program then kill it.

      "Evil will make more money."
      I think it has more to do with the idea that they can somehow champion particular causes. They think 'a bit of evil' is OK somehow. When it will erode the very core of their business, ethics, and eventually end up exactly where you say.

    8. Re:Google management is now often sloppy. by thegarbz · · Score: 1

      2) More and more, Google software like Chrome and Android is getting a bad reputation for being invasive and destructive. The first comment in this story is "Chrome? People still use that spyware..?"

      That reputation is among the very few that care about things like that. Regardless of which graph you look at, or who provides the data, Chrome use is still on a steady upwards trend meaning more people use it than ever. As for that first comment, well at least it lives up to the reputation of first comments. I wouldn't use it as a data point.

      It's not possible to update Android on most phones, without risking bricking the phone.

      That hasn't been true since gingerbread and nearly all vendors offer a nice auto upgrade process which reboots, does checks, applies the updates, and drops you right back where you left off. Actually I don't think I've ever heard of a case where an official update executed through proper normal channels has bricked a device, much less "most phones".

      4) Perhaps 3 years ago, a Google manager told me that Google does not properly document what the company is doing.

      This is essentially true for every company working on every project that isn't someway government related.

      5) It was foolish for Google to adopt the name Alphabet [wikipedia.org].

      Google is not Alphabet. Alphabet owns Google. No user will ever see Alphabet on a product or service page. The only people who will see Alphabet are investors, economists, and traders, and if they can't figure out which company they are looking at then maybe they should quit their day jobs and find something more suited to their mental capacity, like flipping burgers.

      Why do good companies deteriorate? At one time, an employee of Google said the company should "Do no evil." Now Google apparently does evil when some not very clear-minded Google manager thinks, "Evil will make more money."

      Only because people see what they want to see and take statements out of context, apply their own biases and pre-conceptions and then declare the company to be going against a direction the person themselves mentally created. Kind of like the "evil" thing. I've yet to see someone complain that "do no evil" doesn't apply, where there is actual "evil" involved.

    9. Re:Google management is now often sloppy. by Anonymous Coward · · Score: 0

      Google Maps used to be the best, but it has definitely lost its ways. When I try to get directions to my parents house, it puts me in the wrong city several hours away. The problem is for some reason they misspelled the name of the street. Even if you GOOGLE for the street name, it corrects you with the right one. But on Maps it is wrong. I've submitted a ticket to have it fixed but it is still wrong.

    10. Re:Google management is now often sloppy. by tepples · · Score: 1

      It's not possible to update Android on most phones, without risking bricking the phone.

      That hasn't been true since gingerbread and nearly all vendors offer a nice auto upgrade process which reboots, does checks, applies the updates, and drops you right back where you left off. Actually I don't think I've ever heard of a case where an official update executed through proper normal channels has bricked a device, much less "most phones".

      I think the implication is that "most phones" don't have "an official update executed through proper normal channels" available at all. Therefore the only possibility to update is through CM or Lineage or what they're calling it now, and the installation process for that is what risks a brick.

    11. Re:Google management is now often sloppy. by thegarbz · · Score: 1

      I think the implication is that "most phones" don't have "an official update executed through proper normal channels" available at all.

      Then it would still be wrong. Every major Android manufacturer has an update process through official channels. The only exceptions are some of the stupid US specific carrier issues which cause one-off phone models to be created and have updates hampered by the carriers themselves.

      The length that updates are available is a different question, but much like the very issue we are discussing, it has nothing to do with Google. We also don't blame Ubuntu when downstream forks/remixes aren't updated either. Google provides the updates, provides them in a timely way and provides an official channel. HTC (for a completely unsubstantiated example) not providing an update for the HTC One is entirely irrelevant when discussing Google management.

  7. Google Voice is free to U.S. and Canada. by Futurepower(R) · · Score: 1

    Error: I should have said that Google Voice is free for calls to the U.S. & Canada.

  8. It's who APPROVED the developer's work. by Anonymous Coward · · Score: 0

    It's who APPROVED the developer's work.

    Fault? Not if the goddamned entire thing is planned, meeting'd to death, and signed off a dozen times over.

  9. Google sucks at UX/UI by Anonymous Coward · · Score: 1

    You think they'd be able to hire good people for it.

    1. Re:Google sucks at UX/UI by thegarbz · · Score: 1

      Oh? You think good UX/UI is feeding the end user gobbledegook they can't understand and only serves to confuse them about the nature of their security?

      Genius!

  10. WTF? by Lisandro · · Score: 2

    I'd say "slow news days" but it's not like nothing is happening in the world right now.

    1. Re:WTF? by Anonymous Coward · · Score: 1

      I'd say "slow news days" but it's not like nothing is happening in the world right now.

      Found the dev responsible for this idiocy :-P

  11. Leave a comment at the link by hudsucker · · Score: 4, Interesting

    The "Details" link was replaced by a "Learn more" link, which leads to a less than useful Chrome Help page. That page lets you submit a comment as to how helpful the page is. If the "Learn more" link is not helpful in viewing the security certificate, we should leave a comment to tell them that.

  12. Re:Security, The Google Way... by WarJolt · · Score: 1

    Better than nothing, which is typical of most users.

  13. That's a great idea, google... by QuietLagoon · · Score: 5, Insightful

    Make it more difficult to check the security cert when I'm browsing. What bright spark at google came up with this idea?

    1. Re:That's a great idea, google... by thegarbz · · Score: 1

      You check certificates while you're browsing? Shit I'm going to go buy a lottery ticket.

      The bright spark at Google who came up with this idea is the same bright spark who realises that no users actually do this. It says secure up the top, that's what people look for, assuming they look at all. The rest is just security gobbledegook that really only a few seasoned developers understand. So it makes sense to have that in the development tab.

      And blow me down if it isn't much faster simply hitting F12 than it is to actually grab my mouse, click the damn lock icon, and click through to details.

    2. Re:That's a great idea, google... by Anonymous Coward · · Score: 0

      You think a mouse click on the visible padlock icon is somehow crazy esoteric. And yet the alternative you are A-OK with is a hidden shortcut to an inscrutable console interface?

      I can tell you that there are a hell of a lot more people that understand the basic idea of security certificates and how they are used than there are who can make sense of the developer console.

    3. Re:That's a great idea, google... by Anonymous Coward · · Score: 0

      You have obviously never had to use internal web-based tools that may be in beta.

      Being able to check that the "SSL error!" is just that the cert for www.betalauch.thiscompany.com is issued from www.it.thiscompany.com is pretty useful, and let's face it, clicking on the lock to get more details was very intuitive.

    4. Re:That's a great idea, google... by Anonymous Coward · · Score: 0

      how much does googlensa pay you for shilling here?

    5. Re:That's a great idea, google... by operagost · · Score: 1

      F12 is not a discoverable part of the UI.

      I see that developers STILL have no clue how to build user interfaces.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.

    6. Re:That's a great idea, google... by thegarbz · · Score: 1

      F12 is not a discoverable part of the UI.

      F12 is something we call a shortcut. Developers love them. It saves them time. Slashdot users often like knowing them, so you're bucking the trend here. You can also get to the same menu by clicking Ctrl+Shift+I. If you're not the type of person who actually knows how to use shortcuts then it is in a completely non-intuitive* place: Settings > More Tools > Developer Tools

      *This was sarcastic. If you're complaining about not being able to find how to open developer tools given the existing setup of Chrome then it's not the UI that is the problem.

  14. Just one more step in dumbing down an application. by edibobb · · Score: 1

    "Just think how much money we'll save on tech support and development when the application doesn't do anything at all!"

  15. bug by Cronq · · Score: 2
    1. Re:bug by SmilingBoy · · Score: 1

      A fixed bug even... Maybe worth checking before submitting a story like this!

  16. Qualification Necessary by Tim12s · · Score: 2

    The average person is not qualified to read or understand that tab about when it is secure and when it isn't. Hell, the average university masters graduate is not qualified to understand the information on the SSL security certificate.

    I reckon they are simplifying the browser security to make websites more ruthless in adhering to good security practices by punishing those admins who give their users a false sense of security.

    1. Re:Qualification Necessary by SJ · · Score: 1

      > The average person is not qualified to read or understand that tab about when it is secure and when it isn't.

      Bullhockey. The average person is absolutely qualified to understand that americanbank.com probably didn't buy their EV certificate from China Internet Network Information Center.

      Google just made it easier for scammers to hide. Heck they may as well just default accept self-signed certs.

      A chain of trust is useless if you make it difficult to check the chain.

  17. Problematic in an enterprise environment... by slasher999 · · Score: 0

    In many enterprise environments the developer tools are disabled via group policy. This change means many users who may want to view this information now will no longer be able to. Considering how enterprise security teams are always trying to educate users on safety this simple check now cannot be done.

    1. Re:Problematic in an enterprise environment... by Anonymous Coward · · Score: 0

      In the old version, the details pop up in the developer tools. So if they can't access it, they wouldn't be able to see the details right now...

  18. Google? Why bother by Anonymous Coward · · Score: 1

    They're only after your life, the universe and everything about you so that they can use it to send you adverts
    That is their sole function in life these days.

    Avoid them like the plague. Don't give them the keys to your life.

  19. I hate such UI changes by 140Mandak262Jamuna · · Score: 1

    I have a 24 inch full hd screen. The UI seems to be optimized for a 5 inch handheld screen. Three dots, or three lines, sometimes nine dots, sometimes a gear sometimes something else, press and hold but sometimes press will be a click.... And on top of it the developers play where did they hide my cheese....

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  20. Who needs certificate information by Anonymous Coward · · Score: 0

    Who needs to verify certificates, if you can just put all malware sites into a hosts file?

  21. Annoying by Anonymous Coward · · Score: 0

    So several domains of a business I run recently needed new certificates. I always like to make sure everything looks proper after I make a change like that. I hadn't used Chrome in a while and spent a good hour of time trying to figure out how to view what Chrome thought of my certificate. I figured this was a change Google did a while ago but I guess it's recent breakage.

    Google has jumped the shark long ago. They are the new Microsoft. Amusingly Microsoft is now the company following standards and doing the right thing. Go figure.

  22. At least Google DNS is ok... by Anonymous Coward · · Score: 0

    At least Google DNS hasn't been fucked up yet. Still the fastest in my location, according to GRC's DNSBench.

  23. Re:Just one more step in dumbing down anapplicatio by thegarbz · · Score: 1

    Implying that there exists a user who's smart enough to read and understand the details of an SSL cert but is too dumb to open up the development tools by hitting F12?

  24. Re:Chrome? by thegarbz · · Score: 2

    > People still use that spyware..?

    More people now than ever with a user base that is still on a steady upwards trend.

    But hey we get it. You're cool for calling it spyware bro.

  25. Google maps tells me it's 49 miles via Longview by raymorris · · Score: 1

    > 1) Google maps says that Woodland, WA state is a few miles from St. Helens, OR state. But the Columbia River flows between those cities, and there is no bridge.

    Google maps tells ME that you have to go all the way up to Longview, 49 miles. Maybe you clicked the plane icon they used to have?

    The rest of your points are all opinions and you're welcome to your opinion, of course. If those opinions are based on anything like your mistaken fact in point #1 ...

  26. Interesting theory by raymorris · · Score: 1

    > They probably also could correlate people who use developer tools with people who would actually check the details of a security certificate.

    Interesting theory. Google *is* all about correlation.

  27. Use secure or not, don't pretend by raymorris · · Score: 2

    GP said invalid or expired certificates. If you want to use http (vs https), fine. You know it's not a secured connection.

    If you use https with a certificate that can't be verified, you've not secured the connection, only pretended to. I can generate an (unvalidated) certificate for any of your hosts and mitm you, if you use unvalidated certs.

    GP's suggestion allows it to either be secure, or not secure, you just can't PRETEND that it's secure when it's really not.

  28. Silent changes by KonstantinBoyandin · · Score: 1

    Most unpleasant is this change having been done silently. When I click on the padlock icon, there is no more hint where to look for that information.

    Personally, I don't like software products that change interface etc. without even a short hint where to look for relocated information. It's not rocket science to open Dev.tools, but hell, why should I solve that simple quest at all?

    (a rhetorical question)

  29. Re: Chrome? by Anonymous Coward · · Score: 0

    And you don't think it is.... tell us more, cool bro.

  30. Feeling lucky by Anonymous Coward · · Score: 0

    Does anyone actually use the I'm feeling lucky button?

  31. Great to hide corp or govt ordered SSL intercepts by Anonymous Coward · · Score: 1

    The Subject says it all..

  32. Re:Chrome? by mcloaked · · Score: 1

    And if you go to the security section in chrome and check the slashdot cert you see "and an obsolete cipher (AES_256_CBC with HMAC-SHA1)" ! So slashdot should really update to a better than sha1 certificate to be really secure!

    --
    mike c
  33. If you miss the easy way by John.Banister · · Score: 1

    Vivaldi browser provides just that described functionality when you click on the lock icon.

  34. That may be the reason that they hid it by Chrisq · · Score: 3, Interesting

    > And if you go to the security section in chrome and check the slashdot cert you see "and an obsolete cipher (AES_256_CBC with HMAC-SHA1)" ! So slashdot should really update to a better than sha1 certificate to be really secure!

    That may be the reason that they hid it. Naive users might get worried about this sort of warning. Of course SHA1 is still good enough for sites like Slashdot, nobody is going to use the immense computational time required to break SHA1 so that they can mess up your karma.

    1. Re:That may be the reason that they hid it by peawormsworth · · Score: 1

      > That may be the reason that they hid it. Naive users might get worried about this sort of warning.

      I am a Naive user when it comes to SSL. But I Need to have the cert information so I can compare the fingerprints and hashes against my local copy when I access sites where I created my own private SSL cert. There is no other way for me to be sure the certificate does not belong to a MITM. But do tell me if I am wrong, I may just be Naive. I would imagine there is a way to generate client certs as an alternative, but this is not well documented for Naive users.

      Throwing the SSL details into some obscure location in the browser to keep this information from worrying Naive users, makes the browser useless when they desire to securely communicate with their own servers.

      I don't use Chrome because it sucks for people who want to control their own security and remove trust from the makers of the browser. This is just another reason why I am happy to not be using Chrome.
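Added example, not part of the comment above or of the original thread: the fingerprint comparison the commenter describes can be done outside the browser UI by hashing the certificate the server presents and comparing it with the hash of the locally kept copy. All function names here are hypothetical, and the "certificate" bytes are a constructed placeholder rather than a real X.509 certificate.

```python
import hashlib
import hmac
import ssl

# Constructed stand-in for the locally kept certificate. These bytes are NOT
# a real X.509 certificate; a fingerprint is a hash over whatever DER bytes
# the server sends, so the comparison logic is identical.
CONSTRUCTED_DER = b"constructed placeholder bytes standing in for a DER certificate"
LOCAL_PEM = ssl.DER_cert_to_PEM_cert(CONSTRUCTED_DER)


def fingerprint_der(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def fingerprint_pem(pem: str) -> str:
    """Fingerprint of a PEM certificate, e.g. the copy saved at creation time."""
    return fingerprint_der(ssl.PEM_cert_to_DER_cert(pem))


def display_form(hex_fp: str) -> str:
    """Colon-separated uppercase pairs, the way certificate viewers show it."""
    return ":".join(hex_fp[i:i + 2] for i in range(0, len(hex_fp), 2)).upper()


def normalize(fp: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex; reject anything else."""
    cleaned = fp.replace(":", "").replace(" ", "").lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("not a SHA-256 fingerprint")
    return cleaned


def matches_pin(served_der: bytes, pinned_fp: str) -> bool:
    """True only if the served certificate is byte-for-byte the pinned one."""
    return hmac.compare_digest(fingerprint_der(served_der), normalize(pinned_fp))


def check_server(host: str, port: int, pinned_fp: str) -> bool:
    """Fetch the certificate without CA validation (it is self-signed) and
    compare it with the pin. Needs network access; not run on import."""
    pem = ssl.get_server_certificate((host, port))
    return matches_pin(ssl.PEM_cert_to_DER_cert(pem), pinned_fp)
```

The pinned fingerprint has to come from the local copy of the certificate, not from the same connection being checked.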

  35. Google could use Google Play Store as a cudgel by tepples · · Score: 1

    > Every major Android manufacturer has an update process through official channels. The only exceptions are some of the stupid US specific carrier issues which cause one-off phone models to be created and have updates hampered by the carriers themselves.

    For one thing, both Google and SlashdotMedia are headquartered in the US, making "US specific [...] issues" on-topic. For another, "carrier issues" don't explain why manufacturers of tablets can't manage to deliver usable updates. One reason is that newer Android versions tend to require more RAM and a faster, larger NAND. Upgrading a first-generation Nexus 7 tablet (Tegra 3, 1 GB RAM, 8 GB NAND) from Android 4.4 to 5.x, for example, leads to an unusably janky system with lag that often reaches five seconds. I've read rumors that this has something to do with disk-level encryption becoming enabled by default in newer versions of Android, and I guess part of the problem might be that encryption breaks data compression, which some NAND controllers use to improve write speed by fitting more logical sectors in each erase block.

    > We also don't blame Ubuntu when downstream forks/remixes aren't updated either.

    We do when Canonical announces plans to remove from its repository the libraries needed for compatibility with Wine and other 32-bit applications, as it has announced for Ubuntu 18.10.

    > HTC (for a completely unsubstantiated example) not providing an update for the HTC One is entirely irrelevant when discussing Google management.

    In theory, Google has the power under copyright to require licensees of the proprietary Google Play Store application to offer Android OS updates for however many months.

    1. Re:Google could use Google Play Store as a cudgel by thegarbz · · Score: 1

      > making "US specific [...] issues"

      You conflated two points into one. US specific issues don't make it off topic. The fact that Android by virtue of being open source and by the fact that vendors take and then heavily modify the OS to the point where Google is unable to offer a central update is what makes it off topic.

      > One reason is that newer Android versions tend to require more RAM and a faster, larger NAND

      Goalpost moving. We're not talking about the length of updates, the GP said that no official channel was supplied for updates from most vendors. That is just wrong.

      > Upgrading a first-generation Nexus 7 tablet (Tegra 3, 1 GB RAM, 8 GB NAND) from Android 4.4 to 5.x, for example

      Oh good so you're agreeing with me, given that the Nexus 7 was not released with 4.4 but rather several versions earlier.

      > We do when Canonical announces plans to remove from its repository the libraries needed for compatibility with Wine and other 32-bit applications, as it has announced for Ubuntu 18.10.

      Sure and if Google decide to remove the ability to make phone calls from the OS then you'd have a point. This isn't goalpost moving, now you're deciding we are playing rugby instead of football.

      > In theory, Google has the power under copyright to require licensees of the proprietary Google Play Store application to offer Android OS updates for however many months.

      In practice Google relies a lot on not pissing off its integrators who are all looking for opportunities to bypass Google with custom stores and alternative OSes as it is. In more practice suddenly introducing this requirement will see them fall afoul of competition regulators which is entirely why their approach has been one of enabling smooth upgrades (standard upgrade processes were introduced a few years ago, splitting of carrier data and device drivers was introduced, core OS parts such as APIs relevant for security were integrated into the playstore) rather than forcing 3rd parties to incur unreasonable expense introduced by Google's framework.

  36. Re:Chrome? by tweak13 · · Score: 1

    You have no idea what you're talking about, and probably a good example of why they hid this information away.

    Slashdot is using a certificate with a SHA-256 signature. You are talking about the encryption cipher the webserver is using, which has been superseded, but is not yet considered a security risk.

  37. Re:Chrome? by Anonymous Coward · · Score: 0

    Works fine for me. Only a fool updates their browser.

    CAP === 'schools'