Slashdot Mirror

← Back to Stories (view on slashdot.org)

'Here's Where Google Hid Chrome's SSL Certificate Information' (vortex.com)

Posted by EditorDavid on from the searching-for-certs dept.

"Google Chrome users have been contacting me wondering why they no longer could access the detailed status of Chrome https: connections, or view the organization and other data associated with SSL certificates for those connections," writes Slashdot reader Lauren Weinstein, adding "Google took a simple click in an intuitive place and replaced it with a bunch of clicks scattered around." Up to now for the stable version of Chrome, you simply clicked the little green padlock icon on an https: connection, clicked on the "Details" link that appeared, and a panel then opened that gave you that status, along with an obvious button to click for viewing the actual certificate data such as Organization, issuance and expiration dates, etc. Suddenly, that "Details" link no longer is present...

The full certificate data is available from the "Developers tools" panel under the "Security" label. In fact, that's where this info has been for quite some time, but since the now missing "Details" link took you directly to that panel, most users probably didn't even realize that they were deep in the Developers tools section of the browser.
On some systems you can just press F12, but the alternate route is to click on the three vertical dots in the upper right, then select "More Tools", and then "Developer Tools". (And if you don't then see "Security", click on the " >>".)

63 of 105 comments (clear)

  1. Which version? by Anonymous Coward · · Score: 2, Informative

    v55 still has the "details" link.

    1. Re:Which version? by BenJeremy · · Score: 5, Insightful

      v58 has the lock icon, but no details about the cert.

      What a stupid decision to remove details. I'm really more interested in the reason for this idiocy, but I'm guessing the person responsible is too much of a coward to face the criticism and be held accountable.

    2. Re:Which version? by quonset · · Score: 1

      As we routinely read on here, it's never the developer's fault. For anything. It's always someone else's fault when bug-ridden software is pushed out or when changes such as this one are made.

      So don't hold your breath expecting a developer, or group of developers, to stand up and claim ownership for this.

    3. Re:Which version? by mysidia · · Score: 5, Interesting

      I don't know.... But this issue needs to get Security Vulnerability status, Because I am sure considering it as one.

      I was previously recommending Chrome above Internet Explorer for security reasons, but because of this issue I have to reverse that now......

    4. Re: Which version? by Anonymous Coward · · Score: 1

      Can I ask why? Is moving the information making it less secure?

    5. Re:Which version? by johannesg · · Score: 2

      And that's entirely correct. Developers develop. Managers decide. After they make their decision they inform the developers what to do. The developers will then either do that, or get fired. Would you really want to get fired over a single button?

    6. Re:Which version? by thegarbz · · Score: 1

      v56 doesn't.

    7. Re:Which version? by thegarbz · · Score: 4, Interesting

      I'm really more interested in the reason for this idiocy

      I'll take a guess. Google the absolute master of telemetry and information gathering probably noticed that it was one of the least used buttons on the screen and that yet another option just adds to the confusion for end users in that already massive menu. They probably also could correlate people who use developer tools with people who would actually check the details of a security certificate.

      I've done it once this year. Wanted to check if my own security cert updated correctly on my website. Developer tools is a great place for that information, and let's face it, no normal user ever checked the certificate. Hell back before the little green / red bars, back before they said secure, back when we were actively telling users to check the status by clicking up there no one did it.

    8. Re:Which version? by bmo · · Score: 4, Insightful

      A rock is the perfect design then.

      Since it has no features except the physical ones, it is as minimalistic as it can get.

      It does have uses, though.

      You can throw it at the minimalist developer/designer's head.

      --
      BMO

    9. Re:Which version? by 93+Escort+Wagon · · Score: 3, Insightful

      What a stupid decision to remove details. I'm really more interested in the reason for this idiocy, but I'm guessing the person responsible is too much of a coward to face the criticism and be held accountable.

      Having filed bug reports / feature requests agains Chrome a few times in the past, and having been involved in a few tedious back-and-forth exchanges with Chrome developers... I'm reasonably confident in saying any communication which might happen regarding this removal will boil down to: "We at Google know better than you".

      But it's not cowardice - it's arrogance.

      --
      #DeleteChrome
    10. Re:Which version? by stephanruby · · Score: 1

      Do you actually use that? I know I don't. I'm pretty sure most people don't.

    11. Re:Which version? by jarkus4 · · Score: 1

      Its not about user checking the cert, but about UI. In both cases the chance for checking would be near 0, but now the UI has one useless button less for those remaining 99%

    12. Re:Which version? by beuges · · Score: 1

      Interestingly, Microsoft also collects telemetry related to Windows usage, but then it's labelled spyware.
      When Google uses telemetry and correlation to identify that the people viewing cert details also typically make use of developer tools, it's called cleaning up 'yet another option [that] just adds to the confusion for end users'.
      When Microsoft uses telemetry and correlation to reposition OS features, it's called spyware that sends all your documents to the NSA.

    13. Re: Which version? by Midnight+Thunder · · Score: 1

      Just like the stupid URL display choice in the address bar. Maybe they are secretly wanting to recreate an AOL experience, minus the coasters?

      --
      Jumpstart the tartan drive.
    14. Re:Which version? by BenJeremy · · Score: 1

      Good thing to see that many people use the MIDI device enable button!!!! I'd hate soooo much to see Google remove that!

      Something as fundamental as details about the cert should never be buried, no matter how rarely it is used. Let's also talk about Extensions... a useful feature, but functionality is buried under several layers of UI "goop" just to get new extensions. Seems like it's designed to discourage users from getting new extensions.

      Also, if I use certs for servers I have on my own LAN (for example, WebMin to run Linux servers I keep in my basement), Google has just made things a bit more difficult to access self-signed certs which are completely adequate for such a use, but require some additional up-front steps to use.

    15. Re:Which version? by EndlessNameless · · Score: 2

      Developers own the bugs they write. However, management determines when they're allowed to fix them.

      In commercial software, new features historically got priority over bug fixes---unless the bugs in question were really bad.

      But this is a feature change. Bringing up bugs is a distraction.

      It's almost impossible for an entire UI option to disappear from one place and move somewhere else due to a mere bug.

      This was a deliberate change in the way the software works, and so the decision was ultimately made or approved by management.

      --

      ---
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    16. Re: Which version? by operagost · · Score: 1

      Yes. For example, on this site, it gets a green lock icon because it uses a valid certificate chain with TLS 1.2. However, it uses an obsolete cipher. This may be seen as nitpicking for most, but hiding this information might cause the end user to not bother investigating when it might actually be a risk.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
  2. Re:Chrome? by Anonymous Coward · · Score: 1

    It also applies to chromium >=56...

  3. Obscurity is... by lloy0076 · · Score: 3, Funny

    ...security? Isn't it?

    1. Re:Obscurity is... by thegarbz · · Score: 1

      No, but irrelevance is irrelevant. Users didn't understand what they were looking at, and those few that do are more than able to find what is effectively debugging information in the developer tools panel.

  4. Users are Idiots by Anonymous Coward · · Score: 1

    Present company not withstanding, probably less than 10% of users have any idea what a public key certificate is, who issues them and what a chain of trust is. Hiding this information from idiot users is acceptable if the browser also, by default, refuses to connect to HTTPS sites with expired certificates or certificates not issued by a trusted authority. If something is not right with the certificates the regular idiot user should get the big red warning page with the "Here be Dragons!" message.

    1. Re:Users are Idiots by mmell · · Score: 1

      Screw that! This would mean that if I have a small organization and use HTTP internally (a very common practice), I can't let my employees use Chrome? The alternative is to obtain and maintain valid certificates for intranet sites, and nearly all small businesses lack the money and/or the expertise to do so. While I'm generally in favor of more security as opposed to less, I don't think Google has thought this one through all the way.

    2. Re: Users are Idiots by Doloresanto · · Score: 2

      You can get this in Chrome by using HTTPS Everywhere extension, optionally in strict mode.

    3. Re: Users are Idiots by Anonymous Coward · · Score: 1

      I'm pretty sure you can do a custom Chrome install that has your certificates pre-installed. But if you are arguing that the "whoa there, this site's SSL info looks fishy!" page should be disabled by default, then you are trading in an inconvenience for a glaring vulnerability.

    4. Re:Users are Idiots by thegarbz · · Score: 1

      Business lack the expertise to obtain valid certificates, but have the expertise to generate their own?
      They have the expertise to generate their own certificates but are too inept to import them as a trusted source into the windows machines thereby not only ensuring Chrome has the right security approach but all other applications as well?

      What kind of strange businesses have you worked with?

    5. Re:Users are Idiots by thegarbz · · Score: 1

      Hiding this information from idiot users is acceptable if the browser also, by default, refuses to connect to HTTPS sites with expired certificates or certificates not issued by a trusted authority.

      Exactly what Chrome is doing. Except the users don't get a warning page, they get a thou shall not pass page.

  5. Google Voice is free to U.S. and Canada. by Futurepower(R) · · Score: 1

    Error: I should have said that Google Voice is free for calls to the U.S. & Canada.

  6. Google sucks at UX/UI by Anonymous Coward · · Score: 1

    You think they'd be able to hire good people for it.

    1. Re:Google sucks at UX/UI by thegarbz · · Score: 1

      Oh? You think good UX/UI is feeding the end user gobbledegook they can't understand and only serves to confuse them about the nature of their security?

      Genius!

  7. WTF? by Lisandro · · Score: 2

    I'd say "slow news days" but it's not like nothing is happening in the world right now.

    1. Re:WTF? by Anonymous Coward · · Score: 1

      I'd say "slow news days" but it's not like nothing is happening in the world right now.

      Found the dev responsible for this idiocy :-P

  8. Re:Google management is now often sloppy. by lesincompetent · · Score: 1

    Google "management"?
    Think about the state of google's messaging platform(s). Then every other fuckup will be clear.

  9. Leave a comment at the link by hudsucker · · Score: 4, Interesting

    The "Details" link was replaced by a "Learn more" link, which leads to a less than useful Chrome Help page. That page lets you submit a comment as to how helpful the page is. If the "Learn more" link is not helpful in viewing the security certificate, we should leave a comment to tell them that.

  10. Re:Security, The Google Way... by WarJolt · · Score: 1

    Better than nothing, which is typical of most users.

  11. That's a great idea, google... by QuietLagoon · · Score: 5, Insightful

    Make it more difficult to check the security cert when I'm browsing. What bright spark at google came up with this idea?

    1. Re:That's a great idea, google... by thegarbz · · Score: 1

      You check certificates while you're browsing? Shit I'm going to go buy a lottery ticket.

      The bright spark at Google who came up with this idea is the same bright spark who realises that no users actually do this. It says secure up the top, that's what people look for, assuming they look at all. The rest is just security gobbledegook that really only a few seasoned developers understand. So it makes sense to have that in the development tab.

      And blow me down if it isn't much faster simply hitting F12 than it is to actually grab my mouse, click the damn lock icon, and click through to details.

    2. Re:That's a great idea, google... by operagost · · Score: 1

      F12 is not a discoverable part of the UI.

      I see that developers STILL have no clue how to build user interfaces.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    3. Re:That's a great idea, google... by thegarbz · · Score: 1

      F12 is not a discoverable part of the UI.

      F12 is something we call a shortcut. Developers love them. It saves them time. Slashdot users often like knowing them, so you're bucking the trend here. You can also get to the same menu by clicking Ctrl+Shift+I. If you're not the type of person who actually knows how to use shortcuts then it is in a completely non-intuitive* place: Settings > More Tools > Developer Tools

      *This was sarcastic. If you're complaining about not being able to find how to open developer tools given the existing setup of Chrome then it's not the UI that is the problem.

  12. Just one more step in dumbing down anapplication. by edibobb · · Score: 1

    "Just think how much money we'll save on tech support and development when the application doesn't do anything at all!"

  13. Re:Google management is now often sloppy. by johannesg · · Score: 5, Insightful

    It's called "alphabet" in an open and blatant reference to "alphabet agencies". It's for the people who didn't realize Google is an extension of the CIA, NSA, etc.

  14. bug by Cronq · · Score: 2

    That's a bug right?

    https://bugs.chromium.org/p/ch...

    1. Re:bug by SmilingBoy · · Score: 1

      A fixed bug even... Maybe worth checking before submitting a story like this!

  15. Qualification Necessary by Tim12s · · Score: 2

    The average person, is not qualified to read or understand that tab about when it is secure and when it isnt. Hell, the average university masters graduate is not qualified to understand the information on the SSL security certificate.

    I recon they are simplifying the browser security to make websites more ruthless in adhering to good security practices by punishing those admins who give their users a false sense of security.

    1. Re:Qualification Necessary by SJ · · Score: 1

      The average person, is not qualified to read or understand that tab about when it is secure and when it isnt.

      Bullhockey. The average person is absolutely qualified to understand that americanbank.com probably didn't buy their EV certificate from China Internet Network Information Center.

      Google just made it easier for scammers to hide. Heck they may as well just default accept self-signed certs.

      A chain of trust is useless if you make it difficult to check the chain.

  16. Re:Google management is now often sloppy. by thegarbz · · Score: 1

    2) More and more, Google software like Chrome and Android is getting a bad reputation for being invasive and destructive. The first comment in this story is "Chrome? People still use that spyware..?"

    That reputation is among the very few that care about things like that. Regardless of which graph you look at, or who provides the data, Chrome use is still on a steady upwards trend meaning more people use it than ever. As for that first comment, well at least it lives up to the reputation of first comments. I wouldn't use it as a data point.

    It's not possible to update Android on most phones, without risking bricking the phone.

    That hasn't been true since gingerbread and nearly all vendors offer a nice auto upgrade process which reboots, does checks, applies the updates, and drops you right back where you left off. Actually I don't think I've ever heard of a case where an official update executed through proper normal channels has bricked a device, much less "most phones".

    4) Perhaps 3 years ago, a Google manager told me that Google does not properly document what the company is doing.

    This is essentially true for every company working on every project that isn't someway government related.

    5) It was foolish for Google to adopt the name Alphabet [wikipedia.org].

    Google is not Alphabet. Alphabet owns Google. No user will ever see Alphabet on a product or service page. The only people who will see Alphabet are investors, economists, and traders, and if they can't figure out which company they are looking at then maybe they should quit their day jobs and find something more suited to their mental capacity, like flipping burgers.

    Why do good companies deteriorate? At one time, an employee of Google said the company should "Do no evil." Now Google apparently does evil when some not very clear-minded Google manager thinks, "Evil will make more money."

    Only because people see what they want to see and take statements out of context, apply their own biases and pre-conceptions and then declare the company to be going against a direction the person themselves mentally created. Kind of like the "evil" thing. I've yet to see someone complain that "do no evil" doesn't apply, where there is actual "evil" involved.

  17. Google? Why bother by Anonymous Coward · · Score: 1

    They re only after your life, the universe and everything about you so that they can use it to send you adverts
    That is their sole function in life these days.

    Avoid them like the plague. Don't give them the keys to your life.

  18. I hate such UI changes by 140Mandak262Jamuna · · Score: 1

    I have a 24 inch full hd screen. The UI seems to be optimized for a 5 inch handheld screen. Three dots, or three lines, sometimes nine dots, some times a gear sometimes something else, press and hold but sometimes press will be a click.... And on top of it the developers play where did they hide my cheese....

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  19. Re:Just one more step in dumbing down anapplicatio by thegarbz · · Score: 1

    Implying that there exists a user who's smart enough to read and understand the details of an SSL cert but is too dumb to open up the development tools by hitting F12?

  20. Re:Chrome? by thegarbz · · Score: 2

    People still use that spyware..?

    More people now than ever with a user base that is still on a steady upwards trend.

    But hey we get it. You're cool for calling it spyware bro.

  21. Google maps tells me it's 49 miles via Longview by raymorris · · Score: 1

    > 1) Google maps says that Woodland, WA state is a few miles from St. Helens, OR state. But the Columbia River flows between those cities, and there is no bridge.

    Google maps tells ME that you have to go all thev way up to Longview, 49 miles. Maybe you clicked the plane icon they used to have?

    The rest of your points are all opinions and you're welcome to your opinion, of course. If those opinions are based on anything like your mistaken fact in point #1 ...

  22. Interesting theory by raymorris · · Score: 1

    > They probably also could correlate people who use developer tools with people who would actually check the details of a security certificate.

    Interesting theory. Google *is* all about correlation.

  23. Use secure or not, don't pretend by raymorris · · Score: 2

    GP said invalid or expired certificates. If you want to use http (vs https), fine. You know it's not a secured connection.

    If you use https with a certificate that can't be verified, you've not secured the connection, only pretended to. I can generate an (unvalidated) certificate for any of your hosts and mitm you, if you use unvalidated certs.

    GP suggestion allows it be either be secure, or not secure, you just can't PRETEND that it's secure when it's really not.

  24. Re:Google management is now often sloppy. by tepples · · Score: 1

    It's not possible to update Android on most phones, without risking bricking the phone.

    That hasn't been true since gingerbread and nearly all vendors offer a nice auto upgrade process which reboots, does checks, applies the updates, and drops you right back where you left off. Actually I don't think I've ever heard of a case where an official update executed through proper normal channels has bricked a device, much less "most phones".

    I think the implication is that "most phones" don't have "an official update executed through proper normal channels" available at all. Therefore the only possibility to update is through CM or Lineage or what they're calling it now, and the installation process for that is what risks a brick.

  25. Silent changes by KonstantinBoyandin · · Score: 1

    Most unpleasant is this is this change having been done silently. When I click on padlock icon, no more hint where to look for that information.

    Personally, I don't like software products that change interface etc. without even a short hint where to look for relocated information. it's not a rocket science to open Dev.tools, but hell, why should I solve that simple quest at all?

    (a rhetoric question)

  26. Great to hide corp or govt ordered SSL intercepts by Anonymous Coward · · Score: 1

    The Subject says it all..

  27. Re:Chrome? by mcloaked · · Score: 1

    And if you go to the security section in chrome and check the slashdot cert you see "and an obsolete cipher (AES_256_CBC with HMAC-SHA1)" ! So slashdot should really update to a better than sha1 certificate to be really secure!

    --
    mike c
  28. If you miss the easy way by John.Banister · · Score: 1

    Vivaldi browser provides just that described functionality when you click on the lock icon.

  29. That may be the reason that they hid it by Chrisq · · Score: 3, Interesting

    And if you go to the security section in chrome and check the slashdot cert you see "and an obsolete cipher (AES_256_CBC with HMAC-SHA1)" ! So slashdot should really update to a better than sha1 certificate to be really secure!

    That may be the reason that they hid it. Naive users might get worried about this sort of warning. Of course SHA1 is still good enough for sites like Slashdot, nobody is going to use the immense computational time required to break SHA1 so that they can mess up your karma.

    1. Re:That may be the reason that they hid it by peawormsworth · · Score: 1

      That may be the reason that they hid it. Naive users might get worried about this sort of warning.

      I am a Naive user when it comes to SSL. But I Need to have the cert information so I can compare the fingerprints and hashes against my local copy when I access sites where I created my own private SSL cert. There is no other way for me to be sure the certificate does not belong to a MITM. But do tell me if I am wrong, I may just be Naive. I would imagine there is a way to generate client certs as an alternative, but this is not well documented for Naive users.

      Throwing the SSL details into some obscure location in the browser to keep this information from worrying Naive users, makes the browser useless when they desire to securely communication with their own servers.

      I don't use Chrome because it sucks for people who want to control their own security and remove trust from the makers of the browser. This is just another reason why I am happy to not be using Chrome.

  30. Re:Google management is now often sloppy. by thegarbz · · Score: 1

    I think the implication is that "most phones" don't have "an official update executed through proper normal channels" available at all.

    Then it would still be wrong. Every major Android manufacturer has an update process through official channels. The only exceptions are some of the stupid US specific carrier issues which cause one-off phone models to be created and have updates hampered by the carriers themselves.

    The length that updates are available are a different question, but much like the very issue we are discussing, it has nothing to do with Google. We also don't blame Ubuntu when downstream forks/remxies aren't updated either. Google provides the updates, provides them in a timely way and provides an official channel. HTC (for a completely unsubstantiated example) not providing an update for the HTC One is entirely irrelevant when discussing Google management.

  31. Google could use Google Play Store as a cudgel by tepples · · Score: 1

    Every major Android manufacturer has an update process through official channels. The only exceptions are some of the stupid US specific carrier issues which cause one-off phone models to be created and have updates hampered by the carriers themselves.

    For one thing, both Google and SlashdotMedia are headquartered in the US, making "US specific [...] issues" on-topic. For another, "carrier issues" don't explain why manufacturers of tablets can't manage to deliver usable updates. One reason is that newer Android versions tend to require more RAM and a faster, larger NAND. Upgrading a first-generation Nexus 7 tablet (Tegra 3, 1 GB RAM, 8 GB NAND) from Android 4.4 to 5.x, for example, leads to an unusably janky system with lag that often reaches five seconds. I've read rumors that this has something to do with disk-level encryption becoming enabled by default in newer versions of Android, and I guess part of the problem might be that encryption breaks data compression, which some NAND controllers use to improve write speed by fitting more logical sectors in each erase block.

    We also don't blame Ubuntu when downstream forks/remxies aren't updated either.

    We do when Canonical announces plans to remove from its repository the libraries needed for compatibility with Wine and other 32-bit applications, as it has announced for Ubuntu 18.10.

    HTC (for a completely unsubstantiated example) not providing an update for the HTC One is entirely irrelevant when discussing Google management.

    In theory, Google has the power under copyright to require licensees of the proprietary Google Play Store application to offer Android OS updates for however many months.

    1. Re:Google could use Google Play Store as a cudgel by thegarbz · · Score: 1

      making "US specific [...] issues"

      You conflated two points into one. US specific issues don't make it off topic. The fact that Android by virtue of being open source and by the fact that vendors take and then heavily modify the OS to the point where Google is unable to offer a central update is what makes it off topic.

      One reason is that newer Android versions tend to require more RAM and a faster, larger NAND

      Goalpost moving. We're not talking about the length of updates, the GP said that no official channel was supplied for updates from most vendors. That is just wrong.

      Upgrading a first-generation Nexus 7 tablet (Tegra 3, 1 GB RAM, 8 GB NAND) from Android 4.4 to 5.x, for example

      Oh good so you're agreeing with me, given that the Nexus 7 was not released with 4.4 but rather several versions earlier.

      We do when Canonical announces plans to remove from its repository the libraries needed for compatibility with Wine and other 32-bit applications, as it has announced for Ubuntu 18.10.

      Sure and if Google decide to remove the ability to make phone calls from the OS then you'd have a point. This isn't goalpost moving, now you're deciding we are playing rugby instead of football.

      In theory, Google has the power under copyright to require licensees of the proprietary Google Play Store application to offer Android OS updates for however many months.

      In practice Google relies a lot on not pissing off its integrators who are all looking for opportunities to bypass Google with custom stores and alternative OSes as it is. In more practice suddenly introducing this requirement will see them fall afoul of competition regulators which is entirely why their approach has been one of enabling smooth upgrades (standard upgrade processes were introduced a few years ago, splitting of carrier data and device drivers was introduced, core OS parts such as APIs relevant for security were integrated into the playstore) rather than forcing 3rd parties to incur unreasonable expense introduced by Google's framework.

  32. Re:Chrome? by tweak13 · · Score: 1

    You have no idea what you're talking about, and probably a good example of why they hid this information away

    Slashdot is using a certificate with a SHA-256 signature. You are talking about the encryption cipher the webserver is using, which has been superseded, but is not yet considered a security risk.