Slashdot Mirror

← Back to Stories (view on slashdot.org)

'Here's Where Google Hid Chrome's SSL Certificate Information' (vortex.com)

Posted by EditorDavid on from the searching-for-certs dept.

"Google Chrome users have been contacting me wondering why they no longer could access the detailed status of Chrome https: connections, or view the organization and other data associated with SSL certificates for those connections," writes Slashdot reader Lauren Weinstein, adding "Google took a simple click in an intuitive place and replaced it with a bunch of clicks scattered around." Up to now for the stable version of Chrome, you simply clicked the little green padlock icon on an https: connection, clicked on the "Details" link that appeared, and a panel then opened that gave you that status, along with an obvious button to click for viewing the actual certificate data such as Organization, issuance and expiration dates, etc. Suddenly, that "Details" link no longer is present...

The full certificate data is available from the "Developers tools" panel under the "Security" label. In fact, that's where this info has been for quite some time, but since the now missing "Details" link took you directly to that panel, most users probably didn't even realize that they were deep in the Developers tools section of the browser.
On some systems you can just press F12, but the alternate route is to click on the three vertical dots in the upper right, then select "More Tools", and then "Developer Tools". (And if you don't then see "Security", click on the " >>".)

19 of 105 comments (clear)

  1. Which version? by Anonymous Coward · · Score: 2, Informative

    v55 still has the "details" link.

    1. Re:Which version? by BenJeremy · · Score: 5, Insightful

      v58 has the lock icon, but no details about the cert.

      What a stupid decision to remove details. I'm really more interested in the reason for this idiocy, but I'm guessing the person responsible is too much of a coward to face the criticism and be held accountable.

    2. Re:Which version? by mysidia · · Score: 5, Interesting

      I don't know.... But this issue needs to get Security Vulnerability status, Because I am sure considering it as one.

      I was previously recommending Chrome above Internet Explorer for security reasons, but because of this issue I have to reverse that now......

    3. Re:Which version? by johannesg · · Score: 2

      And that's entirely correct. Developers develop. Managers decide. After they make their decision they inform the developers what to do. The developers will then either do that, or get fired. Would you really want to get fired over a single button?

    4. Re:Which version? by thegarbz · · Score: 4, Interesting

      I'm really more interested in the reason for this idiocy

      I'll take a guess. Google the absolute master of telemetry and information gathering probably noticed that it was one of the least used buttons on the screen and that yet another option just adds to the confusion for end users in that already massive menu. They probably also could correlate people who use developer tools with people who would actually check the details of a security certificate.

      I've done it once this year. Wanted to check if my own security cert updated correctly on my website. Developer tools is a great place for that information, and let's face it, no normal user ever checked the certificate. Hell back before the little green / red bars, back before they said secure, back when we were actively telling users to check the status by clicking up there no one did it.

    5. Re:Which version? by bmo · · Score: 4, Insightful

      A rock is the perfect design then.

      Since it has no features except the physical ones, it is as minimalistic as it can get.

      It does have uses, though.

      You can throw it at the minimalist developer/designer's head.

      --
      BMO

    6. Re:Which version? by 93+Escort+Wagon · · Score: 3, Insightful

      What a stupid decision to remove details. I'm really more interested in the reason for this idiocy, but I'm guessing the person responsible is too much of a coward to face the criticism and be held accountable.

      Having filed bug reports / feature requests agains Chrome a few times in the past, and having been involved in a few tedious back-and-forth exchanges with Chrome developers... I'm reasonably confident in saying any communication which might happen regarding this removal will boil down to: "We at Google know better than you".

      But it's not cowardice - it's arrogance.

      --
      #DeleteChrome
    7. Re:Which version? by EndlessNameless · · Score: 2

      Developers own the bugs they write. However, management determines when they're allowed to fix them.

      In commercial software, new features historically got priority over bug fixes---unless the bugs in question were really bad.

      But this is a feature change. Bringing up bugs is a distraction.

      It's almost impossible for an entire UI option to disappear from one place and move somewhere else due to a mere bug.

      This was a deliberate change in the way the software works, and so the decision was ultimately made or approved by management.

      --

      ---
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
  2. Obscurity is... by lloy0076 · · Score: 3, Funny

    ...security? Isn't it?

  3. WTF? by Lisandro · · Score: 2

    I'd say "slow news days" but it's not like nothing is happening in the world right now.

  4. Leave a comment at the link by hudsucker · · Score: 4, Interesting

    The "Details" link was replaced by a "Learn more" link, which leads to a less than useful Chrome Help page. That page lets you submit a comment as to how helpful the page is. If the "Learn more" link is not helpful in viewing the security certificate, we should leave a comment to tell them that.

  5. That's a great idea, google... by QuietLagoon · · Score: 5, Insightful

    Make it more difficult to check the security cert when I'm browsing. What bright spark at google came up with this idea?

  6. Re:Google management is now often sloppy. by johannesg · · Score: 5, Insightful

    It's called "alphabet" in an open and blatant reference to "alphabet agencies". It's for the people who didn't realize Google is an extension of the CIA, NSA, etc.

  7. bug by Cronq · · Score: 2

    That's a bug right?

    https://bugs.chromium.org/p/ch...

  8. Re: Users are Idiots by Doloresanto · · Score: 2

    You can get this in Chrome by using HTTPS Everywhere extension, optionally in strict mode.

  9. Qualification Necessary by Tim12s · · Score: 2

    The average person, is not qualified to read or understand that tab about when it is secure and when it isnt. Hell, the average university masters graduate is not qualified to understand the information on the SSL security certificate.

    I recon they are simplifying the browser security to make websites more ruthless in adhering to good security practices by punishing those admins who give their users a false sense of security.

  10. Re:Chrome? by thegarbz · · Score: 2

    People still use that spyware..?

    More people now than ever with a user base that is still on a steady upwards trend.

    But hey we get it. You're cool for calling it spyware bro.

  11. Use secure or not, don't pretend by raymorris · · Score: 2

    GP said invalid or expired certificates. If you want to use http (vs https), fine. You know it's not a secured connection.

    If you use https with a certificate that can't be verified, you've not secured the connection, only pretended to. I can generate an (unvalidated) certificate for any of your hosts and mitm you, if you use unvalidated certs.

    GP suggestion allows it be either be secure, or not secure, you just can't PRETEND that it's secure when it's really not.

  12. That may be the reason that they hid it by Chrisq · · Score: 3, Interesting

    And if you go to the security section in chrome and check the slashdot cert you see "and an obsolete cipher (AES_256_CBC with HMAC-SHA1)" ! So slashdot should really update to a better than sha1 certificate to be really secure!

    That may be the reason that they hid it. Naive users might get worried about this sort of warning. Of course SHA1 is still good enough for sites like Slashdot, nobody is going to use the immense computational time required to break SHA1 so that they can mess up your karma.