Issue 110191: Error message for untrusted certificates does not describe why Proceed button is missing
Chrome Version: 17.0.963.33
OS Version: Ubuntu 10.04.2 LTS, Linux 2.6.38.8 x86_64

What steps will reproduce the problem?
1. Visit a site that has a self-signed certificate, but the site's domain is protected by HSTS or Chrome's hard-coded list.
2. Chrome displays the typical "This site's security certificate is not trusted!", but does not inform you why the Proceed button is missing.

What is the expected result?
The error message should give some clue that increased domain security is preventing clicking through the error. Providing more information to a user is very important, as HSTS can includeSubDomains. Without providing more information, a subdomain's website operator may not even understand why the self-signed certificate is being blocked without the click-through option, since HSTS can be enabled without his knowledge and he would not know to contact his parent domain's maintainer.

What happens instead?
The error message is the same as when the Proceed button is present. The message even includes "You should not proceed, especially if you have never seen this warning before for this site," which does not apply.

UserAgentString: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.33 Safari/535.11
Jan 13, 2012
The matter of the "You should not proceed" text was resolved in http://crrev.com/114744 , which should be a part of the next Chrome release (Chrome 18).
Labels: Internals-Network-SSL
Jan 19, 2012
In addition to the matter of the "You should not proceed" text, I propose: "You cannot proceed, because the website operator has requested heightened security for this domain." On sites where you can proceed (no HSTS), we currently (as of the patch rsleevi noted) say: "You should not proceed, <strong>especially</strong> if you have never seen this warning before for this site." So the proposed "cannot proceed" text mirrors the "should not". How's that? https://chromiumcodereview.appspot.com/9195027
Status: Started
Jan 20, 2012
The following revision refers to this bug:
http://src.chromium.org/viewvc/chrome?view=rev&revision=118557
------------------------------------------------------------------------
r118557 | palmer@chromium.org | Fri Jan 20 16:09:26 PST 2012
Changed paths:
M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/ssl/ssl_blocking_page.cc?r1=118557&r2=118556&pathrev=118557
M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/app/generated_resources.grd?r1=118557&r2=118556&pathrev=118557
M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/resources/ssl_error.html?r1=118557&r2=118556&pathrev=118557
In cases of SSL error page due to HSTS, explain why the user cannot proceed.
BUG=110191
TEST=none
Review URL: http://codereview.chromium.org/9195027
------------------------------------------------------------------------
Jan 20, 2012
I had trouble determining who the "How's that?" question was to. Apparently it was to me. Yes, the new text is reasonable and conveys a reasonable amount of why the Proceed button is missing. Thank you very much!
Jan 20, 2012
Thanks for reporting the issue! It's the kind of thing I like to fix.
Status: Fixed
Feb 6, 2012
Issue 112861 has been merged into this issue.
Feb 13, 2012
Issue 114012 has been merged into this issue.
Feb 13, 2012
If I understood this correctly, this issue should have been fixed in 18 with two options, one for you shouldn't proceed, but you can at your own risk, and one for cannot proceed because of heightened security from the website operator. I just downloaded 19.0.1040.0 canary, and when I try to get to my appspot, the same issue still exists. I receive "You cannot proceed because the website operator has requested heightened security for this domain." We have not done anything additional, and I am still able to access the dev sites on IE7, 8, 9, Safari 5.2.1 and FF10. We tell our users that Chrome is our preferred browser, but I can't say that if I can't test in Chrome before it goes live. Help would be greatly appreciated.
Feb 13, 2012
wetherington13: the "123.appid.appspot.com" URLs do not work and hopefully AppEngine will soon be updating their documentation to remove mentions of them. The working version of the URL from your screenshot is "https://160-dot-viewpath3.appspot.com".
Feb 13, 2012
All of appspot.com is protected by the higher security protections, and has been opted-in to at Google's request. Note, to work around this issue, you can visit https://160-viewpath3.appspot.com . Note that the dash is substituted for the dot between the first and second domain components. This will properly validate with the *.appspot.com certificate and you should receive no warnings.
Owner: pal...@chromium.org
Labels: -OS-Linux -Area-Undefined -Pri-2 OS-All Area-UI Pri-1 Mstone-18 Feature-Security
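
The behaviour discussed in this thread, as an added example (not Chromium code and not part of the original issue): a simplified model of why a certificate error becomes non-overridable under HSTS, and why a `*.appspot.com` certificate covers `160-dot-viewpath3.appspot.com` but not a two-label name such as `123.appid.appspot.com`. The function names, the HSTS store layout and the `example.test` hosts are assumptions made for illustration.

```python
# Added illustration: simplified model, not Chromium's implementation.

def wildcard_matches(pattern: str, host: str) -> bool:
    """Compare a certificate name with a host name. A '*' stands for exactly
    one whole leftmost label, so it never spans a dot."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return bool(h[0]) and p[1:] == h[1:]
    return p == h


def hsts_applies(host: str, hsts_store: dict) -> bool:
    """True if the host itself has an HSTS entry, or a parent domain has one
    with includeSubDomains set."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        entry = hsts_store.get(".".join(labels[i:]))
        if entry is not None and (i == 0 or entry["include_subdomains"]):
            return True
    return False


def evaluate(host, cert_names, chain_trusted, hsts_store) -> str:
    """Return 'ok', 'overridable' (Proceed button shown) or 'fatal'
    (no Proceed button, the case this issue is about)."""
    name_ok = any(wildcard_matches(n, host) for n in cert_names)
    if name_ok and chain_trusted:
        return "ok"
    return "fatal" if hsts_applies(host, hsts_store) else "overridable"


# Constructed sample state, modelled on the comments above.
HSTS_STORE = {"appspot.com": {"include_subdomains": True}}
APPSPOT_CERT = ["*.appspot.com", "appspot.com"]

if __name__ == "__main__":
    for h in ("160-dot-viewpath3.appspot.com", "123.appid.appspot.com"):
        print(h, "->", evaluate(h, APPSPOT_CERT, True, HSTS_STORE))
    # Self-signed certificate on a host with no HSTS entry: click-through allowed.
    print(evaluate("dev.example.test", ["dev.example.test"], False, HSTS_STORE))
```

The second host is reported as `fatal` even though the certificate chain is trusted: the name mismatch is an error, and the parent domain's includeSubDomains policy removes the click-through.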