TLS blocking pages

[Clemens Gruber]

Hi,

I regularly visit webservers which use self-signed certificates.

With the new interstitial TLS warning pages, I have to click at least two times to acknowledge in contrast to one time before.

This is extremely annoying, if you have to deal with self-signed certs a lot.

In Chrome 37 I could at least still opt-out and set chrome://flags/#ssl-interstitial-version to the old one, but now with Chrome 38, that flag is gone too :(

Are there any other options to disable this annoying "double-check" ?

There should at least be a flag somewhere, saying "I know what I am doing, let me ignore this with one click." And besides that, remember my decision.

Am I the only one who is bothered by these new fancy looking SSL error pages? (Not by the design itself but because of me having to click twice every time)

If there are other possibilities to solve this, please let me know.

Otherwise, please add the ssl-interstitial-version flag again.

Thank you!

[Torne (Richard Coles)]

Add the self-signed certs you trust to the certificate store, and then there won't be an interstitial at all.

It's unlikely we will make the interstitials easier, since the purpose of them is to discourage users from just clicking through.

--
--
Chromium Discussion mailing list: chromium...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-discuss

[Clemens Gruber]

Hi,

> Add the self-signed certs you trust to the certificate store, and then there won't be an interstitial at all.

That’s a workaround I am aware of. But I do not want to add every site to my cert store just because they use a self-signed certificate. I do that for my self signed certs which I trust completely but not for others.
Isn’t it better to have a transport-level security instead of no security at all? Many community websites can’t afford to buy a cert. So in every case where I do not fear a MITM attack, I do not care so much about the cert, but more about the transport encryption. It’s better to have HTTPS with TLS and a self-signed-cert than normal HTTP.

>
> It's unlikely we will make the interstitials easier, since the purpose of them is to discourage users from just clicking through.

I can see why you set this new V2 screen as a default, but there are advanced users who do not need to be told twice to get the idea that it is not a VeriSign cert ;)
I know the risk, I do not want to be asked twice in a row. I also do not want to hide the warning completely I just want to opt-out from the V2 behavior and use V1 again.

Isn’t one click enough for advanced users? As an opt-in/opt-out flag it would not do much harm, would it? :)

Regards,
Clemens

[Ryan Sleevi]

Of course, adding these certs to your store potentially means anyone who obtains the private key can compromise all future connections. Generally, if someone cannot be bothered to obtain a free or low cost (<$10) cert, it is unlikely they're practicing good key hygiene, making this risk possible.

As Torne noted, it's unlikely that we will reduce the clicks, for many reasons, but also because most people who say they know what they're doing tend not to know what they're doing. That said, jww@ has been experimenting with models that might make it easier to both remember and forget these cert decisions.

But really, if you find yourself bothered by having to click through, isn't it just worth grabbing a cheap $8 cert off NameCheap or the like? Is it any different than buying a domain name so you don't have to type in an IPv4 address (... Or worse, v6?) Does something prevent you from doing that?

[Ryan Sleevi]

On Sep 1, 2014 5:49 AM, "Clemens Gruber" <cleme...@gmail.com> wrote:
>
> Hi,
>
> > Add the self-signed certs you trust to the certificate store, and then there won't be an interstitial at all.
>
> That's a workaround I am aware of. But I do not want to add every site to my cert store just because they use a self-signed certificate. I do that for my self signed certs which I trust completely but not for others.
> Isn't it better to have a transport-level security instead of no security at all? Many community websites can't afford to buy a cert.

If they can afford a $4/year domain, I'm betting they can afford a $8/year cert.

> So in every case where I do not fear a MITM attack, I do not care so much about the cert, but more about the transport encryption. It's better to have HTTPS with TLS and a self-signed-cert than normal HTTP.
>

Not really. In theory, yes. In practice, you're either conditioning users to click through your warnings (bad), or you're conditioning them to trust on first use, without any validation (also bad). In either case, you're encouraging bad behaviors that, even if they were acceptable for your small community sites, now become conditioned responses to things like your email provider or bank.

In short, your self-signed cert ends up making the web a less secure place, ironically while trying to make it more.

> >
> > It's unlikely we will make the interstitials easier, since the purpose of them is to discourage users from just clicking through.
>
> I can see why you set this new V2 screen as a default, but there are advanced users who do not need to be told twice to get the idea that it is not a VeriSign cert ;)
> I know the risk, I do not want to be asked twice in a row. I also do not want to hide the warning completely I just want to opt-out from the V2 behavior and use V1 again.
>
> Isn't one click enough for advanced users? As an opt-in/opt-out flag it would not do much harm, would it? :)
>
> Regards,
> Clemens

Chrome doesn't do flags like this, and it doesn't cater UI to the advanced user, precisely because such UI almost always inevitably makes things harder for the normal user.

[Adrienne Porter Felt]

We have no immediate plans to remove the additional click, as it serves several purposes for the general use case.

As Ryan notes, you can opt into another experiment in Chrome 38 that might ease your pain: go to chrome://flags#remember-cert-error-decisions and change the setting to remember your decisions for up to 3mo.

But also if this is your website, +1 to buying a really cheap cert. It'll take a few min to set up once but you'll get to stop seeing our warnings, which I assure you will only grow more annoying over time. :)

[Markus Gutschke (顧孟勤)]

In the past, I used to be a lot more understanding of having self-signed or otherwise incorrect SSL certificates. But I don't think most of the reasons hold true any more:

• certificates used to be very expensive. These days, the most basic certificates cost only a few dollars, or in some cases they are free altogether.
• upgrading certificates takes somewhere on the order of 30-60min of work (depending on choice of certificate vendor and server). For low-traffic "unimportant" sites, that's a significant percentage of the annual maintenance work. These days, it is fortunately easy to buy certificates that are good for five years, making it much easier to schedule maintenance. Even minor sites should probably be reviewed every couple of years, just to make sure they don't have known security holes.
• embedded devices (e.g. "internet of things") often don't provide options to upload a proper SSL certificate. In most cases, these device shouldn't even be generally accessible, since as a rule they often have lots of security problems. But if they need to be accessible, it is trivial to hide them behind a NGINX reverse proxy that provides proper access control and proper SSL certificates.
• multi-domain or wildcard SSL certificates used to be necessary, whenever virtual hosting multiple domains on the same IP address. These days, pretty much every browser supports SNI, so that's no longer a problem. Instead, each virtually-hosted domain can get their own certificate.

In other words, most of the reasons for skimping on proper SSL certificates have gradually disappeared. I am sure there are still some legitimate corner cases, but most of them are probably just due to apathy and possibly ignorance.

Markus

[Joel Weinberger]

On Mon, Sep 1, 2014 at 5:59 AM, Adrienne Porter Felt <fe...@chromium.org> wrote:

We have no immediate plans to remove the additional click, as it serves several purposes for the general use case.

As Ryan notes, you can opt into another experiment in Chrome 38 that might ease your pain: go to chrome://flags#remember-cert-error-decisions and change the setting to remember your decisions for up to 3mo.

I'm definitely of the view that the basic click through should not be made easier. We want the default case to be "don't do it." Put differently, how would you feel if users went to your website and were being MiTM, and Chrome made it super easy for them to still get to your site? I hope you'd be sad :-)

But this is why we're working on alternatives (such as the mentioned flag) that will ease the pain for those who do click through on purpose.

[Clemens Gruber]

Adrienne: Thanks for mentioning the remember-cert-error-decisions flag. That's good enough (for me).

Please have a look at this paper by Bruce Schneier about CAs & PKI: https://www.schneier.com/paper-pki-ft.txt

There are legitimate reasons why some people do not want to pay CAs for "feeling secure" and be included in a browsers certificate store. There were many incidents with CAs issuing fake certs and intelligence agencies could also force popular CAs to do the same thing.

I think it is a good choice to warn the normal user and requiring two clicks from them, but do not forget advanced users who proceed on purpose. Remembering the decision is a good starting point though!