Hello Chromium security team,
While using Chrome Version 40.0.2214.111 (64-bit) in Debian Jessie, I'm
receiving the Chrome SHA1 deprecation warning when visiting
https://firstlook.org/. However, this is not only a false positive, but
we can't figure out how to reproduce this in Chrome running on other
systems. I think this might be some sort of obscure, hard to reproduce,
bug in the SHA1 detection code.
Here are some screenshots from my Chrome (one from firstlook.org, and one
from our CDN at prod01-cdn03.cdn.firstlook.org):
https://imgur.com/a/EHShW
I also get the same warning when viewing our domain in an incognito window.
This warning doesn't appear in Chrome on other platforms, or in Debian
VMs we test on, but it reliably happens on my computer. At first we
thought this was some sort of fluke (like maybe my Chrome profile is
corrupt), but it turns out that other users are in fact seeing this too:
https://twitter.com/ageis/status/563647806334717953
As far as we can tell, everything on our end is configured properly. The
Qualys SSL test gives us an A+:
https://www.ssllabs.com/ssltest/analyze.html?d=firstlook.org
Is there a way to gather more information about why my browser is giving
this warning? Is there a log that I can look at that might contain more
information, or a way to get my browser to reload the domain in some
sort of verbose debug mode?
Thanks.
--
Micah Lee
The Intercept -
https://theintercept.com/
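A diagnostic for the question asked above, added here as example code that is not part of the original report: it takes a PEM bundle (for instance the output of `openssl s_client -connect firstlook.org:443 -showcerts`, saved to a file) and lists the signature algorithm of every certificate in it, flagging SHA-1. It assumes `openssl` and `awk` are on the PATH, and it inspects only the chain as served; the path a browser builds from its own trust store and cached intermediates can differ from that chain, which is one reason the same site can warn on one machine and not another.

```shell
#!/bin/sh
# Added example, not from the original report. Lists the signature algorithm of
# each certificate in a PEM bundle so a SHA-1-signed leaf or intermediate can be
# spotted. Requires openssl and awk.

# Print "<index><TAB><subject><TAB><signature algorithm>" for every certificate
# in the PEM bundle given as $1, in the order the bundle lists them.
chain_sig_algs() {
    bundle="$1"
    dir=$(mktemp -d)
    # Split the bundle into one file per certificate (cert01.pem, cert02.pem, ...).
    awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%02d.pem", dir, n) }
        n > 0 { print > out }
        /-----END CERTIFICATE-----/ { close(out) }
    ' "$bundle"
    i=0
    for f in "$dir"/cert*.pem; do
        [ -e "$f" ] || break
        i=$((i + 1))
        subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
        # First "Signature Algorithm:" line in -text output is the one in the TBS.
        alg=$(openssl x509 -in "$f" -noout -text | awk '/Signature Algorithm/ { print $3; exit }')
        printf '%s\t%s\t%s\n' "$i" "$subj" "$alg"
    done
    rm -rf "$dir"
}

# Exit 0 if no certificate in the bundle is SHA-1 signed, 1 if any is.
# Note: a SHA-1 self-signature on the root itself is harmless in practice,
# since browsers trust the root by identity, not by its signature.
chain_has_sha1() {
    chain_sig_algs "$1" | awk -F '\t' 'tolower($3) ~ /sha1/ { found = 1 } END { exit found ? 1 : 0 }'
}
```

Typical use: `openssl s_client -connect host:443 -showcerts </dev/null 2>/dev/null > chain.pem; chain_sig_algs chain.pem`.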