
SSL Certificates in Google Chrome

Google's new web browser, Chrome, has sparked a lot of discussion and interest in many of its new features. Though still in beta, it handles many things much better than all other current browsers. But how does it handle SSL certificates? Does it give the appropriate error messages and user interface notifications? That is what we are going to investigate.

First off, of course, it supports normal SSL certificates without any problem. It just displays a yellow background in the address bar, a lock icon on the right, and makes the https in the address bar green:

 Normal SSL Certificate in Google Chrome

Support for EV SSL certificates seems a little buggy in the current version. It is supposed to display the name of the validated company in green on the right side of the address bar like this:

 EV SSL Certificate in Google Chrome

The company name seems to display sometimes and not display at other times. This is a bug that will most likely be fixed by the next release of Google Chrome.

SSL Error Messages in Google Chrome

How does Google Chrome handle SSL error messages? Very well. First let's look at a domain mismatch error. This occurs when the name on the SSL certificate doesn't match the name that the site is being accessed with in the browser. This is what Google Chrome displays in this case:

 Domain Mismatch error in Google Chrome

This is a great solution because it makes it very clear that something is wrong, informs the user of exactly what the problem is, and lets them easily proceed if they decide to. This is in contrast to the way Firefox makes you add an exception for each site.

The next error message is an untrusted certificate error (including self-signed certificates or incorrectly installed certificates from certificate authorities). This is the message that displays:

 Untrusted certificate error in Google Chrome

Again, it is very clear and allows you to easily proceed to the page anyway or go "back to safety".

Finally, what does Google Chrome do when some of the content on a page is not loaded from a secure source? It displays a warning icon on the right of the address bar and, when clicked, shows that the identity is verified but that parts of the page are not encrypted.

 Unauthenticated content error in Google Chrome

Also, client certificates don't seem to be supported yet. Overall, Google Chrome is on the right track in making sure that SSL errors are correctly identified and communicated to users.
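
The name check behind the domain mismatch error, together with the validity-period check that explains why correcting the system date and time (the fix reported in the comments) clears a certificate warning, as an added Python example that is not part of the original article. The certificate is constructed sample data in the shape `ssl.SSLSocket.getpeercert()` returns; `utc`, `name_matches` and `check_cert` are names chosen for this sketch, and the commonName fallback reflects older browser behaviour.

```python
import calendar
import ssl

# Constructed sample, in the dict shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.shop.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}


def utc(year, month, day):
    """Seconds since the epoch for midnight UTC on the given date."""
    return calendar.timegm((year, month, day, 0, 0, 0))


def name_matches(pattern, host):
    """Compare one DNS name from the certificate with the requested host."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard covers exactly one label, never several
    if p[0] == "*":
        # Accept a wildcard only as the whole left-most label of a 3+ label name.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def check_cert(cert, host, now):
    """List the warnings this certificate triggers for `host` at clock time `now`."""
    problems = []
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # legacy fallback: commonName in the subject
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not any(name_matches(n, host) for n in names):
        problems.append("name-mismatch")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not-yet-valid")  # client clock set too far back
    elif now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")  # or client clock set too far ahead
    return problems


if __name__ == "__main__":
    for host, when in [("www.example.com", utc(2024, 6, 1)),
                       ("example.com", utc(2024, 6, 1)),
                       ("www.example.com", utc(2010, 1, 1))]:
        print(host, when, check_cert(SAMPLE_CERT, host, when) or "ok")
```

A certificate issued for "www" fails for the bare domain unless both names are listed, and a client clock outside the notBefore/notAfter window fails an otherwise valid certificate.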


Originally posted on Sun Sep 7, 2008

Comments


Duane(2014-12-13)

Nice review article, although I don't see it as a bad thing if EV extensions are ignored; they generally do very little. The following quote comes from a post on one of the XMPP lists:

"Have a look at the latest black hat. They had certs for big corporate sites from some of the bigger CAs. They even rerouted the traffic there and nobody noticed. They showed logs of this at the end of the conference."

doc(2014-12-13)

I have an internal host path to a webserver that I access with a cert that doesn't match the webserver's cert. This is *normal* for people who do web work. It's also *normal* for a non-ecommerce site, like an open source site, to have a cert for "www" but not for every subdomain. By not allowing exceptions, they make it VERY hard to work with Chrome... which made me, just today, put Firefox BACK as my default browser.

Georgi(2014-12-13)

In fact, Chrome is not applying all my certificates at all. I suppose this is some kind of a bug. I've imported my banking P12 certificates. When a virtual banking site needs the appropriate certificate, Firefox and IE are applying Crypto API as is needed, but the Chrome doesn't. I hope someday Google will fix this AWFUL issue...

Robert(2014-12-13)

That's true, doc. It would be nice to have it remember whether you've trusted a certificate before. Of course, for ecommerce sites that doesn't help because customers will be scared away before adding it as an exception. The solution for ecommerce sites is to redirect traffic to www (or vice versa) or get a certificate with both names in it (a SAN/UC certificate).

Robert(2014-12-13)

Duane,

That quote was talking about normal SSL certificates. The whole point of EV certificates is to standardize and make it almost impossible for someone to get a certificate unless they are authorized to do so which will prevent these "black hat" hackers from getting a certificate for a big company or any company that they don't own. It is important for there to be a noticeable difference in the web browser between a normal certificate and an EV certificate or hackers will be able to continue using normal certificates and get away with it.

Duane(2014-12-13)

All it takes is for one vendor to issue a certificate by mistake and all vendors cop the blame because there is nothing on the browser interface that effectively communicates who the CA responsible is.

The only websites this is useful for are companies like amazon.com. If the snake-oil salesmen hadn't gotten things their way, we could easily check that the certs our banks use are the right ones based on the information on their stationery.

EV isn't the be all and end all everyone seems to be pushing it as, neither is SSL for that matter, which I wouldn't trust for anything other than credit card transactions especially since a Verisign rep said they would issue duplicated certs to government agencies if compelled, although I'd be interested to know which governments they'd comply with. Then of course no one is going to yank Verisign roots from browsers because their certs are too prolific, the whole thing is a big house of cards waiting to come crashing down, it's not a matter of if, but when.

Robert(2014-12-13)

Georgi, I believe this is due to the fact that Chrome doesn't yet support client certificates. I'm sure support for it will be added before the final product is released, though.

Frances Fraser(2014-12-13)

I much prefer Google Chrome but will have to use Internet Explorer (which keeps crashing on me) at the income tax site because of problems related to encryption and SSL signing as discussed above. The site does not support Google Chrome.

bilal(2014-12-13)

just adjust the date and time!!!!!!!!!!!!!

kaushal(2014-12-13)

Thanks, I just adjusted the date & time... and now it is running properly.

Jivan jyoti maity(2014-12-13)

Thanx for this helpful article

lojze.kamnik@gmail.com(2014-12-13)

In the Google Chrome browser I would also like to use the "abanet" service: access to the banking services of Abanka, of which I am a client. For this bank service I have a registered "sigenca" certificate.
Google Chrome, however, does not let me into the program because it cannot find the certificate, even though I can find it under the program's options and advanced settings.
What should I do?
Otherwise, the Google Chrome browser is very good.

Jonathan(2014-12-13)

I had adjusted the date on my computer to take advantage of a trial offer on some software, and that was causing the problem. Thanks, bilal, for the suggestion.

franc(2014-12-13)

Yes, good old Firefox allows me to add an exception. But Chrome still doesn't, which is very annoying.
And there is no extension to solve this problem in Chrome.
I know the site very well, it's mine, but every time I have to do this ugly procedure of pretending security.

rom(2014-12-13)

Thank you for posting some helpful things. I adjusted the time of my PC.

mart(2014-12-13)

Thanks, I have encountered this message many times. Now I know! Adjust the date and time...

Fran(2014-12-13)

I can't believe that I waited for zanga games to fix my problem with the game not loading properly. But all it was, was the date had to be changed. OMG, how simple was that.

thanks guys and girls

Vinay Raghu(2014-12-13)

It was the date and time. Thanks! I reset it and everything was working fine!

null(2014-12-13)

Wow! A big thanks to you buddy!. It helps me.. Thanks a lot. :)

Ecka(2014-12-13)

Can't believe that changing the date sorted my security problem lol
Thanks

BA(2014-12-13)

How do I send a digitally signed email that is secure and can be encrypted? I have already tried StartCom and Comodo, and neither supports Google Chrome email.

BTW - At least I can read the security code. NICE! :o}

Mark Moore(2014-12-13)

How do I examine (or download) a security certificate when the certificate is *good*? The Chrome browser lets me save bad certificates, but it won't let me save good ones. Help!

Martin(2014-12-13)

Does anyone know why even secured sites sometimes show up as insecure? (Usually refreshing the page fixes it, but sometimes it changes to a dangerous status even though the site is verified as safe and has a certificate.) Is this some sort of a bug? Or does it take time for Chrome to load each certificate, and that is why it shows "insecure" at first? Was just curious. Yes, refreshing the page actually fixes it in most cases, but still :/

nayab khed(2014-12-13)

By adjusting time and time it fixed

John Talmadge(2014-12-13)

As an end user of Chrome (and IE), I have been getting error messages when trying to access certain secured sites, in which the Chrome error states "Cannot connect to the real ***.com", *** being the real name of the site. Clicking the "more" button reveals the reason as being a malformed certificate, stating that Chrome will not access the site because of this. It shows the subject as the URL of the site I'm trying to access and it shows the Issuer of the certificate (I guess). I can access the site with other computers using the same network or my iPad; it's only my desktop that has the problem. The other computers are also using Chrome. Can you tell me what could be causing this to only occur on this one computer? I've searched the internet through and have yet to find a solution. I would appreciate your input.

Monojit(2014-12-13)

Thanks for giving such an easy and great solution.
I thought I needed to change some critical settings.

Could you please tell me how SSL is related to date and time?

B(2014-12-13)

I spent the whole noon figuring it out. I'm lucky to be here to view this!!! Just change the date and time!!! I am so sorry for being rude and saying wtf; I ended up laughing. Ha-ha!

roshan(2014-12-13)

thanks the date and time settings change really works

Pradeep(2014-12-13)

Thanks a Ton All Dosto.... will try the solution within some mins..

Varania(2014-12-13)

Thanks Bilal...That was great. I just adjusted the date and time!!

Harsha(2014-12-13)

Hi All,

I need to perform mutual authentication in the Chrome headless browser on a Linux system. I have imported the SSL (.p12 format) cert using the "pk12util -d sql:$HOME/.pki/nssdb -i .p12" command. It was imported successfully, but when I try to access the URL, I am unable to access it. The log says timed out. Could anyone here please tell me from which location Chrome picks up the certificate info and proceeds with the request?

To avoid the prompting, I have also added the Chrome policy setting into the /opt/google/chrome/policies/ folder. The JSON added had the below content.

{
"AutoSelectCertificateForUrls": ["{\\\"pattern\\\"":\\\""https://*.example.com\\\""
