
Issue 425158

Starred by 47 users

Issue metadata

Status: Verified
Owner:
Not on Chrome
Closed: Apr 2015
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 2
Type: Bug

Blocking:
issue 302553
issue 420813


Participants' hotlists:
Security-UX-WebDev



Detailed connection info on Android

Project Member Reported by egm@chromium.org, Oct 20 2014

Issue description

With the launch of the new PageInfo on Clank we will be temporarily removing the Connection info that used to be accessed by clicking on the lock. We need to bring it back in a subtle way that will satisfy the needs of power users but not distract the majority of our users who will never need it. 

See conversation here: https://code.google.com/p/chromium/issues/detail?id=302561
 
Cc: egm@chromium.org rolfe@chromium.org
Owner: hannahs@chromium.org
Status: Assigned
Assigning to me to find a resource / cc'ing Rebecca as Android contact.
Blocking: chromium:302553

Comment 3 by sashab@chromium.org, Dec 19 2014

Cc: benwells@chromium.org f...@chromium.org sashab@chromium.org
Issue 442962 has been merged into this issue.

Comment 4 by rolfe@chromium.org, Jan 6 2015

Cc: maxwalker@chromium.org
Ccing Max, the dev tools designer for Chrome.

Comment 5 by pennymac@google.com, Jan 15 2015

Labels: -M-41 M-42 MovedFrom-41
Moving all non-essential bugs to the next Milestone.

Comment 6 by egm@chromium.org, Jan 15 2015

Owner: lgar...@chromium.org
Assigning to Lucas for now. 
Labels: Cr-Security-UX-WebDev
We should make sure this works with remote debugging when we move connection info to dev tools, but it would also be nice to have *some* way to view it on the device alone (even something buried three clicks deep).
Cc: -maxwalker@chromium.org hannahs@chromium.org pfeldman@chromium.org
Blocking: chromium:420813
Owner: ----
Status: Available
Removing myself as owner, because I am unlikely to be the person implementing this.

Instead, this is now a blocker for Issue 420813: Security UX for (Web) Developers
Cc: tsergeant@chromium.org
Adding tsergeant who might want to take a look at this. Do we have any idea what the UI could look like?
Summary: Detailed connection info on Android (was: Detailed connection info on Clank)
Idea: we only make connection info available when the device is in developer mode.

If the original idea for exclusion was simply to avoid overwhelming normal users, we could append the old information to the end of the OIB (when the device is in developer mode).

But if we want to keep connection information separate from the OIB, we could also add a button to the Chrome menu (when the device is in developer mode).
Something like a "technical details" or "more" button on the OIB would be better.
I do not use such information only for development purposes.
E.g. there is a security warning and depending on the exact reason I will carry on or not (and sometimes a company may have issued instructions to help users make such decisions).
Or the non-trusted certificate can be a private one I could trust enough if I can see the issuer/signature.
Or I had to put a company proxy private certificate as trusted, but not trust it for anything, so need to check.
Or want to check that the CA is still the expected/usual one for some sensitive site.
...
If my colleagues involved with https://crbug.com/302561 thought it was important to keep a "More" button for all users, I think they would have added it.

To address your reasons:
- Security warning: what exact reasons?
- Non-trusted certificate: The issuer is trivial to fake.
- Proxy: Android Chrome connection info gave you no way to check if the issue is caused only by the proxy.
- CA: Android Chrome connection info told you only the intermediate CA. If anyone is working with/hacks another CA, they can trivially issue an intermediate CA with the same name.

I understand your desire to see if an error is really "what you expected", but that isn't really possible with the old connection info – even if you know what you're doing!
In practice, connection info helps developers debug their websites much more than it gives a reliable indication of the security/errors of the connection for end users.

That said, I'd also love to see it available without developer mode. (My suggestion was an alternative, in case this is undesirable UX for the common user.)
Thanks for your answer.
- Security warnings: that's the point, the reasons may vary (and differ over time/version), such as encryption that is no longer fully trusted (SSLv3, key length, ...), a CA that is trusted but no longer the same as before for the site, ... whatever is considered not completely safe by a given Chrome version.
- Issuer is easy to fake, but not the signature hash. I have already seen sites (e.g. internal company sites) instructing users to check the signature (they show you a screenshot of what is expected...).
- CA info: I do not remember exactly what details were in the connection info. I know on the desktop the whole chain is visible, and I sometimes check it. It would be good if that info was available here too.

I'd very much like this all to be available in non-developer mode. Though for myself I can turn it on anyway...
Cc: tedc...@chromium.org lgar...@chromium.org
Issue 457104 has been merged into this issue.
Cc: klo...@chromium.org
Issue 462289 has been merged into this issue.
Labels: -M-42 MovedFrom-42
Status: Untriaged
[AUTO] This issue has already been moved once and is lower than Priority 1, therefore removing mstone.
Echoing sashab's #11 - do we have any ideas of the UI for this?

rolfe - any thoughts?
Owner: rolfe@chromium.org
Status: Assigned
Confirming the design ownership. Will keep you posted!

Comment 22 by rolfe@chromium.org, Mar 10 2015

Tried to set up a meeting for everyone but schedules are crazy for the next couple weeks. Who is the most invested eng for integrating connection info onto the revamped page info/OIB? I've got some questions and would love to meet 1:1 to figure out the connection info parameters.

Comment 23 by f...@chromium.org, Mar 11 2015

Re #20: Ben, can Tim pick this up? If so, Rebecca perhaps you could meet with me and Tim. I can help answer security questions.
This probably fits well with Tim's stuff. I'm not sure if Lucas is already looking into this though?

Maybe we could quickly get together to discuss the overall game plan, I'm not sure what we're doing at a high level (sorry, I think it got paged out).

Comment 25 by c...@cem.me, Mar 12 2015

I just wanted to throw out a design idea, you can take it, make it better, or leave it. This is just a little mock up I made of what I'd like to see when this gets resolved. I've tried to keep Material Design in mind as well while making the design.
Attachment: mobileSecurityDetails.png (385 KB)
Issue 467842 has been merged into this issue.
The UI proposal in #25 looks like a good balance between not overwhelming regular users, while offering developers the same valuable information already available in desktop Chromium. I'd hate for it to be visible only when the device is in developer mode.
I talked a bit in person with rolfe@ yesterday. My view is roughly:

- We need connection info on Android, for developers and power users.
- The current mobile summary is flawed (see comment #15), but we should bring it back for now.
- Once security stuff in DevTools has launched, we can revisit power users and mobile use cases.

I believe rolfe@ is working on mocks for adding a "Details" link to site settings (in the vein of comment #25).

Comment 29 by rolfe@chromium.org, Mar 19 2015

Status: Started
A decent use case was this recent Twitter thread: https://twitter.com/sideshowbarker/status/578373861147705344

Comment 31 by rolfe@chromium.org, Mar 26 2015

"Details" link was approved! (a link to be appended at the end of the security string.)
https://folio.googleplex.com/chrome-ux/mocks/236-fizz/page-info/032515_Mobile#%2F01_Mobile_NoPermissions.jpg

egm@ - feel free to assign to dev to implement.

No spec needed I'm guessing, but let me know if there are questions.

Comment 32 by c...@cem.me, Mar 26 2015

ro...@ could you attach that image to this thread for better viewing? (that was a private URL)

Comment 33 by egm@chromium.org, Mar 26 2015

Cc: -tsergeant@chromium.org
Owner: tsergeant@chromium.org
Assigning the bug to tsergeant, who will be handling the implementation. Also attaching a screenshot of rolfe's mock. 
Attachment: 02_Mobile_SitePermissions.jpg (166 KB)
Cc: -sashab@chromium.org
Screenshots of implementation:
Attachment: Screenshot_2015-04-24-11-54-00.png (173 KB)
Attachment: Screenshot_2015-04-24-11-50-41.png (166 KB)
Attachment: Screenshot_2015-04-24-11-50-50.png (172 KB)
Attachment: Screenshot_2015-04-24-11-50-46.png (115 KB)
Oops, forgot to add:

rolfe@ - I tweaked the padding in the dialog compared to the old version. Can you please double check that everything looks okay?

Comment 37 by rolfe@chromium.org, Apr 24 2015

Hey! Thanks for sending. Looks really good.

- Can you remove "Copy URL" bit or is it too soon?
- What part of the padding changed? Comparing connection info to the preview sgabriel@ made, the top margin is 12px taller. Not sure if that's it though.
- If you're referring to the Certificate dialog I don't think design has ever done much with that (no specs in our file.) But it would be great if padding was consistent between the title and the rest of the text. Might be nice too to make it have a #FFFFFF background and give the text the same darker gray as text elsewhere (which I believe is #444444.) I know we don't touch this much though too so also fine to leave as is.
I'm comparing my screenshot of the connection info popup to image number 5 in your folio link from #31 - I removed some padding from the top and bottom of the dialog and reduced the padding around the two links.

For the certificate dialog, I didn't touch anything, but I should be able to quickly make changes you've suggested.

Finally, I'll follow up on the Copy URL button in another bug.

Comment 39 by rolfe@chromium.org, Apr 27 2015

Ah sorry. I wouldn't recommend using my crummy mock as a reference. I thought the connection info layout was still live somewhere so you wouldn't have to re-create it (or whatever magic you engineers work to bring back code from the dead.)

Sgabriel's Material design is the best reference:
https://drive.google.com/a/google.com/file/d/0B6x6iYCtKinEdi1RTTdRaXVJTTA/edit

But he didn't make a spec for it. From what I see your file looked A-OK to me. Also fine to leave the certificate as is if you want to. The only thing that really bums me out is the inconsistent padding, but I can live with it since I'm sure you have other priorities.
The screenshots from #35 are mostly the old code (brought back from the dead) with a few tweaks. Anyway, it wasn't too much work to make the additional changes you suggested, so I think that everyone is happy and this is ready to land!
Project Member

Comment 41 by bugdroid1@chromium.org, Apr 29 2015

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f21c52aeafa701b18ed505347ee0e7a7d07e5d53

commit f21c52aeafa701b18ed505347ee0e7a7d07e5d53
Author: tsergeant <tsergeant@chromium.org>
Date: Wed Apr 29 03:26:54 2015

Add connection info popup within Page Info on Android.

Partial revert of 00e86ade3b71d372ebe49c3e24da75361e841dc7

This is a revived version of WebsiteSettingsPopupLegacy, which contains
detailed connection and certificate information, similar to the desktop
website settings popup. The popup is accessed through a 'Details' link
in the page info popup.

BUG= 425158 

Review URL: https://codereview.chromium.org/1100283002

Cr-Commit-Position: refs/heads/master@{#327429}

[add] http://crrev.com/f21c52aeafa701b18ed505347ee0e7a7d07e5d53/chrome/android/java/res/drawable-hdpi/pageinfo_bad.png
[add] http://crrev.com/f21c52aeafa701b18ed505347ee0e7a7d07e5d53/chrome/android/java/res/drawable-hdpi/pageinfo_good.png
[add] http://crrev.com/f21c52aeafa701b18ed505347ee0e7a7d07e5d53/chrome/android/java/res/drawable-hdpi/pageinfo_warning.png
[add] http://crrev.com/f21c52aeafa701b18ed505347ee0e7a7d07e5d53/chrome/android/java/res/drawable-mdpi/pageinfo_bad.png
[add] http://crrev.com/f21c52aeafa701b18ed505347ee0e7a7d07e5d53/chrome/android/java/res/drawable-mdpi/pageinfo_good.png
[add] http://crrev.com/f21c52aeafa701b18ed505347ee0e7a7d07e5d53/chrome/android/java/res/drawable-mdpi/pageinfo_warning.png
[add] http://crrev.com/f21c52aeafa701b18ed505347ee0e7a7d07e5d53/chrome/android/java/res/drawable-xhdpi/pageinfo_bad.png
[add] http://crrev.com/f21c52aeafa701b18ed505347ee0e7a7d07e5d53/chrome/android/java/res/drawable-xhdpi/pageinfo_good.png
[add] http://crrev.com/f21c52aeafa701b18ed505347ee0e7a7d07e5d53/chrome/android/java/res/drawable-xhdpi/pageinfo_warning.png
[add] http://crrev.com/f21c52aeafa701b18ed505347ee0e7a7d07e5d53/chrome/android/java/res/drawable-xxhdpi/pageinfo_bad.png
[add] http://crrev.com/f21c52aeafa701b18ed505347ee0e7a7d07e5d53/chrome/android/java/res/drawable-xxhdpi/pageinfo_good.png
[add] http://crrev.com/f21c52aeafa701b18ed505347ee0e7a7d07e5d53/chrome/android/java/res/drawable-xxhdpi/pageinfo_warning.png
[add] http://crrev.com/f21c52aeafa701b18ed505347ee0e7a7d07e5d53/chrome/android/java/res/drawable-xxxhdpi/pageinfo_bad.png
[add] http://crrev.com/f21c52aeafa701b18ed505347ee0e7a7d07e5d53/chrome/android/java/res/drawable-xxxhdpi/pageinfo_good.png
[add] http://crrev.com/f21c52aeafa701b18ed505347ee0e7a7d07e5d53/chrome/android/java/res/drawable-xxxhdpi/pageinfo_warning.png
[add] http://crrev.com/f21c52aeafa701b18ed505347ee0e7a7d07e5d53/chrome/android/java/res/drawable/connection_info_reset_cert_decisions.xml
[add] http://crrev.com/f21c52aeafa701b18ed505347ee0e7a7d07e5d53/chrome/android/java/res/layout/connection_info.xml
[modify] http://crrev.com/f21c52aeafa701b18ed505347ee0e7a7d07e5d53/chrome/android/java/res/layout/website_settings.xml
[modify] http://crrev.com/f21c52aeafa701b18ed505347ee0e7a7d07e5d53/chrome/android/java/res/layout/website_settings_permission_row.xml
[modify] http://crrev.com/f21c52aeafa701b18ed505347ee0e7a7d07e5d53/chrome/android/java/res/values/colors.xml
[modify] http://crrev.com/f21c52aeafa701b18ed505347ee0e7a7d07e5d53/chrome/android/java/res/values/dimens.xml
[add] http://crrev.com/f21c52aeafa701b18ed505347ee0e7a7d07e5d53/chrome/android/java/src/org/chromium/chrome/browser/CertificateViewer.java
[add] http://crrev.com/f21c52aeafa701b18ed505347ee0e7a7d07e5d53/chrome/android/java/src/org/chromium/chrome/browser/ConnectionInfoPopup.java
[modify] http://crrev.com/f21c52aeafa701b18ed505347ee0e7a7d07e5d53/chrome/android/java/src/org/chromium/chrome/browser/WebsiteSettingsPopup.java
[modify] http://crrev.com/f21c52aeafa701b18ed505347ee0e7a7d07e5d53/chrome/android/java/strings/android_chrome_strings.grd
[modify] http://crrev.com/f21c52aeafa701b18ed505347ee0e7a7d07e5d53/chrome/browser/android/chrome_jni_registrar.cc
[modify] http://crrev.com/f21c52aeafa701b18ed505347ee0e7a7d07e5d53/chrome/browser/android/resource_id.h
[add] http://crrev.com/f21c52aeafa701b18ed505347ee0e7a7d07e5d53/chrome/browser/ui/android/certificate_viewer_android.cc
[add] http://crrev.com/f21c52aeafa701b18ed505347ee0e7a7d07e5d53/chrome/browser/ui/android/certificate_viewer_android.h
[add] http://crrev.com/f21c52aeafa701b18ed505347ee0e7a7d07e5d53/chrome/browser/ui/android/connection_info_popup_android.cc
[add] http://crrev.com/f21c52aeafa701b18ed505347ee0e7a7d07e5d53/chrome/browser/ui/android/connection_info_popup_android.h
[modify] http://crrev.com/f21c52aeafa701b18ed505347ee0e7a7d07e5d53/chrome/chrome_browser.gypi
[modify] http://crrev.com/f21c52aeafa701b18ed505347ee0e7a7d07e5d53/chrome/chrome_browser_ui.gypi

Status: Fixed
Status: Verified
Lookin' good! :-D
Attachment: Screenshot_2015-05-05-13-48-53.png (152 KB)
Attachment: Screenshot_2015-05-05-13-48-50.png (84.2 KB)

Comment 44 by f...@chromium.org, Jun 4 2015

Labels: -MovedFrom-41 -MovedFrom-42 M-44
Looking at the date this code landed, I think this went with M-44. Is that right? Updating labels.
Yes, M44 is correct.
(I just double-checked.)
Components: -Security>UX>WebDev
Labels: Hotlist-Security-UX-WebDev
Components: -Security>UX
Labels: Team-Security-UX
Security>UX component is deprecated in favor of the Team-Security-UX label
