Add "Learn more" link to Page Info security description
Issue description
The original intent was to draw attention to the Security panel. The security panel is now 5th (out of 9) in popularity, so I think it's safe to assume that there is general knowledge among developers of where to find it. We want to remove the "Details" button so that regular users who are newly clicking on the lock icon (due to icon/verbose UI changes) don't click on it and end up somewhere unexpected.
Sep 16 2016
Uh, is it? I'd prefer not to put a link in the exact same place, if somewhere else is reasonable.
Sep 16 2016
I suspect that people are actively looking there for an explanation, esp with http-bad coming soon. Why don't you want a link in the same place? With the right wording it could be different enough-- like "What does this mean?" emilyschechter have you thought about this yet?
Sep 21 2016
I think we should change the link to the help center and remove the link to the security panel. Users are now much more likely to click on this than devs. In terms of string and placement -- I don't think we should worry about confusion between current state (DevTools) and future state (HC). I think the vast majority of people clicking are users who will just be happy that it gives them more details. Devs will already know how to open Security Panel. So if people previously saw DevTools and now see the help center, I don't really think that's a big deal or confusing. We should just focus on getting the right string. I'll +1 "What does this mean?" But "Learn more" or "Details" I also think could be OK. +max for his thoughts
Sep 21 2016
Alright, it seems my placement concern is outnumbered. :-P One small note: in the case of errors caused by the network, HC links may not load. This was a problem with the old link, but that link was much less prominent (hidden inside the connection tab). "Learn more" sounds fine to me. Who is in charge of the article, and do we know what URL it will have?
Sep 21 2016
I'm in charge. It's replacing https://support.google.com/chrome/answer/95617 and will have the same URL. Proposed updates are here https://docs.google.com/document/d/146kaEuXNeARXm6QxOCEwYx4BtYLQ649mNd2m8j_DUOE/edit
Sep 21 2016
Alright. Shouldn't we be using https://support.google.com/chrome/?p=ui_security_indicator [1] as the URL, though? (Will Chrome OS have a different page?) [1] https://chromium.googlesource.com/chromium/src/+/master/chrome/common/url_constants.cc#479
Sep 21 2016
Also, when should I make this change? Should I make it now and trust that the article will be updated by M55 stable?
Sep 21 2016
Confirming #7 in doc. #8 -- I think the HC will take ~3 weeks to be localized and updated. Absolutely by M55 stable.
Sep 29 2016
Oct 14 2016
elawrence@, this should be a fairly straightforward fix. I need to focus on other stuff, but some people really care about this change. Interested?
Oct 14 2016
Oct 19 2016
Oct 19 2016
This is explicitly not a priority anymore. emilyschechter@, let me know if this becomes a higher priority again.
Oct 19 2016
Oct 20 2016
Nov 12 2016
lgarron, I don't think we should block this on issue 663971 and I think we should do this for M56. Will you be able to get to it this week? If not I can probably do it, so feel free to re-assign to me.
Nov 12 2016
Tagging this as Hotlist-HttpBad since it's important to have this to go along with the HTTP-bad rollout.
Nov 13 2016
+1 to c#17 -- I think we should go with Option #1 you laid out in Issue 663971 and look into Options 3,4 for future releases. I acknowledge that this will cause a tiny bit more dev pain for devs who use this every day. But I believe that pain will be trumped by pain of scared users, who need to be able to get to the help center where we can explain the warning in more detail.
Nov 15 2016
Okes-dokes, I'll upload my CL.
Nov 16 2016
Nov 22 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/7ef72beedd573b8a81ad2f88e53f760c87bc34f1
commit 7ef72beedd573b8a81ad2f88e53f760c87bc34f1
Author: lgarron <lgarron@chromium.org>
Date: Tue Nov 22 20:22:51 2016
Page Info (native Mac): Change "Details" link (sec. panel) to "Learn more" (help center).
This CL also removes the isDevToolsDisabled boolean calculation, which was (only) used to show the Details button conditionally.
BUG= 646465
NO_DEPENDENCY_CHECKS=true
TEST=
1) Visit https://google.com
2) Click on the lock icon in the omnibox.
3) Verify that there is a link with the text "Learn more"
4) Verify that the link opens the Chrome Help Center page titled "Check Chrome's connection to a site" [1]
[1] https://support.google.com/chrome/answer/95617?hl=en
Review-Url: https://codereview.chromium.org/2504453003
Cr-Commit-Position: refs/heads/master@{#433962}
[modify] https://crrev.com/7ef72beedd573b8a81ad2f88e53f760c87bc34f1/chrome/browser/ui/cocoa/website_settings/website_settings_bubble_controller.h
[modify] https://crrev.com/7ef72beedd573b8a81ad2f88e53f760c87bc34f1/chrome/browser/ui/cocoa/website_settings/website_settings_bubble_controller.mm
[modify] https://crrev.com/7ef72beedd573b8a81ad2f88e53f760c87bc34f1/chrome/browser/ui/cocoa/website_settings/website_settings_bubble_controller_unittest.mm
Nov 23 2016
Nov 29 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/b822f27141186d301f3ee03805d29ecd9d00bbf7
commit b822f27141186d301f3ee03805d29ecd9d00bbf7
Author: lgarron <lgarron@chromium.org>
Date: Tue Nov 29 21:49:16 2016
Page Info (Views): Change "Details" link (sec. panel) to "Learn more" (help center).
Since "Learn more" should show up unconditionally, this CL also removes the include_details_label_link calculation/parameter.
BUG= 646465
Review-Url: https://codereview.chromium.org/2506473002
Cr-Commit-Position: refs/heads/master@{#435083}
[modify] https://crrev.com/b822f27141186d301f3ee03805d29ecd9d00bbf7/chrome/browser/ui/views/website_settings/website_settings_popup_view.cc
Dec 1 2016
Requesting to merge 7ef72beedd573b8a81ad2f88e53f760c87bc34f1 and b822f27141186d301f3ee03805d29ecd9d00bbf7 into M56.
Dec 1 2016
Your change meets the bar and is auto-approved for M56 (branch: 2924)
Dec 1 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/38f8fd333c78ff82539ace2d70d226046555723e
commit 38f8fd333c78ff82539ace2d70d226046555723e
Author: Lucas Garron <lgarron@chromium.org>
Date: Thu Dec 01 22:05:46 2016
Page Info (native Mac): Change "Details" link (sec. panel) to "Learn more" (help center).
This CL also removes the isDevToolsDisabled boolean calculation, which was (only) used to show the Details button conditionally.
BUG= 646465
NO_DEPENDENCY_CHECKS=true
TEST=
1) Visit https://google.com
2) Click on the lock icon in the omnibox.
3) Verify that there is a link with the text "Learn more"
4) Verify that the link opens the Chrome Help Center page titled "Check Chrome's connection to a site" [1]
[1] https://support.google.com/chrome/answer/95617?hl=en
Review-Url: https://codereview.chromium.org/2504453003
Cr-Commit-Position: refs/heads/master@{#433962}
(cherry picked from commit 7ef72beedd573b8a81ad2f88e53f760c87bc34f1)
Review URL: https://codereview.chromium.org/2543023002 .
Cr-Commit-Position: refs/branch-heads/2924@{#267}
Cr-Branched-From: 3a87aecc31cd1ffe751dd72c04e5a96a1fc8108a-refs/heads/master@{#433059}
[modify] https://crrev.com/38f8fd333c78ff82539ace2d70d226046555723e/chrome/browser/ui/cocoa/website_settings/website_settings_bubble_controller.h
[modify] https://crrev.com/38f8fd333c78ff82539ace2d70d226046555723e/chrome/browser/ui/cocoa/website_settings/website_settings_bubble_controller.mm
[modify] https://crrev.com/38f8fd333c78ff82539ace2d70d226046555723e/chrome/browser/ui/cocoa/website_settings/website_settings_bubble_controller_unittest.mm
Dec 1 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/18643a2eb8c9685eeab7942fba55cd7a9f156a52
commit 18643a2eb8c9685eeab7942fba55cd7a9f156a52
Author: Lucas Garron <lgarron@chromium.org>
Date: Thu Dec 01 22:34:38 2016
Page Info (Views): Change "Details" link (sec. panel) to "Learn more" (help center).
Since "Learn more" should show up unconditionally, this CL also removes the include_details_label_link calculation/parameter.
BUG= 646465
Review-Url: https://codereview.chromium.org/2506473002
Cr-Commit-Position: refs/heads/master@{#435083}
(cherry picked from commit b822f27141186d301f3ee03805d29ecd9d00bbf7)
Review URL: https://codereview.chromium.org/2547653003 .
Cr-Commit-Position: refs/branch-heads/2924@{#270}
Cr-Branched-From: 3a87aecc31cd1ffe751dd72c04e5a96a1fc8108a-refs/heads/master@{#433059}
[modify] https://crrev.com/18643a2eb8c9685eeab7942fba55cd7a9f156a52/chrome/browser/ui/views/website_settings/website_settings_popup_view.cc
Dec 1 2016
Dec 2 2016
Verified the issue on Mac 10.11.6, Ubuntu 14.04 and Win 10.0 using chrome latest Dev M56-56.0.2924.14 by following steps mentioned in the comment#29. Observed that learn more link opens the Chrome Help Center page titled "Check Chrome's connection to a site". Please find the screen cast for reference. Hence adding TE-Verified label. Thank you!
Dec 12 2016
"Devs will already know how to open Security Panel. So if people previously saw DevTools and now see the help center, I don't really think that's a big deal or confusing." It was very confusing, and not obvious where I should go to download the site's certificate. All the articles when googling how to do this point to the old way, chrome release notes are very not searchable (you get the 2 sentence version in the release blog, or you have to search through large amounts of commits manually in hopes that you find a bug issue that correlates to this). I also asked my peers where this functionality went, and no one knew where it went or where to look. It seems pretty obvious to me that the first thing you want to do when seeing an invalid cert is inspect the certificate! I understand adding the "learn more" link for the layperson, but that's no reason to take out the actionable part of that dialog which is "look at the cert for details".
Dec 12 2016
sglajch@: I share some of the concerns, but Page Info has been on track to be aimed at the "common user" for a long while. (Until a year ago, we had tried to make it useful both to devs and non-devs, but it ended up being bad for both.) Could you chime in on Issue 663971 with your concerns and ideas about making it easy to access the certificate?
Dec 15 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/af5642ce6ecd280d6f07f4d1222b34b0f479af3f
commit af5642ce6ecd280d6f07f4d1222b34b0f479af3f
Author: einbinder <einbinder@chromium.org>
Date: Thu Dec 15 01:14:07 2016
DevTools: Remove ShowSecurityPanel as it is no longer used
There is no longer a link to the DevTools security panel in the url bar.
BUG= 646465
Review-Url: https://codereview.chromium.org/2570423002
Cr-Commit-Position: refs/heads/master@{#438695}
[modify] https://crrev.com/af5642ce6ecd280d6f07f4d1222b34b0f479af3f/chrome/browser/devtools/devtools_toggle_action.cc
[modify] https://crrev.com/af5642ce6ecd280d6f07f4d1222b34b0f479af3f/chrome/browser/devtools/devtools_toggle_action.h
[modify] https://crrev.com/af5642ce6ecd280d6f07f4d1222b34b0f479af3f/chrome/browser/devtools/devtools_window.cc
Dec 16 2016
I checked on some of the WebsiteSettings.Action and DevTools.PanelShown stats in response to a Twitter conversation, and the recent numbers support the latest change even more than I thought:
- The number of UMA users who opened Page Info on stable is an order of magnitude more than those who ever open the Security panel. [1]
- The number of times Page Info was opened [2] significantly increased [3] after the new icon rollout [4], and increased again on Beta [5] with the "Not Secure" password/credit card rollout [6]. Looks like roughly 1.5x each time, but the numbers after the "Not Secure" rollout might settle down again.
- The number of times the Security panel is shown rises and falls [3][5] with the number of times Page Info is opened – for example, Security panel opens are dropping precipitously on Beta right now [5]. It seems that Page Info was driving a *lot* of people to the Security panel who would otherwise not have opened it – probably non-devs.
[1] https://goto.google.com/uma-histograms?endDate=20161214&dayCount=7&histograms=DevTools.PanelShown%2CWebsiteSettings.Action&fixupData=true&uniqueUsers=true&showMax=true&filters=channel%2Ceq%2C4%2Cisofficial%2Ceq%2CTrue&implicitFilters=isofficial#DevTools.PanelShown
[2] Unfortunately, it seems timelines can't dedup buckets by number of users.
[3] https://goto.google.com/page-info-opened-vs-security-panel-shown-stable-channel
[4] https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/aAtvHYFXRVo
[5] https://goto.google.com/page-info-opened-vs-security-panel-shown-beta-channel
[6] https://blog.chromium.org/2016/12/chrome-56-beta-not-secure-warning-web.html
Dec 16 2016
Note: [1], [3], and [5] above are Google-internal links; we don't usually publicly share actual numbers.
Dec 30 2016
Not having certificate info and security info after clicking the lock is seriously annoying. I now go to the security panel when I _really really_ want it, but most of the time, I'm just sad that it's been buried, and walk away muttering something about firefox's servo resurgence. Can you add this back? I don't like it not being there. And neither do many of my developer friends. Big step backwards in UX.
Jan 5 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/53ce627c8aa95544706c84a918170a8e53f5a20e
commit 53ce627c8aa95544706c84a918170a8e53f5a20e
Author: lgarron <lgarron@chromium.org>
Date: Thu Jan 05 21:09:17 2017
Remove SetSelectedTab() and deprecate unused WebsiteSettingsAction values.
This gets rid of the remaining call to SetSelectedTab(), which has no effect on any platforms anymore.
BUG= 646465, 571533, 675239, 675238
Review-Url: https://codereview.chromium.org/2521173004
Cr-Commit-Position: refs/heads/master@{#441749}
[modify] https://crrev.com/53ce627c8aa95544706c84a918170a8e53f5a20e/chrome/browser/ui/android/page_info/connection_info_popup_android.cc
[modify] https://crrev.com/53ce627c8aa95544706c84a918170a8e53f5a20e/chrome/browser/ui/android/page_info/connection_info_popup_android.h
[modify] https://crrev.com/53ce627c8aa95544706c84a918170a8e53f5a20e/chrome/browser/ui/android/page_info/website_settings_popup_android.cc
[modify] https://crrev.com/53ce627c8aa95544706c84a918170a8e53f5a20e/chrome/browser/ui/android/page_info/website_settings_popup_android.h
[modify] https://crrev.com/53ce627c8aa95544706c84a918170a8e53f5a20e/chrome/browser/ui/cocoa/website_settings/website_settings_bubble_controller.h
[modify] https://crrev.com/53ce627c8aa95544706c84a918170a8e53f5a20e/chrome/browser/ui/cocoa/website_settings/website_settings_bubble_controller.mm
[modify] https://crrev.com/53ce627c8aa95544706c84a918170a8e53f5a20e/chrome/browser/ui/views/website_settings/website_settings_popup_view.cc
[modify] https://crrev.com/53ce627c8aa95544706c84a918170a8e53f5a20e/chrome/browser/ui/views/website_settings/website_settings_popup_view.h
[modify] https://crrev.com/53ce627c8aa95544706c84a918170a8e53f5a20e/chrome/browser/ui/website_settings/website_settings.cc
[modify] https://crrev.com/53ce627c8aa95544706c84a918170a8e53f5a20e/chrome/browser/ui/website_settings/website_settings.h
[modify] https://crrev.com/53ce627c8aa95544706c84a918170a8e53f5a20e/chrome/browser/ui/website_settings/website_settings_ui.h
[modify] https://crrev.com/53ce627c8aa95544706c84a918170a8e53f5a20e/chrome/browser/ui/website_settings/website_settings_unittest.cc
[modify] https://crrev.com/53ce627c8aa95544706c84a918170a8e53f5a20e/tools/metrics/histograms/histograms.xml
Jan 30 2017
Re 36: Those statistics would also support the hypothesis that many users who were previously trying to view certificate details now just gave up. Shouldn't it be important to educate non-dev users about understanding details such as certificate issuers - *especially* in light of HTTPS everywhere?
Feb 1 2017
Hi, This sort of UI/UX change is counterproductive. In many environments we do need to see the certificate chain to verify that there is no MITM occurring. Hiding this information to make it only accessible via obscure developers menus isn't helpful. Can we please put this back in its original location or at least give us a browser config / command line option to offer it to users as needed? Thanks.
Feb 1 2017
RE: #38, #41 - Please star Issue #663971 for updates on a new mechanism for examining certificates. That said, we do not expect users to conduct manual examination of certificate chains for the purposes of detecting a MITM. The browser relies on the system trust store to validate that certificates chain to a trusted certificate anchor. If an attacker can manipulate the system's trusted certificate store, they typically also have the permissions to manipulate memory and running processes, thus hiding themselves from any certificate inspection logic.
Comment 1 by f...@chromium.org, Sep 16 2016