(Feature Request) Update user-facing error string for SHA1 certificates to be more user friendly
Issue description

In M56, we will no longer support sites that use SHA1 certificates per http://crbug.com/652527

Visiting a test site like https://sha1.badssl.com/ in M56+ shows:

========
Your connection is not private
Attackers might be trying to steal your information from sha1.badssl.com (for example, passwords, messages, or credit cards).
NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM
Automatically report details of possible security incidents to Google. Privacy policy
========

This error message is not user friendly as the user has no idea why the site is not working. Additionally, it will be hard for gCon to separate out users who have encountered a site with this error from a user who is encountering another problem like captive portal, HSTS, etc.

We've found in user feedback that users search for help content on "Your connection is not private" and do not specifically search for "ERR_CERT_WEAK_SIGNATURE_ALGORITHM".

Can we make the following request:
1) Have a dedicated error string specifically mentioning SHA1
2) Let the user know in the error message (or link to help content) so that the user is aware they cannot access the site, and that the website owner will need to update their certificate?

It is super frustrating for the user who spends time trying to troubleshoot an error they cannot fix. (Our help center already has steps to fix general Connection Not Private errors: https://support.google.com/chrome/answer/6098869?hl=en, and the user may try these steps in vain.)

Example user report: https://goto.google.com/crbug-675229-report
,
Dec 16 2016
Emily, where did we land on the advanced/details string for SHA1? I'd prefer not to change the top level title and body message strings but (per our usual pattern) am happy for the details section to include information that is more technical and err-code specific.
,
Dec 16 2016
(+shimi as FYI)
,
Dec 16 2016
https://bugs.chromium.org/p/chromium/issues/detail?id=653691#c15 has the updated CL for the string.

The details string (now) says "the server presented a certificate signed using a weak signature algorithm (such as SHA-1)"

Melody: Are your concerns at all ameliorated knowing that Firefox is releasing this blocking as well (in their Jan release) and Microsoft IE/Edge are landing it on Feb 14? Apple's also said apps deploying exceptions (to allow SHA-1) will have to be granted exemptions by the appstore starting Jan 2017.
,
Dec 17 2016
I believe we added "(such as SHA-1)" to the advanced text.
,
Dec 19 2016
I did. I've also pinged bustamante@ via email a few times about merging the string to M56, but haven't gotten a reply.
,
Dec 19 2016
,
Dec 19 2016
cc manji@ as it sounds like this requires translation of a new string on 56
,
Dec 19 2016
Alright, popkin@ checked with bustamante@. Requesting a merge of https://chromium.googlesource.com/chromium/src.git/+/e7f8c938ab86d0c66604bbb9ce0c701c4985ff92 (crbug comment for the CL: https://bugs.chromium.org/p/chromium/issues/detail?id=653691#c15)
,
Dec 19 2016
Oh, wait, that commit is actually *already* a merge by awhalley@ to M56. manji@: Let me know if I need to follow up with anything for translations.
,
Dec 19 2016
lgarron: Could you clarify what you're requesting a merge for? https://storage.googleapis.com/chromium-find-releases-static/e7f.html#e7f8c938ab86d0c66604bbb9ce0c701c4985ff92 was integrated into M-56, it sounds like the issue is that the string needs to be re-sent to translators? (per Comment #8)?
,
Dec 27 2016
Re #2, yep this is the change Lucas made!
Re #11, https://codereview.chromium.org/2504233005
Comment 1 by melodychu@chromium.org, Dec 16 2016