Encryption 09-25-2015

Understanding the Google Chrome 45 Connection Tab

Mark Santamaria

The yellow triangle or red 'X' icons in Google Chrome’s "Connection" Tab are alarming and can be difficult to understand. Below are four brief explanations of what causes the warnings, and some tips for resolving the underlying problems.

Certificate Transparency Information

The identity of this website has been verified by DigiCert SHA2 Secure Server CA. No Certificate Transparency information was supplied by the server.

Screenshot 1: the public audit records section of the Connection Tab

The first paragraph in the Connection Tab tells you whether the certificate has been logged in a public audit record. The public audit records Chrome consults are Certificate Transparency (CT) logs, and the "Certificate Transparency information" the tab refers to is the set of Signed Certificate Timestamps (SCTs) that the server supplies as proof of logging. CT is still in its infancy, so most sites do not supply it yet. Hopefully this will change as CT becomes required for more types of digital certificates.

CT information is currently required only for Extended Validation (EV) SSL Certificates issued after January 1, 2015: an EV certificate without it is still trusted, but Chrome no longer shows the EV (green) indicator for it. CT information is not required for Organization Validated (OV) or Domain Validated (DV) SSL Certificates, so for those the "No Certificate Transparency information was supplied" line is informational, not an error.

The Fix

All DigiCert EV SSL Certificates have CT enabled by default. If you are a DigiCert customer and would like to enable CT for your account, contact our support team. If you’re not a DigiCert customer, simply contact your Certificate Authority (CA) to see what they can do for you. SCTs can reach the browser in three ways: embedded in the certificate itself (the CA's job, and the only option that needs nothing on your server), in a TLS extension, or inside a stapled OCSP response.
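The SCTs behind that message, as an added example (not DigiCert's or Chrome's code): the Python below decodes the SignedCertificateTimestampList structure from RFC 6962 that a server sends in the TLS extension or that a CA embeds in the certificate. The list it parses is constructed in-line with placeholder log IDs and dummy signatures; real SCTs must additionally be verified against the log's public key, which this example does not attempt.

```python
"""Decode a Certificate Transparency SCT list (RFC 6962 section 3.3)."""
import struct
from datetime import datetime, timedelta, timezone

# X.509 extension OID that carries SCTs embedded in a certificate.
SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"

# TLS SignatureAndHashAlgorithm code points (RFC 5246 section 7.4.1.4.1).
HASH_ALGS = {0: "none", 1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_ALGS = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}


def _take(buf, pos, n):
    """Return buf[pos:pos + n] and the new offset, refusing to read past the end."""
    if pos + n > len(buf):
        raise ValueError("truncated SCT structure")
    return buf[pos:pos + n], pos + n


def _u16(buf, pos):
    raw, pos = _take(buf, pos, 2)
    return struct.unpack(">H", raw)[0], pos


def parse_sct(raw):
    """Decode one SignedCertificateTimestamp (version 1 only)."""
    version, pos = _take(raw, 0, 1)
    if version != b"\x00":
        raise ValueError(f"unsupported SCT version {version[0]}")
    log_id, pos = _take(raw, pos, 32)          # SHA-256 of the log's public key
    ts_raw, pos = _take(raw, pos, 8)           # milliseconds since the Unix epoch
    ext_len, pos = _u16(raw, pos)
    extensions, pos = _take(raw, pos, ext_len)
    algs, pos = _take(raw, pos, 2)             # hash algorithm, signature algorithm
    sig_len, pos = _u16(raw, pos)
    signature, pos = _take(raw, pos, sig_len)
    if pos != len(raw):
        raise ValueError("trailing bytes after SCT")
    ms = struct.unpack(">Q", ts_raw)[0]
    return {
        "log_id": log_id.hex(),
        "timestamp": datetime.fromtimestamp(ms // 1000, tz=timezone.utc) + timedelta(milliseconds=ms % 1000),
        "extensions": extensions,
        "hash_alg": HASH_ALGS.get(algs[0], f"unknown({algs[0]})"),
        "sig_alg": SIG_ALGS.get(algs[1], f"unknown({algs[1]})"),
        "signature": signature,
    }


def parse_sct_list(data):
    """Decode a SignedCertificateTimestampList: uint16 total length, then uint16-prefixed SCTs."""
    total, pos = _u16(data, 0)
    if total != len(data) - 2:
        raise ValueError("SCT list length does not match payload")
    scts = []
    while pos < len(data):
        n, pos = _u16(data, pos)
        sct, pos = _take(data, pos, n)
        scts.append(parse_sct(sct))
    if not scts:
        raise ValueError("empty SCT list")
    return scts


def unwrap_octet_string(der):
    """Strip one DER OCTET STRING header. The X.509 extension value is an OCTET STRING
    whose content is itself an OCTET STRING holding the list, so apply this twice to extnValue."""
    if not der or der[0] != 0x04:
        raise ValueError("not an OCTET STRING")
    length, pos = der[1], 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if pos + length != len(der):
        raise ValueError("OCTET STRING length mismatch")
    return der[pos:]


def encode_sct(log_id, timestamp_ms, signature, hash_alg=4, sig_alg=3):
    """Inverse of parse_sct; used only to build the constructed sample below."""
    return (b"\x00" + log_id + struct.pack(">Q", timestamp_ms) + b"\x00\x00"
            + bytes([hash_alg, sig_alg]) + struct.pack(">H", len(signature)) + signature)


def encode_sct_list(scts):
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(body)) + body


# Constructed sample: two SCTs dated 2015-09-25T00:00:00Z. The log IDs and
# signatures are placeholders, not values from any real CT log.
SAMPLE_SCT_LIST = encode_sct_list([
    encode_sct(b"\x11" * 32, 1443139200000, b"\x30\x06\x02\x01\x01\x02\x01\x02"),
    encode_sct(b"\x22" * 32, 1443139200000, b"\x30\x06\x02\x01\x03\x02\x01\x04"),
])

if __name__ == "__main__":
    for sct in parse_sct_list(SAMPLE_SCT_LIST):
        print(sct["log_id"][:16], sct["timestamp"].isoformat(), sct["hash_alg"], sct["sig_alg"])
```

Every length field is bounds-checked before it is trusted, which is the part that matters when the input comes from a remote server rather than from your own CA. The log ID is what you would look up in Chrome's list of accepted logs; an SCT from an unknown log does not count.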

SHA-1

The certificate chain for this website contains at least one certificate that was signed using a deprecated signature algorithm based on SHA-1.

Screenshot 2: the SHA-1 warning in the Connection Tab

If you are seeing a warning icon in the first section of the Connection Tab, it is likely due to the presence of a SHA-1 certificate.

A yellow triangle ("secure, but with minor errors") means that your SSL Certificate expires between January 1, 2016 and December 31, 2016, and a certificate in its chain (the leaf or an intermediate) is signed with SHA-1.

A red 'X' ("affirmatively insecure") means that your SSL Certificate expires on or after January 1, 2017, and a certificate in the chain is signed with SHA-1. In both cases the expiry date that matters is the leaf certificate's, not the intermediate's.

The Fix

If your SSL Certificate is SHA-1 or is issued off of a SHA-1 intermediate certificate, then you need to reissue it to SHA-2. If your certificate is through a different CA, you can reissue your certificate as SHA-2 for free through DigiCert’s SHA-1 Sunset Tool.

If your server also sends a cross-signed copy of a root (a certificate carrying the root's name that was signed with SHA-1 by an older root), you will most likely need to remove it from the chain. Chrome does not check the signature on a self-signed root it already trusts, but a cross-signed copy is treated as an intermediate and triggers the warning, and a client that already trusts the newer root does not need it. DigiCert has instructions for removing the SHA-1 certificate from your server and for resolving the issue in your browser.
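To check a chain the way Chrome 45 does, here is an added example in Python using the cryptography package (not DigiCert's SHA-1 tool or Chrome's code). It builds a throwaway demo chain so that it runs offline; the names "Demo Root", "Demo Intermediate" and "Old Demo Root" are invented, and in practice you would load the PEM chain your server sends with x509.load_pem_x509_certificate and pass that list to sha1_status.

```python
"""Classify a certificate chain the way Chrome 45 treats SHA-1 signatures."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# Thresholds applied to the leaf certificate's expiry (naive UTC datetimes).
MINOR_ERROR_FROM = datetime.datetime(2016, 1, 1)   # yellow triangle
INSECURE_FROM = datetime.datetime(2017, 1, 1)      # red X


def _expiry(cert):
    """notAfter as a naive UTC datetime, across cryptography versions."""
    try:
        return cert.not_valid_after_utc.replace(tzinfo=None)
    except AttributeError:  # cryptography < 42
        return cert.not_valid_after


def sha1_status(chain):
    """chain: certificates as the server sends them, leaf first, root last if present.

    Returns (verdict, subjects of certificates signed with SHA-1). A self-signed
    root is a trust anchor whose signature the browser never checks, so it is
    skipped; a cross-signed copy of a root is not self-signed and therefore counts.
    """
    sha1_signed = [c.subject.rfc4514_string() for c in chain
                   if c.subject != c.issuer and isinstance(c.signature_hash_algorithm, hashes.SHA1)]
    if not sha1_signed:
        return "secure", sha1_signed
    expiry = _expiry(chain[0])
    if expiry >= INSECURE_FROM:
        return "red X (affirmatively insecure)", sha1_signed
    if expiry >= MINOR_ERROR_FROM:
        return "yellow triangle (secure, but with minor errors)", sha1_signed
    return "secure (SHA-1 still tolerated for certificates expiring before 2016)", sha1_signed


# Everything below builds a throwaway demo chain; none of it is a real CA.
def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _cert(subject, issuer, public_key, signing_key, not_after, hash_alg, is_ca):
    return (x509.CertificateBuilder()
            .subject_name(_name(subject))
            .issuer_name(_name(issuer))
            .public_key(public_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(datetime.datetime(2015, 9, 25))
            .not_valid_after(not_after)
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signing_key, hash_alg))


ROOT_KEY, OLD_ROOT_KEY, INTER_KEY, LEAF_KEY = (
    rsa.generate_private_key(public_exponent=65537, key_size=2048) for _ in range(4))


def build_demo_chain(leaf_expiry, intermediate_hash, with_sha1_cross_sign=False):
    """leaf (SHA-256) <- intermediate (intermediate_hash) <- self-signed root (SHA-256).
    Optionally append a SHA-1 cross-signed copy of the root, as an older root would have issued it."""
    root = _cert("Demo Root", "Demo Root", ROOT_KEY.public_key(), ROOT_KEY,
                 datetime.datetime(2030, 1, 1), hashes.SHA256(), True)
    inter = _cert("Demo Intermediate", "Demo Root", INTER_KEY.public_key(), ROOT_KEY,
                  datetime.datetime(2025, 1, 1), intermediate_hash, True)
    leaf = _cert("www.example.com", "Demo Intermediate", LEAF_KEY.public_key(), INTER_KEY,
                 leaf_expiry, hashes.SHA256(), False)
    chain = [leaf, inter, root]
    if with_sha1_cross_sign:
        chain.append(_cert("Demo Root", "Old Demo Root", ROOT_KEY.public_key(), OLD_ROOT_KEY,
                           datetime.datetime(2020, 1, 1), hashes.SHA1(), True))
    return chain


def demo():
    """Verdicts for the situations described in the article."""
    cases = {
        "SHA-1 intermediate, leaf expires 2017-06": build_demo_chain(datetime.datetime(2017, 6, 1), hashes.SHA1()),
        "SHA-1 intermediate, leaf expires 2016-06": build_demo_chain(datetime.datetime(2016, 6, 1), hashes.SHA1()),
        "SHA-2 chain, leaf expires 2017-06": build_demo_chain(datetime.datetime(2017, 6, 1), hashes.SHA256()),
        "SHA-2 chain plus SHA-1 cross-signed root": build_demo_chain(
            datetime.datetime(2017, 6, 1), hashes.SHA256(), with_sha1_cross_sign=True),
    }
    return {name: sha1_status(chain) for name, chain in cases.items()}


if __name__ == "__main__":
    for name, (verdict, culprits) in demo().items():
        print(f"{name}: {verdict} {culprits}")
```

The last case is the cross-signed root situation from the paragraph above: the leaf and intermediate are clean, yet the chain still earns a red X because of the extra SHA-1 certificate the server sends.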

Obsolete Cipher Suite

Your connection to example.com is encrypted using an obsolete cipher suite.

Screenshot 3: the obsolete cipher suite warning in the Connection Tab

There are two reasons this warning may appear: the cryptographic protocol version that was negotiated, or the cipher suite that was negotiated.

TLS

The warning appears if the negotiated protocol is older than TLS 1.2, whatever cipher suite is used.

Cipher Suites

The warning also appears if the negotiated cipher suite is not an AEAD suite, or if its key exchange does not provide forward secrecy. RC4 is the obvious case, but CBC-mode suites with an HMAC (e.g., AES_128_CBC with HMAC-SHA1) and plain RSA key exchange are flagged too. Chrome 45 treats a connection as modern only when it uses TLS 1.2, ECDHE key exchange, and AES_128_GCM, AES_256_GCM or CHACHA20_POLY1305.

The Fix

TLS

Enable support for TLS 1.2 or later on the server. If your TLS library predates TLS 1.2 (for OpenSSL, anything before 1.0.1), upgrade it first.

Insecure Cipher Suites

Enable AEAD cipher suites (AES_128_GCM, AES_256_GCM or CHACHA20_POLY1305) with ECDHE key exchange. If you keep older suites for backwards compatibility, list the AEAD suites first and configure the server to enforce its own preference order, so that a client that supports them never negotiates a weaker suite.

DigiCert Certificate Inspector is a free tool you can use to discover which cipher suites you have enabled on your servers.

Mozilla maintains a “best practices” guide for configuring Server Side TLS.
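Both fixes, as an added example using Python's ssl module (not DigiCert's Certificate Inspector or Chrome's code), together with an audit of a context's enabled suites against Chrome 45's rules. It relies on the fields SSLContext.get_ciphers() reports from OpenSSL; the "legacy" configuration is constructed here for comparison and is not taken from any real server.

```python
"""Audit server TLS settings against Chrome 45's "modern cryptography" rules."""
import ssl

# Forward-secret key exchanges Chrome 45 accepts. OpenSSL reports TLS 1.3
# suites with kea "kx-any"; those are always ECDHE with an AEAD cipher.
MODERN_KEX = {"kx-ecdhe", "kx-ecdhe-psk"}


def chrome45_reasons(info):
    """Why Chrome 45 would call one enabled suite obsolete; info is one dict
    from SSLContext.get_ciphers(). An empty list means the suite is modern."""
    if info["protocol"] == "TLSv1.3":
        return []
    reasons = []
    if info["kea"] not in MODERN_KEX:
        reasons.append(f"key exchange {info['kea']} has no forward secrecy (Chrome 45 wants ECDHE)")
    if not info["aead"]:
        reasons.append(f"{info['symmetric']} with HMAC-{info['digest']} is not an AEAD cipher")
    return reasons


def audit_context(ctx):
    """Minimum protocol and per-suite verdicts for an ssl.SSLContext."""
    modern, obsolete = [], {}
    for info in ctx.get_ciphers():
        reasons = chrome45_reasons(info)
        if reasons:
            obsolete[info["name"]] = reasons
        else:
            modern.append(info["name"])
    return {
        "tls12_minimum": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "modern": modern,
        "obsolete": obsolete,
    }


def harden_context():
    """Server context that only negotiates what Chrome 45 considers modern."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # the "TLS" fix
    # The "cipher suites" fix: ECDHE key exchange with AES-GCM or ChaCha20-Poly1305.
    # OpenSSL names differ from Chrome's (ECDHE-RSA-AES128-GCM-SHA256 is what Chrome
    # shows as ECDHE_RSA with AES_128_GCM); TLS 1.3 suites are kept by OpenSSL automatically.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE    # the server's order wins
    return ctx


def legacy_context():
    """Constructed example of an unmaintained 2015 setup: RSA key exchange and CBC suites first."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("AES128-SHA:AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256")
    return ctx


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_context()), ("hardened", harden_context())):
        report = audit_context(ctx)
        print(f"{label}: TLS 1.2 minimum={report['tls12_minimum']}, "
              f"{len(report['modern'])} modern, {len(report['obsolete'])} obsolete")
        for name, reasons in report["obsolete"].items():
            print(f"  {name}: {'; '.join(reasons)}")
```

The audit only sees what the server would offer; a CBC suite that is enabled but never preferred is still a risk, because a client that lacks AES-GCM support will land on it. Note also that the legacy context can be fine on TLS 1.2 and still show the warning, since the suite, not just the protocol, has to be modern.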

Mixed Content

Further, this page includes other resources which are not secure. These resources can be viewed by others while in transit, and can be modified by an attacker to change the look of the page.

Screenshot 4: the mixed content warning in the Connection Tab

If a website is secured with an SSL Certificate but pulls content over connections that are not encrypted (HTTP), the site is considered to have mixed content. Chrome blocks active mixed content (scripts, stylesheets, iframes and XMLHttpRequest) outright and only warns, with the message above, about passive content such as images, audio and video. If you open the console in your browser (F12) on a page where you see mixed content warnings, the browser lists the resources that cause the warning.

The Fix

All unsecure resources need to be moved to an HTTPS connection. Most popular resources (e.g., social media widgets, embedded videos and images, fonts, APIs) are available over HTTPS. To move them over, update your HTML to request those resources from the HTTPS address instead of HTTP. Check resources that are loaded indirectly as well, such as images referenced from a stylesheet or scripts injected by another script, since the browser treats those the same way. Chrome 43 and later also honor the Content-Security-Policy directive upgrade-insecure-requests, which rewrites http:// subresource requests to https:// before they are sent; it is a useful safety net for content you do not control, but fixing the markup is still the real fix.
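Detecting and upgrading mixed content, as an added Python example (not DigiCert's or Chrome's code). The HTML page it scans is constructed for the demo with made-up hostnames; it assumes Chrome's 2015 behaviour of blocking active content and warning on passive content, and it only rewrites URLs found in subresource attributes, leaving ordinary links alone.

```python
"""Find and upgrade mixed content in an HTML page."""
from html.parser import HTMLParser

# Attributes that make the browser fetch a subresource. <a href> is a
# navigation, not a subresource, so a plain link to an http:// page is not mixed content.
SUBRESOURCE_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "object": ("data",),
    "embed": ("src",),
    "img": ("src", "srcset"),
    "source": ("src", "srcset"),
    "audio": ("src",),
    "video": ("src", "poster"),
}
# Chrome blocks active mixed content outright and merely warns on passive content.
ACTIVE_TAGS = {"script", "link", "iframe", "object", "embed"}


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheets are considered here; icon and prefetch hints are skipped
        for attr in SUBRESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if not value:
                continue
            # srcset is a comma-separated list of "url descriptor" pairs.
            candidates = value.split(",") if attr == "srcset" else [value]
            for candidate in candidates:
                url = candidate.split()[0] if candidate.strip() else ""
                if url.lower().startswith("http://"):
                    self.findings.append({
                        "tag": tag, "attr": attr, "url": url,
                        "effect": "blocked" if tag in ACTIVE_TAGS else "warning",
                    })


def scan(html):
    """Return every http:// subresource reference in the page, with Chrome's treatment of it."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def upgrade(html):
    """Rewrite each http:// subresource found by scan() to https://.

    Only correct once every one of those hosts actually serves the resource over
    HTTPS; a resource that is not available over HTTPS has to be replaced or self-hosted.
    """
    for finding in scan(html):
        html = html.replace(finding["url"], "https://" + finding["url"][len("http://"):])
    return html


# Constructed sample page with invented hostnames.
SAMPLE_PAGE = """<!DOCTYPE html>
<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="http://widgets.example.net/share.js"></script>
<script src="https://widgets.example.net/analytics.js"></script>
</head><body>
<img src="http://images.example.com/logo.png" srcset="http://images.example.com/logo@2x.png 2x">
<iframe src="https://video.example.org/embed/123"></iframe>
<a href="http://example.com/about">About</a>
</body></html>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_PAGE):
        print(f"{finding['effect']:8} <{finding['tag']} {finding['attr']}> {finding['url']}")
    print("after upgrade:", len(scan(upgrade(SAMPLE_PAGE))), "findings")
```

Running the scanner over the pages your server actually emits (or over the DOM after scripts have run, since injected resources count too) gives you the same list the browser console shows, before a visitor sees the warning.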
