Change connection info strings (e.g. SHA-1 cert warnings) to be more clear to developers.

This commit includes 5 changes that make OIB connection info strings more clear to developers (and advanced users). Since it has become impractical to target "normal" users with these strings, the focus is on using exact terminology instead of "friendly" alternatives. This should help developers to understand the page's issues at a glance: https://docs.google.com/document/d/1YgavRvC7_6PoOYHjUuKQL1Mlc718z7F1AnTNGrM92W4/edit#heading=h.kldzb7b775ri

Changes in this commit:

1. The identity section explicitly mentions when an error was caused by SHA-1 in the certificate chain, instead of referencing "outdated security settings" (there are no such settings apart from SHA-1 signatures right now). (https://crbug.com/437466)

2. Mentions of "public audit records" have been replaced with mentions of "Certificate Transparency". The phrase "public audit records" was hinting at the implications of CT, but a full understanding of the string requires knowledge of CT. Also, the mention of CT has been split into a separate sentence. The presence of "but" had a strong but incorrect implication that this affects the lock icon (which will not be the case for non-EV sites in the near future).

3. The phrase "modern cryptography" is now "modern cipher suite" in order to distinguish the kind of cryptography in question. (Similarly for "obsolete cryptography".) This technically doesn't mention the protocol; however, the main problem usually lies with the cipher suite rather than the protocol, and all the cipher suites we currently consider good require TLS 1.2 (or, say, QUIC) as a prerequisite.

4. Mixed content message: Instead of "However", the sentence now starts with "Further" so that it still makes sense when the protocol/cipher suite is obsolete (https://crbug.com/434617).

5. The "SHA1 for message authentication" string (for ciphers with a MAC) now displays SHA1 as HMAC-SHA1, to be more suggestive that this is a different use of SHA-1 than for cert signatures. (Similarly for other TLS MACs.)

Design constraint: In order to make this change as simple as possible, the code logic has not been touched. The string contents have been changed, but all strings keep their identifiers and semantics.

Also, these changes are definitely meant as a band-aid. In the medium-long term, the plan is to remove the connection tab from the OIB and offer the information in DevTools. (However, we have yet to decide on a plan to supplant it on mobile.)

Test pages:
#1: https://sha1.badssl.com/
#2:
- DV, no SCT: https://garron.net/
- DV, SCT: https://embed.ct.digicert.com/
- EV, no SCT: https://www.mozilla.org/
- EV, SCT: https://www.bankofamerica.com/
#3:
- "modern": https://garron.net/
- "obsolete": https://rc4.badssl.com/
#4: https://mixed.badssl.com/
#5: https://rc4.badssl.com/

Note that this commit roughly coincides with the reintroduction of connection info on Android:
- https://crbug.com/425158#c41
- https://chromium.googlesource.com/chromium/src/+/f21c52aeafa701b18ed505347ee0e7a7d07e5d53

Android Chrome users haven't been able to access this information for the last half year, and will see these new strings directly.

BUG=461045, 434617, 437466
TEST=Visit the test pages (listed above).

Review URL: https://codereview.chromium.org/1109283003

Cr-Commit-Position: refs/heads/master@{#328502}