Change connection info strings (e.g. SHA-1 cert warnings) to be more
clear to developers.
This commit includes 5 changes that make OIB connection info strings
more clear to developers (and advanced users). Since it has become
impractical to target "normal" users with these strings, the focus is on
using exact terminology instead of "friendly" alternatives. This should
help developers to understand the page's issues at a glance:
https://docs.google.com/document/d/1YgavRvC7_6PoOYHjUuKQL1Mlc718z7F1AnTNGrM92W4/edit#heading=h.kldzb7b775ri
Changes in this commit:
1. The identity section explicitly mentions when an error was caused by
SHA-1 in the certificate chain, instead of referencing "outdated
security settings" (there are no such settings apart from SHA-1
signatures right now). (https://crbug.com/437466)
2. Mentions of "public audit records" have been replaced with mentions
of "Certificate Transparency". The phrase "Public audit records" was
hinting at the implications of CT, but a full understanding of the
string requires knowledge of CT.
Also, the mention of CT has been split into a separate sentence. The
presence of "but" had a strong but incorrect implication that this
affects the lock icon (which will not be the case for non-EV sites in
the near future).
3. The phrase "modern cryptography" is now "modern cipher suite" in
order to distinguish the kind of cryptography in question. (Similarly
for "obsolete cryptography".) This technically doesn't mention the
protocol; however, the main problem usually lies with the cipher
suite rather than the protocol, and all the cipher suites we
currently consider good require TLS 1.2 (or, say, QUIC) as a
prerequisite.
4. Mixed content message: Instead of "However", the sentence now starts
with "Further" so that it still makes sense when the protocol/cipher
suite is obsolete (https://crbug.com/434617).
5. The "SHA1 for message authentication" string (for ciphers with a MAC)
now displays SHA1 as HMAC-SHA1, to be more suggestive that this is a
different use of SHA-1 than for cert signatures. (Similarly for other
TLS MACs.)
Design constraint: In order to make this change as simple as possible,
the code logic has not been touched. The string contents have been
changed, but all strings keep their identifiers and semantics. Also,
these changes are definitely meant as a band-aid. In the medium-long
term, the plan is to remove the connection tab from the OIB and offer
the information in DevTools. (However, we have yet to decide on a plan
to supplant it on mobile.)
Test pages:
#1: https://sha1.badssl.com/
#2:
- DV, no SCT: https://garron.net/
- DV, SCT: https://embed.ct.digicert.com/
- EV, no SCT: https://www.mozilla.org/
- EV, SCT: https://www.bankofamerica.com/
#3:
- "modern": https://garron.net/
- "obsolete": https://rc4.badssl.com/
#4: https://mixed.badssl.com/
#5: https://rc4.badssl.com/
Note that this commit roughly coincides with the reintroduction of
connection info on Android:
- https://crbug.com/425158#c41
- https://chromium.googlesource.com/chromium/src/+/f21c52aeafa701b18ed505347ee0e7a7d07e5d53
Android Chrome users haven't been able to access this information for
the last half year, and will see these new strings directly.
BUG=461045, 434617, 437466
TEST=Visit the test pages (listed above).
Review URL: https://codereview.chromium.org/1109283003
Cr-Commit-Position: refs/heads/master@{#328502}
4 files changed