
Certificate Inspector 05-13-2015

Understanding the Google Chrome Connection Tab


Chrome has made changes to the Connection Tab in Chrome 44. For the updated blog post, click .

The yellow triangle or red 'X' icons in Google Chrome’s "Connection" Tab are alarming and can be difficult to understand. Below are four brief explanations of what causes the warnings and some tips for resolving the related problems.

Public Audit Records

The identity of this website has been verified by TV CA but does not have public audit records.

The first paragraph in the Connection Tab identifies whether a certificate has been logged in a public audit record. The public audit record Chrome uses, and what the Connection Tab refers to, is Certificate Transparency (CT). CT is still in its infancy, so most sites will not have it enabled. Hopefully, this will change as CT becomes required for more types of digital certificates.

Public audit records are currently required only for Extended Validation (EV) SSL Certificates issued after January 1, 2015. Public audit records are not required for Organization Validated (OV) or Domain Validated (DV) SSL Certificates.

The Fix

All TV EV SSL Certificates have CT enabled by default. If you are a TV customer and would like to enable CT for your account, contact our support team. If you’re not a TV customer, simply contact your Certificate Authority (CA) to see what they can do for you.

SHA-1

The site is using outdated security settings that may prevent future versions of Chrome from being able to safely access it.

If you are seeing a warning icon in the first section of the Connection Tab, it is likely due to the presence of a SHA-1 certificate.

A yellow triangle typically means that your SSL Certificate expires between January 1, 2016, and January 1, 2017, and also has a SHA-1 certificate in the certificate chain.

A red 'X' generally means that your SSL Certificate expires after January 1, 2017, and there is a SHA-1 certificate in the certificate chain.

The Fix

If your SSL Certificate is SHA-1 or was issued from a SHA-1 intermediate certificate, then you need to reissue it as SHA-2. If your certificate was issued by a different CA, you can reissue it as SHA-2 for free through TV’s SHA-1 Sunset Tool.

If there is an extra cross-chained SHA-1 root certificate in the chain, then you will most likely need to remove it. Click to remove the SHA-1 certificate from your server, and click to resolve the issue on your browser.
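The rule above (leaf expiry date combined with a SHA-1 signature anywhere in the served chain) is easy to check without a browser. The script below is an added example, not code from the original post or from TV's tools: it reads only the signature-algorithm OID and the notAfter date from each DER-encoded certificate with a minimal standard-library DER walker, then applies the yellow/red rule as the text states it. Assumptions: the chain is passed leaf first; an expiry falling exactly on January 1 is treated as "after" that boundary; certificates expiring before 2016 (which the text does not cover) are reported as "none". The `fake_certificate` builder produces constructed, unsigned fixtures for demonstration only; on a real server you would feed `classify_chain` the DER bytes of each certificate in the chain as served.

```python
from datetime import datetime, timezone

# Signature-algorithm OIDs whose scheme hashes with SHA-1.
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
# Boundaries from the text; an expiry on the boundary day is treated as "after" it (assumption).
YELLOW_FROM = datetime(2016, 1, 1, tzinfo=timezone.utc)
RED_FROM = datetime(2017, 1, 1, tzinfo=timezone.utc)

def _tlv(buf, pos):
    """Decode one DER tag/length header; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element inside a SEQUENCE body."""
    pos = start
    while pos < end:
        tag, vstart, vend = _tlv(buf, pos)
        yield tag, vstart, vend
        pos = vend

def _decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:  # base-128 arcs, high bit set on all but the last byte
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def _decode_time(tag, raw):
    text = raw.decode("ascii")
    if tag == 0x17:  # UTCTime YYMMDDHHMMSSZ; RFC 5280 pivots the century at 50
        yy = int(text[:2])
        text = f"{1900 + yy if yy >= 50 else 2000 + yy}{text[2:]}"
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_certificate(der):
    """Return (signature_algorithm_oid, not_after) for one DER-encoded certificate."""
    _, body_start, body_end = _tlv(der, 0)  # Certificate ::= SEQUENCE
    tbs, sig_alg, _sig_value = _children(der, body_start, body_end)
    fields = list(_children(der, tbs[1], tbs[2]))
    if fields[0][0] == 0xA0:  # optional [0] EXPLICIT version
        fields = fields[1:]
    validity = fields[3]  # serialNumber, signature, issuer, validity, subject, ...
    _not_before, not_after = _children(der, validity[1], validity[2])
    oid = next(_children(der, sig_alg[1], sig_alg[2]))
    return (_decode_oid(der[oid[1]:oid[2]]),
            _decode_time(not_after[0], der[not_after[1]:not_after[2]]))

def classify_chain(chain_der):
    """Apply the text's rule to a served chain (leaf first).
    Returns (level, names of SHA-1-signed certificates); level is none, yellow or red."""
    parsed = [parse_certificate(der) for der in chain_der]
    hits = [SHA1_SIGNATURE_OIDS[oid] for oid, _ in parsed if oid in SHA1_SIGNATURE_OIDS]
    leaf_expiry = parsed[0][1]
    if not hits or leaf_expiry < YELLOW_FROM:
        return "none", hits
    return ("yellow" if leaf_expiry < RED_FROM else "red"), hits

# --- constructed fixtures: structurally minimal, unsigned, not real certificates ---
def _der(tag, body):
    assert len(body) < 0x80  # short-form lengths are enough for these fixtures
    return bytes([tag, len(body)]) + body

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.insert(0, (arc & 0x7F) | 0x80)
        out += chunk
    return bytes(out)

def fake_certificate(sig_oid, expires):
    """Build a fixture with the given signature OID and notAfter date ('YYYY-MM-DD')."""
    def utc(d): return _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)))
    validity = _der(0x30, utc(datetime(2015, 1, 1)) + utc(datetime.strptime(expires, "%Y-%m-%d")))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _der(0x30, b"") + validity + _der(0x30, b"") + _der(0x30, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))

if __name__ == "__main__":
    chain = [fake_certificate("1.2.840.113549.1.1.11", "2018-06-01"),
             fake_certificate("1.2.840.113549.1.1.5", "2020-01-01")]
    print(classify_chain(chain))  # ('red', ['sha1WithRSAEncryption'])
```

Note that the walker checks every certificate the server sends, so an extra cross-signed SHA-1 root that an administrator left in the bundle is reported just like a SHA-1 intermediate; removing it from the server-side chain file, as the text says, clears the hit.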

Obsolete Cryptography

Your connection to example.com is encrypted with obsolete cryptography.

There are two reasons this warning may appear: one is the cryptographic protocol being used, and the other is the set of cipher suites that are enabled.

TLS

The warning message will appear if TLS 1.2+ is not supported.

Cipher Suites

The warning message will also appear if insecure cipher suites (e.g., RC4) are enabled.

The Fix

TLS

Enable support for TLS 1.2+.

Insecure Cipher Suites

Enable secure cipher suites (AES_128_GCM). If you are keeping deprecated cipher suites for backwards compatibility, then you need to prioritize AES_128_GCM over the other cipher suites.

TV Certificate Inspector is a free tool you can use to discover which cipher suites you have enabled on your servers.

Mozilla maintains a “best practices” guide for .
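The two causes and the two fixes above can be expressed as a small check plus a server-side configuration. The block below is an added example, not code from the original post, Chrome, or TV's Certificate Inspector. `is_obsolete` evaluates what Python's `ssl` module reports after a handshake (`sock.version()` and `sock.cipher()[0]`) against the criteria the text names: protocol below TLS 1.2, or a deprecated (RC4-style) or non-AEAD cipher. `hardened_server_context` is the fix as an `ssl.SSLContext`: TLS 1.2 as the minimum, AES-128-GCM prioritized, RC4 and similar suites excluded. The cipher-name fragments and the commented Apache-style "before" configuration are assumptions chosen for illustration.

```python
import ssl

# Cipher-name fragments (OpenSSL naming, as ssl.SSLSocket.cipher() reports them)
# that mark a deprecated algorithm; RC4 is the one the text names.
DEPRECATED_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5")
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")


def is_obsolete(protocol, cipher_name):
    """Judge a negotiated session by the two causes the text describes.
    protocol and cipher_name are what sock.version() and sock.cipher()[0] return."""
    reasons = []
    if protocol not in ("TLSv1.2", "TLSv1.3"):
        reasons.append(f"{protocol}: TLS 1.2+ not in use")
    if any(m in cipher_name for m in DEPRECATED_MARKERS):
        reasons.append(f"{cipher_name}: deprecated cipher")
    elif not any(m in cipher_name for m in AEAD_MARKERS):
        reasons.append(f"{cipher_name}: not an AEAD suite such as AES_128_GCM")
    return bool(reasons), reasons


def audit_handshake(tls_sock):
    """Run is_obsolete against a connected ssl.SSLSocket (needs a live connection)."""
    return is_obsolete(tls_sock.version(), tls_sock.cipher()[0])


# The kind of server configuration that produces the warning, shown in Apache
# mod_ssl syntax for illustration (assumed example; not executed here, and current
# OpenSSL builds no longer compile RC4 in, so it cannot be reproduced in an SSLContext):
#   SSLProtocol     all -SSLv2 -SSLv3          # still allows TLS 1.0 / 1.1
#   SSLCipherSuite  RC4-SHA:AES128-SHA:DES-CBC3-SHA


def hardened_server_context():
    """The text's fix as an ssl.SSLContext: TLS 1.2+ only, AES-128-GCM first,
    the other AEAD suites next, RC4/3DES/anonymous/MD5 suites excluded."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(
        "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
        "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES"
    )
    return ctx


def enabled_cipher_names(ctx):
    """Cipher suites the context will offer, in priority order (TLS 1.3 suites come first)."""
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    for proto, suite in [("TLSv1", "RC4-SHA"), ("TLSv1.2", "AES128-SHA"),
                         ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256")]:
        print(proto, suite, is_obsolete(proto, suite))
    print(enabled_cipher_names(hardened_server_context()))
```

Running the script prints the verdict for three constructed sessions (TLS 1.0 with RC4 fails on both counts, TLS 1.2 with AES128-SHA fails only on the cipher, TLS 1.2 with AES-128-GCM passes) and then the suite list the hardened context would actually offer, which is what you want to compare against what TV Certificate Inspector reports for your server.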

Mixed Content

However, this page includes other resources which are not secure. These resources can be viewed by others while in transit, and can be modified by an attacker to change the look of the page.

If a website is secured with an SSL Certificate but pulls content over connections that are not encrypted (HTTP), then the site is considered to have mixed content. If you open the console in your browser (F12) on a page where you see mixed content warnings, the browser will typically report which resources are causing the warning.

The Fix

All insecure resources need to be moved over to an HTTPS connection. Most popular resources (e.g. social media widgets, embedded videos and images, fonts, APIs) are available over HTTPS. To move them over, update your HTML to request those resources from the HTTPS address instead of HTTP.
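Finding the offending resources before the browser does, and applying the rewrite the text describes, can be scripted. The scanner below is an added example, not code from the original post: it walks the HTML with the standard-library parser, reports every sub-resource (script, stylesheet, image, frame, media) requested over plain `http://`, labels it active or passive the way browsers do (active loads are blocked outright, passive ones only cost the page its secure indicator), and `upgrade_to_https` rewrites each flagged URL to its `https://` address. The element-to-attribute table, the active/passive split and the sample page are assumptions made for the example; the sample page is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements whose attribute triggers a sub-resource fetch. Anchors and forms are left out:
# navigating to HTTP is not mixed content; loading a resource over HTTP into an HTTPS page is.
RESOURCE_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "audio": "src", "video": "src",
    "source": "src", "embed": "src", "object": "data", "link": "href",
}
# Script-capable loads are "active" mixed content (blocked by browsers); media is "passive".
ACTIVE_TAGS = {"script", "iframe", "link", "object", "embed"}


class MixedContentScanner(HTMLParser):
    """Collect every sub-resource reference that uses a plain http:// URL."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheet links are fetched as sub-resources in this example
        url = attrs.get(attr)
        # Scheme-relative (//host/...) and https:// URLs are loaded over TLS and are fine.
        if url and urlsplit(url).scheme == "http":
            self.findings.append({
                "line": self.getpos()[0], "tag": tag, "url": url,
                "kind": "active" if tag in ACTIVE_TAGS else "passive",
            })


def find_mixed_content(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def upgrade_to_https(html):
    """Apply the text's fix: point each flagged resource at its https:// address.
    This is a text-level rewrite; confirm afterwards that every host serves HTTPS."""
    for finding in find_mixed_content(html):
        secure_url = urlsplit(finding["url"])._replace(scheme="https").geturl()
        html = html.replace(finding["url"], secure_url)
    return html


# Constructed sample page (not from the original post).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<script src="http://cdn.example.net/app.js"></script>
<script src="//cdn.example.net/analytics.js"></script>
</head><body>
<img src="http://images.example.net/logo.png">
<img src="https://images.example.net/hero.png">
<a href="http://example.net/about">About</a>
</body></html>"""

if __name__ == "__main__":
    for f in find_mixed_content(SAMPLE_HTML):
        print(f"line {f['line']}: {f['kind']} <{f['tag']}> loads {f['url']}")
```

On the sample page the scanner flags the stylesheet, the script and the logo image (three findings, two active and one passive) and leaves the scheme-relative script, the HTTPS image and the plain link alone; after `upgrade_to_https` a second scan returns nothing.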
