Tuesday, November 01, 2011

#Chrome #security is a bit too much

The logo for the Hindi #Wikipedia is used as an illustration on a previous post. Illustrations like this can be saved from the "page view info" that is available by right clicking a web page.

Chrome apparently does not like the Hindi Wikipedia; not only does it prevent me from accessing the page view info, the information is incorrect as well.

I did use Chrome before today. I am quite happy for Chrome to provide me with a security warning; I hate it when it prevents me to do my job.

Particularly nasty is the warning:
The site uses SSL, but Google Chrome has detected either high-risk insecure content on the page or problems with the site’s certificate. Don’t enter sensitive information on this page. Invalid certificate or other serious https issues could indicate that someone is attempting to tamper with your connection to the site.
Such warnings should be taken seriously and reported, but I am quite happy to use Firefox instead.


brion said...

As far as I can see it's actually doing just fine -- it was whinging because hi.wikipedia.org was loading several JavaScript enhancements explicitly over http.

Various browsers have different behavior in this case; Firefox can throw up a scary dialog box on every page view (and even if you disable that, it still colors the URL bar as if you were on an unencrypted page). Chrome does the big scary X-ing out of the 'https', and shows you scary details in the page info popup. IE in latest versions just ignores any of the content that came over HTTP unless you opt back into it by clicking on a little bar at the bottom of the window.

In any case, I've fixed the scripts to load using protocol-independent links and all seems happier now. :)

Ryan Lane said...

Yeah. Mixed-content is the problem (content loading over http instead of https), and Chrome is correct in warning you against it. Mixed-content is evil. It can be used to attack you while in https mode.

Fixing the content to load using protocol-relative URLs, like Brion so kindly did (thank you Brion), solves the problem.

Basically, at this point in time, most of the things that cause mixed content to load are site JavaScript and CSS. Site admins should be chasing this stuff down when they see it :).

Arkanosis said...

“I hate it when it prevents me to do my job” — well, what it does is prevent you from sending your password and your cookies to everyone on the Internet. I hate it as much as firemen preventing me from working in a burning office :-)
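
For site admins chasing down the mixed content described in the comments above, here is a small audit script. It is an added example, not part of the original post or its comments. It lists `http://` subresources in a page's HTML and shows the protocol-relative form of each; the names `find_mixed_content` and `to_protocol_relative` and the sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# URL attributes that load code or styling (active) or only media (passive).
ACTIVE = {"script": "src", "iframe": "src", "link": "href"}
PASSIVE = {"img": "src", "audio": "src", "video": "src"}
CSS_REF = re.compile(r"""(@import\s+(?:url\(\s*)?|url\(\s*)['"]?(http://[^'")\s]+)""", re.I)


class MixedContentFinder(HTMLParser):
    """Collects http:// subresources that a page served over https would load."""

    def __init__(self):
        super().__init__()
        self.findings = []      # (kind, where, url)
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self._in_style = tag == "style"
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return              # only stylesheet links are checked here
        for kind, table in (("active", ACTIVE), ("passive", PASSIVE)):
            url = (attrs.get(table[tag]) or "").strip() if tag in table else ""
            if url.lower().startswith("http://"):
                self.findings.append((kind, tag, url))

    def handle_endtag(self, tag):
        self._in_style = False

    def handle_data(self, data):
        if self._in_style:      # @import pulls in CSS; url() pulls in media
            for m in CSS_REF.finditer(data):
                kind = "active" if m.group(1)[0] == "@" else "passive"
                self.findings.append((kind, "style", m.group(2)))


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


def to_protocol_relative(url):
    # http://host/path -> //host/path, so the page's own scheme is reused.
    return "//" + url[len("http://"):] if url.lower().startswith("http://") else url


# Constructed sample page; example.org is a placeholder host.
SAMPLE = """<script src="http://example.org/gadget.js"></script>
<link rel="stylesheet" href="//example.org/site.css">
<style>@import url("http://example.org/extra.css");
body { background: url(http://example.org/bg.png) }</style>
<img src="http://example.org/logo.png"><a href="http://example.org/">link</a>"""
```

Ordinary `<a href>` links are not reported, because following a link does not load content into the https page.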