Why does Google Chrome only warn about certain unencrypted connections? - google-chrome

Compare the 2 screencaps below.
Each is to a different unsecured page where a login can be performed.
Why does Chrome warn only in the first instance and not the second?
I'm assuming it is something to do with encryption... and if yes, what exactly?
Note:
the first screencap is from a visit to: http://test.idempiere.org/
the second screencap is from a visit to a PrestaShop installation on a private VPS. PrestaShop is a popular e-commerce CMS.

If you use http connections you are always prone to many attack vectors, but they are still so widely used that no browser warns about them yet (although see Mozilla's proposal for deprecating unencrypted http). But you are right, those connections are definitely insecure.
However, currently HTTPS connections are checked against "known good" Certificate Authorities. If your connection does not have a trusted certificate chain, it is frowned upon.
Thankfully, these days you can get free HTTPS validation thanks to the EFF's initiative Let's Encrypt.

First, the SSL certificate is created by PrestaShop, not by an SSL company, so your OS does not know the issuer of the SSL cert. And the cert is expired. You can make a certificate at Let's Encrypt if you want to get it for free: https://letsencrypt.org/.
That was what my browser said (in German).

Related

HSTS workaround for Chrome for Dev Environment

We are looking for a way to have Chrome bypass the HSTS requirements for our dev environment.
We are working on a project for https://foo.com.
Within our organization's internal DNS we have DNS entries for foo.com.dev which point to our internal dev server, which has historically allowed us to reach our dev server via https://foo.com.dev. Secure web requests to this site have always been met with a security warning that we have been able to bypass, but in a recent build of Chrome it seems that the ability to bypass the warning has been removed. We can continue to use this method in IE but would like to be able to test Chrome as well.
Additionally, developers have been able to use their own machine names as suffixes, for example https://foo.com.workstation10.
Any suggestions would be very welcome because the prospect of reconfiguring our entire dev environment is not a pleasant one.
To be clear, access to these sites is entirely limited to internal users by both firewall setup and DNS configuration.
You can try one of the following options:
Send the Strict-Transport-Security header only for foo.com, and do not specify includeSubDomains.
Make self-signed certificates for foo.com.dev on the server and import them into Chrome on your local device.
If your target domain is restricted to internal purposes only, you can bypass it by just typing badidea in the Chrome window. Further details are available here.
For more details about HSTS refer to the HSTS RFC.
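As an added example (not from the thread), here is a minimal model of how a browser stores and applies HSTS policies per RFC 6797; it shows which hosts a Strict-Transport-Security header sent by foo.com reaches with and without includeSubDomains, and treats the browser's built-in preload list as entries no header can clear. The host names are the thread's; the preloaded entry used for illustration is an assumption.

```python
def parse_hsts(header):
    """Return (max_age, include_subdomains) for a Strict-Transport-Security value.
    Directive names are case-insensitive and may appear in any order (RFC 6797)."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return max_age, include_sub

class HstsStore:
    """Policies learned from headers plus a fixed preload set. Preloaded entries
    ship inside the browser and cannot be cleared by a header, so they are kept
    apart from the dynamic ones. Preload names given here are illustrative."""

    def __init__(self, preloaded=()):
        self.dynamic = {}                          # host -> include_subdomains
        self.preloaded = {h.lower(): True for h in preloaded}

    def observe(self, host, header):
        """Record a header received over HTTPS from host."""
        max_age, include_sub = parse_hsts(header)
        host = host.lower()
        if max_age == 0:
            self.dynamic.pop(host, None)           # max-age=0 deletes the policy
        else:
            self.dynamic[host] = include_sub

    def must_use_https(self, host):
        """True on an exact match, or when a parent domain has a policy with
        includeSubDomains. Matching is by DNS label, so foo.com.dev is a
        subdomain of com.dev and of dev, never of foo.com."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            for table in (self.dynamic, self.preloaded):
                if candidate in table and (i == 0 or table[candidate]):
                    return True
        return False
```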

Site loads on HTTP but not on HTTPS

Is there any reason why a file may load over http but not over https?
I am curious because I just enabled SSL on a subdomain and it does not seem to be working properly. I can see the green lock, but if I load the site with it, I see no files.
Like if I have a file at
http://site.exmpl.org/file.html
when I go to
https://site.exmpl.org/file.html
it does not load.
I have SSL enabled because I have the green lock; also I am using Cloudflare, if that helps.
I assume that you may have your SSL mode configured to "Full" in the Cloudflare Crypto section, but lack an SSL certificate installation on your subdomain.
--If not--
You may not have SNI or a dedicated IP set up for your website; then your Apache server is likely using your certificate, but connecting to the web space of whoever first set up an SSL certificate on that server. This is often a problem in shared web hosting environments. You can attempt to contact your provider to ask for help in getting SNI properly configured. You can also acquire a dedicated IP from your provider.
In the Cloudflare dashboard, under the SSL/TLS section, go to Edge Certificates instead of Overview.
In Edge Certificates there is an option called "Always Use HTTPS", which explains: "Redirect all requests with scheme “http” to “https”. This applies to all http requests to the zone." Just turn it on and after some time you are good to go.

Site uses SHA-2 but Chrome still warns about weak SHA-1

I have multiple sites secured with SSL. All are from the same provider. At one domain Chrome says:
This site uses a weak security configuration (SHA-1 signatures), so
your connection may not be private.
I tested the domain with ssllabs.com and I got an A. Also tested with shaaaaaaaaaaaaa.com and it says, my domain has a verifiable certificate chain signed with SHA-2.
Here are my SSL settings in Apache2:
SSLEngine on
SSLProtocol all -SSLv3 -SSLv2
SSLHonorCipherOrder On
SSLInsecureRenegotiation off
SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
SSLCertificateFile /etc/ssl/certs/xxxcert.cert
SSLCertificateKeyFile /etc/ssl/private/xxxkey.key
SSLCertificateChainFile /etc/ssl/certs/sub.class1.server.ca.pem
I haven't got any errors in my error.log. Can somebody help me, where should I continue the debugging?
The problem is likely that a certificate upwards in the chain is using SHA1, whereas your own one is using SHA2. My advice is to see if you can find an updated version of your chain file which uses SHA2.
Given that Google announced this in September 2014, you would think any reputable certificate authority would be supplying secure chain files by now.
You can find more information on this particular issue here: Why Chrome Thinks your SHA-2 Certificate Chain is "Affirmatively Insecure"
More information on why Google are sunsetting SHA1 is available here: Why Google is Hurrying the Web to Kill SHA-1.
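As an added example (not from the thread or the linked articles), the following standard-library script walks every certificate in a PEM chain file such as the SSLCertificateChainFile above and reports its signature algorithm, flagging SHA-1, so the offending certificate in the chain can be found without guessing. The DER walker reads only enough ASN.1 to reach the outer signatureAlgorithm field; SAMPLE_CHAIN is a constructed pair of certificate shells (empty tbsCertificate) so the example runs offline.

```python
import base64
import re

OID_NAMES = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
             "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
             "1.2.840.10045.4.1": "ecdsa-with-SHA1",
             "1.2.840.10045.4.3.2": "ecdsa-with-SHA256"}

def der_tlv(buf, pos):
    """Read one DER element at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    parts, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                        # base-128 digits, high bit = more to come
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))

def signature_algorithm(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    _, cert, _ = der_tlv(der, 0)
    _, _, pos = der_tlv(cert, 0)             # skip the whole tbsCertificate
    _, alg_id, _ = der_tlv(cert, pos)        # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    _, oid, _ = der_tlv(alg_id, 0)
    dotted = decode_oid(oid)
    return OID_NAMES.get(dotted, dotted)     # unknown OIDs are reported in dotted form

def audit_chain(pem_text):
    """Return [(index, algorithm, uses_sha1)] for every certificate in the PEM text."""
    blobs = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    algs = [signature_algorithm(base64.b64decode("".join(b.split()))) for b in blobs]
    return [(i, alg, "sha1" in alg.lower()) for i, alg in enumerate(algs)]

def _skeleton_cert_pem(oid_hex):
    """Constructed sample: a certificate shell whose tbsCertificate is empty."""
    def der(tag, body):                      # short-form length is enough here
        return bytes([tag, len(body)]) + body
    alg = der(0x30, der(0x06, bytes.fromhex(oid_hex)) + der(0x05, b""))
    cert = der(0x30, der(0x30, b"") + alg + der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(cert).decode()

SAMPLE_CHAIN = (_skeleton_cert_pem("2a864886f70d01010b")    # sha256WithRSA (leaf)
                + _skeleton_cert_pem("2a864886f70d010105"))  # sha1WithRSA (intermediate)
```

Run audit_chain(open(path).read()) on the real chain file; note that browsers do not verify the self-signed root's own signature, so a SHA-1 root by itself does not trigger this warning, while a SHA-1 intermediate does.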

How to fix Chrome's Refused to set unsafe header "Connection"

I'm using Advanced REST Client to test an external API which requires me to specify
Connection: Keep-Alive. The connection fails (NO RESPONSE), and inspecting the Chrome console I noticed Refused to set unsafe header "Connection" followed by net::ERR_INSECURE_RESPONSE.
Are there any Chrome settings that allow me to override this? BTW, the API works when I use external tools like Apigee. I've tried the Chrome CORS extension (Allow Control Allow Origin) but was still unsuccessful.
The issue is that Chrome is refusing to load a resource that has an invalid or expired SSL certificate. Even if you could get it to bypass that, it would be a bad idea as it would make man-in-the-middle attacks easier in your application.
My suggestion would be (if you trust the server or if it's running locally) to import that certificate into your store so it's trusted in your development environment. If the cert is expired and it's hosted locally, look at the documentation on how to change the certificate or to add a self-signed one (which you then also would add to your trusted sites).
How to add a self-signed cert to your store:
For Mac
For Windows
You'll have to restart Chrome for it to see the certs in the store after doing this.
Again, be sure you trust these certs' origin, as they'll be considered trusted as if a legitimate CA had issued them.

How to Disable the Check for Server Certificate Revocation in windows phone 8

In my WP8 app,
I enter an open wifi which is operated by a communication operator,
blocked by a portal page that needs an account and password to log in;
after I post some data to a https url
I have the ability to use the wifi network to access the internet freely.
Now, I encounter a problem:
before the https connection is established successfully, it will be running the Online Certificate Status Protocol (OCSP).
OCSP needs to access a CA like VeriSign to verify the server certificate status,
but I have no internet access at this moment.
So, my app returns a WebException whose description is "The remote server returned an error: NotFound". I think it is because of the failure of OCSP.
Based on the above, I want to find a solution to solve this:
My point is to disable the OCSP mechanism. Do you know how to do this?
And I also would like to know if there is another solution to solve the problem.
Hope for your advice, thanks!
The way you'd do that on .NET is to set the ServicePointManager.ServerCertificateValidationCallback delegate and perform the logic you want to perform. But, unfortunately that is not yet available on Windows Phone.
There are various UserVoice suggestions related to this, for example:
http://windowsphone.uservoice.com/forums/101801-feature-suggestions/suggestions/2146033-allow-self-signed-and-corporate-certificates-for-s
http://windowsphone.uservoice.com/forums/101801-feature-suggestions/suggestions/4299617-client-ssl-certificate-authentication
They don't apply to you directly, but if they end up gaining access to ServicePointManager then you'll be able to do what you want to do.