Chrome 54 Features Better Messaging For Server Admins.
Google Chrome 54 released last week, and like every new version of Chrome, there have been some changes to Chrome’s SSL/TLS and networking capabilities and features.
The most notable changes in Chrome 54 are expanded information in the Security panel in Developer Tools, along with fixes for two problematic bugs in macOS Sierra.
Improved Messaging In Developer Tools
Lots of useful information about a site’s SSL configuration lives in the Security panel in Chrome’s Developer Tools. This is where you must now go for any serious information after Chrome removed the Connection panel (which was accessible by clicking the lock icon in the address bar) a few versions ago.
With the release of Chrome 54, the Security panel now provides additional information about bad SSL configurations, giving server admins a helping hand to improve their site’s SSL security.
The Security panel will specifically call out weak ciphers and blocked mixed content in grey info bullets, as seen in the screenshot below.
Another small, but helpful improvement has been made to the full-page interstitial errors that appear for major problems with a site’s SSL configuration (expired certificate, obsolete protocol, etc). A “Learn More” link to a support page about how to “Fix connection errors” has been added to these Interstitial error pages to provide a bit more context to people who encounter them.
Certificate Chain Fetching Bug Fixed In Sierra
Google Chrome has a functionality known as AIA fetching to retrieve the needed intermediate certificates when a server has not been properly configured to provide them. This allows Chrome to successfully make an HTTPS connection to a site and avoids a “Your connection is not private” interstitial error.
Changes to OS functions in macOS X Sierra broke this functionality, causing a four-fold increase in errors related to missing/incorrect certificate chains.
Chrome 54 for Mac ships with a fix for this bug that restores AIA fetching. Chrome’s team refers to this as a “hack” because it will introduce some performance penalties and they are still looking for a proper solution.
New Certificate Transparency Logs
Certificate Transparency allows Certificate Authorities (CAs) to publically log certificates, providing proof of their issuance and allowing third-parties to audit their activity. In just a few short years Certificate Transparency has become one of the most important tools for strengthening the CA model and closing the gap on CA malfeasance.
As a technical mechanism, Certificate Transparency is quite complex. It is important to have a variety of “logs” where certificates can be publicly recorded in order to insure the accuracy, reliability, and diversity of the system.
In Chrome 54 two new logs have been approved, and are now accepted as valid sources for CT information. These logs are operated by WoSign and StartCom, and both are public logs that will provide free logging of any certificates issued from roots in Mozilla’s CA Program. These two join a short list of internationally hosted logs.
These logs are also now indexed by crt.sh, a Certificate Transparency search engine operated by Comodo.
Post-Quantum Cipher Support
CECPQ1 is Google’s first attempt at designing a cipher suite that is resistant to quantum computing. Google originally launched this cipher a few months ago in Canary, and has now enabled it in a select number of clients in the stable release of Chrome 54.
This is primarily a research experiment that is collecting real world data for future cipher designs. Unless you are looking out for it, you will likely never notice its existence.
Only a few websites are configured to use this cipher. If you want to see if your client has support enabled, visit play.google.com and look for “CECPQ1” listed as the Key Exchange method.
Certificate Viewer Bug Fixed in Sierra
Sierra has another bug, this one affecting the OS’ Certificate Viewer Window where you can view the certificate’s details. It currently has a bug where the Window’s height is set higher than the screen height and it cannot be used.
Chrome has another “hack” fix for this one that should restore functionality while a more permanent solution is sought.
HTTP/0.9 Disabled Over Non-Default Ports
At this point, HTTP/0.9 is absolutely ancient. While the internet is busy migrating to HTTP/2, there are still some legacy and consumer networking devices holding onto the past.
In order to encourage a timely move away from HTTP/0.9, and also reduce compatibility issues some users are experiencing, HTTP/0.9 will only work over default ports (80 and 443) in Chrome 54.
Chrome plans on removing support for HTTP/0.9 altogether within a few versions.
That’s is for Chrome 54! Lots of small changes this release.
If Chrome Canary is an accurate indicator, we will see some bigger changes coming in Chrome 55/56 – including the addition of a “Secure” indicator next to HTTPS sites, which Google designed based on new user research conducted earlier this year.