The Map Is Not The Territory

A blog by Christian Willmes.

Misleading Chromium and Google Chrome warning message for self signed SSL certificates

categories: webdev, ubuntu, open source, server

For some time now I have been aware of a new warning message in the Chromium and Google Chrome web browsers concerning "untrusted" SSL certificates on HTTPS-secured websites.

I guess that this new warning message is part of Google's (basically good) campaign to support and promote the use of SSL. Google announced this campaign under the title HTTPS Everywhere at Google I/O 2014. They talk about things like good citizenship of the web in the context of SSL.

Screenshot of the Chromium "Privacy error" warning, shown on accessing my own server via HTTPS.

The problem with that message is that colleagues and friends with whom I want to share data through my server get scared by this misleading message from Chromium and Chrome. They come back to me saying that something might not be working, or might be wrong, with my server. Then I have to try to explain SSL certificates and HTTPS to people who mostly barely know the difference between a website and a server, and convince them to trust me rather than that serious-looking message... This basically only works for people I know fairly well. Some people with whom I need to work, but do not know, will most probably not trust me and are scared away by this message if they don't know enough about SSL-encrypted HTTPS. And sorry Google, this is not good.

Even more misleading message shown by Chrome/Chromium if the user proceeds through the "Advanced" option.

In my view this warning message is not just very suggestive, in a way that compromises trust in accessing data and web applications on my server through HTTPS; it is also wrong in what it claims. It says that accessing my server is unsafe. Which is not the case! Anybody who thinks that is the case when using a self-signed certificate, please comment on this post and educate me.

I have now obtained a free SSL certificate from StartSSL for the HTTPS configuration of my web server, to get rid of this wrong and annoying warning by Chrome/Chromium. I am very uncomfortable with this, because I do not trust this company in any way. And why the heck should I, or anyone? I do not know anything about the people behind this company. And why the heck should I care? I just want a minimum of protection for entering passwords and data into my web application by providing an HTTPS connection to my server. Since the Snowden revelations it is clear that SSL can be decrypted by a knowledgeable enough "agency" anyway.... Nonetheless, I am forced to trust some company which sells trust (which is plain wrong on so many different levels of implementation and from so many different angles of view on that matter). And I also need to force my colleagues and friends to trust this company, from which I got some trust... This trust I gained through receiving and confirming an email sent to an address on my domain name. That I do not host my email on the server the domain is registered for, and where I use that certificate, does not matter to that company when it comes to trusting me... :P.

On a side note, the warnings issued by Firefox or IE are far more polite and do not scare people away from accessing my server (using a self-signed certificate); they just accept the "assumed" and far less severe risk warnings of those browsers' notifications.

Finally, I have a question for you all. Please tell me how a self-signed certificate is in any way less secure than a "certified" and "trusted" one? The connection itself is neither more nor less secure; it's just the trust. And as said, I am not comfortable with trusting companies who can grant (sell) trust... This trust must come from the provider of the application and the maintainer of the server that is to be accessed, I think.
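The point above, that the difference is the trust anchor and not the encryption, can be made concrete with the openssl command line. The script below is an added example, not the author's configuration: it creates a throwaway self-signed certificate for the made-up hostname `example.test`, shows that a verifier trusting only the system CA store rejects it (which is what the browser's "privacy error" reports), and shows that the same certificate verifies fine once the client is told to trust exactly that certificate. The SHA-256 fingerprint is the value a server operator would hand to colleagues out of band so they can confirm they are talking to the right server; the `fingerprint_matches` helper is that client-side check. It assumes the `openssl` CLI is installed.

```shell
#!/bin/sh
# Added example (not from the original post): a self-signed certificate fails
# verification against the system CA store but verifies once the certificate
# itself is the trust anchor. Requires the openssl CLI. Hostname is constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/selfsigned.pem"
KEY="$WORK/selfsigned.key"

# Create a throwaway self-signed certificate for a made-up hostname.
make_self_signed_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=example.test" -keyout "$KEY" -out "$CERT" >/dev/null 2>&1
}

# SHA-256 fingerprint of the certificate: the value the server operator
# publishes out of band (mail, chat, printed on paper) for users to compare.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$CERT" | sed 's/^.*=//'
}

# Verify against the system CA store only. A self-signed certificate has no
# chain to any store CA, so this prints "untrusted" (the browser's warning).
verify_with_system_store() {
    if openssl verify "$CERT" 2>/dev/null | grep -q ': OK$'; then
        echo trusted
    else
        echo untrusted
    fi
}

# Verify with the self-signed certificate itself as the trust anchor, which is
# what importing or pinning the certificate on the client does. Same key, same
# encryption; only the trust decision changed.
verify_with_pinned_cert() {
    if openssl verify -CAfile "$CERT" "$CERT" 2>/dev/null | grep -q ': OK$'; then
        echo trusted
    else
        echo untrusted
    fi
}

# Client-side check: compare the fingerprint received out of band with the one
# the server actually presents. Prints "match" or "mismatch".
fingerprint_matches() {
    expected="$1"
    if [ "$(cert_fingerprint)" = "$expected" ]; then
        echo match
    else
        echo mismatch
    fi
}

make_self_signed_cert
echo "fingerprint:  $(cert_fingerprint)"
echo "system store: $(verify_with_system_store)"
echo "pinned:       $(verify_with_pinned_cert)"
```

Run it as `sh selfsigned-trust.sh`; the system-store check prints `untrusted` and the pinned check prints `trusted` for the very same certificate. In practice the pinned path corresponds to importing the certificate into the client's trust store (or the user checking the fingerprint shown in the browser's certificate viewer), which is the "trust comes from the server maintainer" model the post argues for.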

Have fun and a good start into 2015!
