What is Screwing Up Chrome This Morning?

All sorts of sites that I use are now "Not Secure" and everything on
them is highlighted and the links don't work. No problems with
Firefox yet. Does this have something to do with the overnight
Windows Update?

Ricardo Jimenez wrote:
All sorts of sites that I use are now "Not Secure" and everything on
them is highlighted and the links don't work. No problems with
Firefox yet. Does this have something to do with the overnight
Windows Update?

Do you have a sample site we could test ?

Sites are not secure, all the time, and at least, I'd want
to compare the response of several different browsers to
understand why.

Paul

Ricardo Jimenez wrote:

All sorts of sites that I use are now "Not Secure" and everything on
them is highlighted and the links don't work. No problems with
Firefox yet. Does this have something to do with the overnight
Windows Update?

Any program you use that intercepts web traffic can screw up security.
Google is more strict regarding certificate validity. They've done it
in the past and may have done so again.

For example, when they required that the Subject Alternative Name field
be populated for a multi-domain certificate, some companies got nailed
that include and use their own self-signed certs (no CA is associated to
the cert) with their programs. Applian's Replay Media Capture (RMC), a
streaming video capture tool, could no longer run when Google got more
strict on certs demanding the SAN field be populated. Firefox was more
lax (less secure) so RMC users had to switch to Firefox instead of
Google Chrome. Eventually Applian fixed the fields in their new
self-signed cert (which they demand their customers buy v7 of RMC
despite the new cert would work just as well with v7, and earlier). The
cert gets put into the global cert store you see using certmgr.msc
except for Firefox where Mozilla decided to wrest control on certs by
using its own private cert store. The local cert is needed for a MITM
scheme to intercept encrypted web traffic to allow capture from HTTPS
sites; else, you can only intercept traffic from HTTP sites but most
video sites are now HTTPS.

Using a self-signed cert in a MITM scheme is hardly new. Companies use
them on their workstations to allow them to monitor the content of HTTPS
traffic generated by employees who are supposed to be working when at
work and using company property and company resources. Local certs for
the MITM scheme is also how several anti-virus programs work to
interrogate HTTPS traffic; e.g. Avast uses one, by default, so they can
inspect HTTPS traffic for malicious content (but their self-signed cert
was created correctly and didn't trigger Chrome to start reporting HTTPS
sites as insecure).

When Google decides to lockdown on certificates to enforce the security
they are supposed to offer, some sites and programs get nailed because
they were sloppy, uneducated, or their cert issuer was so. You didn't
provide any real examples of sites you visit where Google Chrome reports
a problem but then you didn't even say what Google Chrome reports as the
problem (is "not secure" all that Google Chrome reports?).

You might also want to look under Internet Options - Connections - LAN
Settings to make sure you are NOT using a proxy through which to pipe
your web traffic. As another example, a long time ago RMC used a
non-transparent proxy so it changed these settings to make web traffic
go through its local proxy. If RMC crashed or was killed, it never got
to its code to restore the proxy settings (to delete them and have
clients go direct to the network). With its proxy killed but with proxy
settings still pointing to it, all web access was lost -- until you went
into the proxy settings to clear them. Back then I created a .reg file
saved for when the proxy settings were blank so I could click on a
shortcut to reload that .reg file to clear the proxy settings instead of
having to wade through the Internet Options dialogs. So check if you
are stuck using a proxy for your web traffic.

On Mon, 11 Dec 2017 11:33:48 -0500, Paul
wrote:

Ricardo Jimenez wrote:
All sorts of sites that I use are now "Not Secure" and everything on
them is highlighted and the links don't work. No problems with
Firefox yet. Does this have something to do with the overnight
Windows Update?

Do you have a sample site we could test ?

Sites are not secure, all the time, and at least, I'd want
to compare the response of several different browsers to
understand why.

Paul

www.talkleft.com
www.stopandshop.com

Ricardo Jimenez wrote:
On Mon, 11 Dec 2017 11:33:48 -0500, Paul
wrote:

Ricardo Jimenez wrote:
All sorts of sites that I use are now "Not Secure" and everything on
them is highlighted and the links don't work. No problems with
Firefox yet. Does this have something to do with the overnight
Windows Update?
Do you have a sample site we could test ?

Sites are not secure, all the time, and at least, I'd want
to compare the response of several different browsers to
understand why.

Paul

www.talkleft.com
www.stopandshop.com

OK, your first link doesn't accept https:// secure protocol.
It only accepts http:// . There is an Internet campaign underway,
to make every site use https, but the thing is, the various
crypto suites means that maybe someone on Win98 or WinXP,
no longer has access to a good browser for the job, so they'd
be denies access to the web.

The https is preferred for business sites, because it
prevents eavesdropping. And Google Chrome has a relatively
high default security suite it uses. A commercial site
with a lot of third-party links on it, the web page ends
up with a "mixed" status, where the main page is secure,
but the adverts are not, or the adverts use a different
crypto.

To study suites, there are some ssllabs web sites.

One checks your browser, for what suites it uses.
Maybe it's AES-128 and Dxxxx (some five letter acronym
that didn't stick in my head). There will be a list of
possible combinations. At one time, were were ruling
out 40 bit encryption standards (because they can be
cracked in a short time).

https://www.ssllabs.com/ssltest/viewMyClient.html

The other page, checks a web site, to see how well "armored"
it is. For example, the first site is going to get a "lesser"
grading, because it doesn't support https at all. And the
ssllabs web checker only checks for https suites (to
detect the weak ones or the ones that are already
compromised). You could plug in the stopandshop link
into this one, and have the server analyzed, to see
if it has a crypto suite that Chrome would also like.
If the page has a mixed status, I would hope the scan
here identifies the mixed levels of protection offered.

https://www.ssllabs.com/ssltest/

The suites are large, so that the two ends of the link
can negotiate and pick the best crypto they jointly share.

You can run some tests now, to see which end is at
fault. There's no need to scan your first link, because
it doesn't accept https at all, so right away Chrome
will be annoyed with it. For actual https sites,
as newer versions of Chrome comes out, Google will
"raise the bar" on the crypto suite considered
sufficient.

On certificates for https, they've switched from
SHA1 to SHA256, which at the time broke some browsers.
One Internet company recommended "fallback" behavior,
so that SHA1 was still available for older browsers.
But this won't last forever, and an older browser is
going to throw an error if it doesn't support some
newer choice of standard.

It all boils down to an evil campaign to kick Win98
and WinXP people off the Internet :-) Keeping the NSA
out of the loop, is their "excuse". And, when these
companies do this, they[re doing it so that you have
to use their new browser, with compromised privacy
features (so they can track what sites you're visiting).
It makes incognito browsing all that much more important.

This is why modern browsers use omniboxes, with both
search and URL in the same box. It means if every
typed-in URL is also considered an attempt to
"search", then your URL can be logged while
phoning home. Firefox can make some good money from
Google, for this kind of drooling data stream. If
you search for a pair of socks on Walmart, the CNN
news page will be covered in sock adverts :-)

Paul

On 12/11/2017 04:45 PM, Ricardo Jimenez wrote:
On Mon, 11 Dec 2017 11:33:48 -0500, Paul
wrote:

Ricardo Jimenez wrote:
All sorts of sites that I use are now "Not Secure" and everything on
them is highlighted and the links don't work. No problems with
Firefox yet. Does this have something to do with the overnight
Windows Update?

Do you have a sample site we could test ?

Sites are not secure, all the time, and at least, I'd want
to compare the response of several different browsers to
understand why.

Paul

www.talkleft.com
www.stopandshop.com

In Firefox the stopandshop comes up but hitting the site info says that
the main site is secure and images and external links are not. Thus the
insecure logo in Firefox. I'm going to guess that Chrome puts up a
more offensive opposition. Luckily FF just changes a little icon in
the URL bar.

Ricardo Jimenez wrote:

Paul wrote:

Ricardo Jimenez wrote:
All sorts of sites that I use are now "Not Secure" and everything on
them is highlighted and the links don't work. No problems with
Firefox yet. Does this have something to do with the overnight
Windows Update?

Do you have a sample site we could test ?

Sites are not secure, all the time, and at least, I'd want
to compare the response of several different browsers to
understand why.

Paul

www.talkleft.com
www.stopandshop.com

Yep, Google Chrome says "Not Secure" but does not block the client from
connecting to that site. A site can only be secure if they use a
certificate to both authenticate their identity (through a CA -
Certificate Authority - like Verisign) and to allow encryption of the
traffic between the endpoints. Well, talkleft. is *NOT* an HTTPS web
site. While you gave www.talkleft.com which specifies only the hostname
at a domain, you left out that the full URL is http://www.talkleft.com/.
That's not an HTTPS site.

The 2nd site, www.stopandshop.com, is an HTTPS site. Its full URL is
https://stopandshop.com/. Google Chrome does not report "Not Secure"
for that site because its site cert is still valid. However, the
"Secure" prefix field is missing because that site chooses to mix secure
and insecure content. That is, some of the page is delivered under
HTTPS while some of its content is delivered via HTTP. It is referred
to as mixed content. Any web page that is not 100% secure for all its
content is not a secure web page. Often mixed content results from a
site allowing content from external resources, like ad servers, or
getting images from a resource that doesn't use the overhead of HTTPS to
deliver what they consider to be publicly-accessible content.
Encryption isn't needed for content that doesn't need to be secured.

https://developers.google.com/web/fu...-mixed-content

The default of most web browsers is to allow mixed content. That is
because discarding or blocking HTTPS content for an HTTPS web page can
result in a rendered document that isn't usable (well, as far as the
site is concerned). Not allowing mixed content will break many web
sites. Mozilla takes the approach that mixed content is allowed but you
can change it. For a long time, Mozilla allowed mixed content by
default and users had to go into about:config to force an HTTPS
delivered web page to only allow HTTPS for all of its content.
Eventually Mozilla decided to warn about mixed content and added the
security.mixed_content.block_active_content setting; see
http://www.thewindowsclub.com/disabl...ontent-firefox and
https://support.mozilla.org/en-US/kb...ocking-firefox.
When visiting stopandshop.com using Firefox, you will see a yellow
exclamation character overlay atop the padlock icon in the address bar.
Click on it and you'll see the stopandshop.com is *NOT* secu it
allows mixed content. The WindowsClub article mentions how to disable
the active content check; however, the normally expected passive content
that typically results in a mixed content page is the display content
(affected by the security.mixed_content.block_display_content) as that
would block HTTP content delivered via an HTTPS web page. If you
changed that setting (from false to allow mixed display content) to True
then the HTTPS delivered content would get blocked and the page may not
render fully since the insecurely delivered display content got
blocked.

The first site is properly identified as "Not Secure" because, well, it
is not secured by a site certificate. It just uses HTTP. The 2nd site
is also identified as insecure (click on the circled "i" icon at the
left of the address bar): it uses HTTPS to deliver the guts of the web
page but some of the content is delivered via HTTP. Either a web page
is secure or it is not. Mixed content, even if allowed, means the web
page is NOT secure. There is no such thing as partially secure since
all that means it is not fully secure which means not secure.

If you don't want to configure the web browser to reject all insecure
(HTTP) content when visiting what is supposedly a secure (HTTPS) site
then complain to the site admin that their secure web pages are insecure
because they deliver content via HTTP, not all of it via HTTPS.

On Mon, 11 Dec 2017 17:34:38 -0500, Paul wrote:


It all boils down to an evil campaign to kick Win98
and WinXP people off the Internet :-) Keeping the NSA
out of the loop, is their "excuse". And, when these
companies do this, they[re doing it so that you have
to use their new browser, with compromised privacy
features (so they can track what sites you're visiting).
It makes incognito browsing all that much more important.

This is why modern browsers use omniboxes, with both
search and URL in the same box. It means if every
typed-in URL is also considered an attempt to
"search", then your URL can be logged while
phoning home. Firefox can make some good money from
Google, for this kind of drooling data stream. If
you search for a pair of socks on Walmart, the CNN
news page will be covered in sock adverts :-)

Paul

Google has been pulling some **** on my end lately where I type in a
search term, and I get something saying I have to prove I am a not a
robot. I have to hit a submit button and answer presonal info. I'm using
Firefox. Well, I am going to say the exact words I said out loud. "****
YOU GOOGLE, THERE ARE OTHER SEARCH ENGINES". Not only did I change my
default search engine to another one, I added google.com and a few other
incarnations of google, such as adservice.google.com, to my hosts
file.Google thinks they own the internet. **** GOOGLE!

And now, Chrome can't handle www.nytimes.com !!
Thanks to those who have explained why. Could you make it simple? Is
the following correct? There is nothing I can do except use a
different browser. TIA

On 12/12/2017 14:54, Ricardo Jimenez wrote:
And now, Chrome can't handle www.nytimes.com !!
Thanks to those who have explained why. Could you make it simple? Is
the following correct? There is nothing I can do except use a
different browser. TIA


Actually, you can do something and it is pretty much easier. You can
create a new Windows profile (some call this windows Account) and use it
to see if Google Chrome works from that new account. If it does then
you know that your old profile is somewhat corrupted and so you can post
back so that a fix can be suggested.

Good luck.



--
With over 600 million devices now running Windows 10, customer
satisfaction is higher than any previous version of windows.

On Tue, 12 Dec 2017 09:54:43 -0500, Ricardo Jimenez
wrote:

And now, Chrome can't handle www.nytimes.com !!
Thanks to those who have explained why. Could you make it simple? Is
the following correct? There is nothing I can do except use a
different browser. TIA

I've just been to https://www.nytimes.com/site using Chrome and it
worked OK.

I think you have some setting wrong.

Steve

--
http://www.npsnn.com

On Tue, 12 Dec 2017 09:54:43 -0500, Ricardo Jimenez wrote:

And now, Chrome can't handle www.nytimes.com !!
Thanks to those who have explained why. Could you make it simple? Is
the following correct? There is nothing I can do except use a
different browser. TIA

Seems fine here in the UK
--
Jim S

On Tue, 12 Dec 2017 02:49:55 -0600, wrote:

On Mon, 11 Dec 2017 17:34:38 -0500, Paul wrote:


It all boils down to an evil campaign to kick Win98
and WinXP people off the Internet :-) Keeping the NSA
out of the loop, is their "excuse". And, when these
companies do this, they[re doing it so that you have
to use their new browser, with compromised privacy
features (so they can track what sites you're visiting).
It makes incognito browsing all that much more important.

This is why modern browsers use omniboxes, with both
search and URL in the same box. It means if every
typed-in URL is also considered an attempt to
"search", then your URL can be logged while
phoning home. Firefox can make some good money from
Google, for this kind of drooling data stream. If
you search for a pair of socks on Walmart, the CNN
news page will be covered in sock adverts :-)

Paul

Google has been pulling some **** on my end lately where I type in a
search term, and I get something saying I have to prove I am a not a
robot. I have to hit a submit button and answer presonal info. I'm using
Firefox. Well, I am going to say the exact words I said out loud. "****
YOU GOOGLE, THERE ARE OTHER SEARCH ENGINES". Not only did I change my
default search engine to another one, I added google.com and a few other
incarnations of google, such as adservice.google.com, to my hosts
file.Google thinks they own the internet. **** GOOGLE!

Bing is pretty good nowadays. I'm sure that there is some censorship
on the engine of conservative sites, but I haven't yet seen it myself.

On Tue, 12 Dec 2017 09:54:43 -0500, Ricardo Jimenez
wrote:

And now, Chrome can't handle www.nytimes.com !!
Thanks to those who have explained why. Could you make it simple? Is
the following correct? There is nothing I can do except use a
different browser. TIA

What exactly does it do when you venture onto the site with Chrome?
Can you post a screenshot, per chance?

On Tue, 12 Dec 2017 12:28:20 -0500, Doomsdrzej wrote:

On Tue, 12 Dec 2017 09:54:43 -0500, Ricardo Jimenez
wrote:

And now, Chrome can't handle www.nytimes.com !!
Thanks to those who have explained why. Could you make it simple? Is
the following correct? There is nothing I can do except use a
different browser. TIA

What exactly does it do when you venture onto the site with Chrome?
Can you post a screenshot, per chance?

As far as www.nytimes.com , it will come up sometimes as
http:/www.nytimes.com and at other times as https://www.nytimes.com In
the first case, there will be an insecure message in the address bar
and the site is unusable. Just adding the s in the address bar seems
to work for some sites but not for others like www.talkleft.com I
think that Chrome preventing http sites from working just started this
week, at least for Windows10.