SSL Notifications in Chrome

This article explains the notifications Chrome (version 39 and later) shows for HTTPS connections and SSL certificates. After installing the certificate and opening the site via https://, you may see the following warnings in Chrome:

  • Further, this page includes other resources which are not secure. These resources can be viewed by others while in transit, and can be modified by an attacker to change the look of the page.
  • Your connection to domain.com is encrypted using an obsolete cipher suite.
  • This site uses a weak security configuration (SHA-1 signatures), so your connection may not be private. <...> The certificate chain for this website contains at least one certificate that was signed using a deprecated signature algorithm based on SHA-1.
  • No Certificate Transparency information was supplied by the server.

To check these messages in Chrome, click on the padlock or green bar => Connection.

http://helpdesk.ssls.com/hc/en-us/article_attachments/202370902/chrome-1.jpg

1) “Further, this page includes other resources which are not secure. These resources can be viewed by others while in transit, and can be modified by an attacker to change the look of the page.”

http://helpdesk.ssls.com/hc/en-us/article_attachments/202358271/chrome-2.jpg

This warning is the mixed (insecure) content issue: some images, scripts, CSS or JS files on the HTTPS page are still loaded over plain HTTP. It is easily fixed by updating the links to those resources to use the secure HTTPS protocol. A good alternative is to use relative URLs in the HTML code of the web pages, so that the resources inherit the scheme of the page itself. More details on this matter can be found here.
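The check and the fix described above, as an added example that is not part of the original article: the finder lists every subresource fetched over plain HTTP (with the line it sits on), and the rewriter turns same-host links into root-relative paths and third-party links into https:// ones. The HTML is a constructed sample and "domain.com" stands in for the site's own host name; only the Python standard library is used.

```python
# Added example (not from the ssls.com article): find subresources that a
# page loads over plain HTTP and rewrite them so the browser stops showing
# the mixed-content warning. Standard library only; the HTML below is a
# constructed sample, and "domain.com" stands in for the site's own host.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Element -> attribute that names the fetched resource. Plain-HTTP values in
# these attributes are what Chrome reports as insecure content on an HTTPS page.
SUBRESOURCE_ATTRS = {
    "img": "src", "script": "src", "link": "href", "iframe": "src",
    "source": "src", "audio": "src", "video": "src", "embed": "src",
    "object": "data",
}


class InsecureResourceFinder(HTMLParser):
    """Collect (line, tag, url) for every subresource fetched over http://."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = SUBRESOURCE_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value and value.lower().startswith("http://"):
                line, _ = self.getpos()          # line where this tag starts
                self.findings.append((line, tag, value))


def find_insecure_resources(html):
    parser = InsecureResourceFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Matches src= / href= / data= attributes whose value starts with http://.
# Group 1 keeps the attribute name, "=" and the opening quote untouched.
_HTTP_ATTR = re.compile(r'(\b(?:src|href|data)\s*=\s*["\'])(http://[^"\']+)',
                        re.IGNORECASE)


def fix_insecure_resources(html, page_host):
    """Rewrite http:// URLs: same-host ones become root-relative paths (they
    then inherit the page's https:// scheme); third-party ones get the scheme
    switched to https://. This also touches <a href>, which is normally what
    you want once the whole site is served over TLS."""
    def replace(match):
        prefix, url = match.group(1), match.group(2)
        parts = urlsplit(url)
        if parts.netloc.lower() == page_host.lower():
            new_url = urlunsplit(("", "", parts.path or "/", parts.query, parts.fragment))
        else:
            new_url = "https://" + url[len("http://"):]
        return prefix + new_url
    return _HTTP_ATTR.sub(replace, html)


# Constructed sample page for demonstration.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://domain.com/css/site.css">
<script src="http://cdn.example.net/lib.js"></script>
</head><body>
<img src="http://domain.com/images/logo.png" alt="logo">
<a href="http://partner.example/">partner</a>
<iframe src='http://domain.com/widget'></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, tag, url in find_insecure_resources(SAMPLE_HTML):
        print(f"line {line}: <{tag}> loads {url} over plain HTTP")
    print(fix_insecure_resources(SAMPLE_HTML, "domain.com"))
```

Run the finder over the HTML of each page (or a saved copy of it) before switching the site to HTTPS; the three-party rewrite assumes the third-party hosts actually serve the resource over HTTPS, which is worth verifying before deploying the rewritten markup.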

2) “Your connection to domain.com is encrypted using an obsolete cipher suite.”

http://helpdesk.ssls.com/hc/en-us/article_attachments/202358261/chrome-3.jpg

A cipher suite is the set of algorithms (key exchange, authentication, bulk encryption and message integrity) that the server and the client negotiate for a TLS connection. This warning is not related to the SSL certificate itself: the cipher suites a server offers are part of the server configuration and can be changed if you have root access. Otherwise, feel free to contact your server provider for assistance with this matter.

These articles on server SSL/TLS protocols and configuration may be useful:

Apache and Nginx

Windows-based servers
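What Chrome means by "obsolete", as an added example that is not part of the original article: Chrome reports a connection as modern only when the protocol is TLS 1.2 or newer, the key exchange is ECDHE and the bulk cipher is an AEAD (AES-GCM or ChaCha20-Poly1305); anything else triggers the warning. The classifier below applies those three checks to OpenSSL-style suite names (the spelling Python's ssl module and the Apache/Nginx cipher directives use), and `audit_cipher_list` runs it over a server's whole cipher list. The sample cipher list is constructed; `check_server` needs network access and is not exercised offline.

```python
# Added example (not from the ssls.com article): classify a negotiated TLS
# version and cipher suite the way Chrome's "obsolete cipher suite" check does.
# Chrome calls a connection modern only when all three hold: TLS 1.2 or newer,
# ECDHE key exchange, and an AEAD cipher (AES-GCM or ChaCha20-Poly1305).
import socket
import ssl

MODERN_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def obsolete_reasons(protocol, cipher):
    """Return the list of reasons Chrome would call this connection obsolete
    (an empty list means the connection passes all three checks)."""
    reasons = []
    if protocol not in MODERN_PROTOCOLS:
        reasons.append(f"{protocol} is older than TLS 1.2")
    if protocol == "TLSv1.3":
        # Every TLS 1.3 suite (TLS_AES_*, TLS_CHACHA20_*) is (EC)DHE + AEAD.
        return reasons
    if not cipher.startswith("ECDHE-"):
        reasons.append(f"{cipher}: key exchange is not ECDHE (static RSA has no "
                       "forward secrecy; Chrome flags DHE as obsolete as well)")
    if "-GCM-" not in cipher and "CHACHA20-POLY1305" not in cipher:
        reasons.append(f"{cipher}: bulk cipher is not AEAD (CBC or RC4 with HMAC)")
    return reasons


def audit_cipher_list(protocol, cipher_list):
    """Split an OpenSSL-style cipher list (the value of Nginx ssl_ciphers or
    Apache SSLCipherSuite) into modern suites and obsolete suites with reasons.
    Selector keywords such as HIGH or !aNULL are not suite names and are skipped."""
    modern, obsolete = [], {}
    for name in cipher_list.split(":"):
        if not name or name[0] in "!+-@" or "-" not in name:
            continue                      # keyword / modifier, not a suite name
        reasons = obsolete_reasons(protocol, name)
        if reasons:
            obsolete[name] = reasons
        else:
            modern.append(name)
    return modern, obsolete


def check_server(hostname, port=443):
    """Connect to a live server and classify what it negotiated (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            protocol = tls.version()          # e.g. "TLSv1.2"
            cipher, _, _ = tls.cipher()       # (name, protocol, secret bits)
    return protocol, cipher, obsolete_reasons(protocol, cipher)


# Constructed sample: a mixed cipher list of the kind found in older configs.
SAMPLE_CIPHER_LIST = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-SHA:AES256-SHA:!aNULL:!MD5"
)

if __name__ == "__main__":
    modern, obsolete = audit_cipher_list("TLSv1.2", SAMPLE_CIPHER_LIST)
    print("modern:", ", ".join(modern))
    for name, reasons in obsolete.items():
        print("obsolete:", name, "->", "; ".join(reasons))
```

The practical reading of the audit: keep the suites that land in the modern list, drop the rest from the server's cipher list, and make sure TLS 1.0 and 1.1 are disabled, since a connection that negotiates those is flagged regardless of the suite.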

3) “This site uses a weak security configuration (SHA-1 signatures), so your connection may not be private. <...> The certificate chain for this website contains at least one certificate that was signed using a deprecated signature algorithm based on SHA-1.”

http://helpdesk.ssls.com/hc/en-us/article_attachments/202358241/chrome-4a.jpg

http://helpdesk.ssls.com/hc/en-us/article_attachments/202370892/chrome-4.jpg

This warning usually appears on websites whose certificate was installed some time ago, as Certificate Authorities used to sign certificates with the SHA-1 algorithm. SHA-1 is now being deprecated because it is vulnerable to collision attacks. If you see this warning in Chrome, please reissue the certificate and reinstall it on the server; since the warning covers the whole chain, install the intermediate certificates supplied with the reissued certificate as well.

We performed a full transition to SHA-2 in our system on November 6, 2014, so all new and reissued certificates are signed with the current sha256withRSAEncryption algorithm.

4) “No Certificate Transparency information was supplied by the server.”

http://helpdesk.ssls.com/hc/en-us/article_attachments/202358251/chrome-5.jpg

This message refers to the Certificate Transparency (CT) project and does not affect the padlock in any way. CT records issued SSL certificates in public, append-only logs that can be monitored in near real time, which makes it very hard to issue and use fraudulent certificates unnoticed.

Among the certificates we provide, only Extended Validation ones support Certificate Transparency so far. As per a recent update, since October 2017 all Domain Validation and Organization Validation SSL certificates should also support CT to be trusted in the Google Chrome browser.
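Both certificate-side warnings (3 and 4) can be checked on the certificate itself. The script below is an added example, not part of the original article: a minimal DER walker that reads the certificate's signature algorithm OID (to spot SHA-1 signatures) and looks for the embedded SCT-list extension, OID 1.3.6.1.4.1.11129.2.4.2 from RFC 6962, which is one of the ways a server supplies Certificate Transparency information. The sample certificates are constructed with placeholder fields so the script runs offline; `inspect_server` fetches a live leaf certificate and needs network access.

```python
# Added example (not from the ssls.com article): inspect a DER-encoded X.509
# certificate with a minimal ASN.1 walker and report (a) whether it is signed
# with a SHA-1 based algorithm and (b) whether it carries an embedded SCT list.
# Standard library only; the sample certificates below are constructed.
import ssl

SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
SHA1_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}
SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"      # RFC 6962 embedded SCT list


def read_tlv(buf, pos=0):
    """Decode one DER element at pos -> (tag, content bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(content):
    """Yield (tag, content) for each element inside a constructed element."""
    pos = 0
    while pos < len(content):
        tag, inner, pos = read_tlv(content, pos)
        yield tag, inner


def decode_oid(raw):
    """DER OID content bytes -> dotted string (first byte packs two arcs)."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def inspect_certificate(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }."""
    _, body, _ = read_tlv(der)
    (_, tbs), (_, sig_alg), _ = children(body)
    alg_oid = decode_oid(next(children(sig_alg))[1])   # OID is the first field
    has_sct = False
    for tag, content in children(tbs):
        if tag == 0xA3:                                # [3] EXPLICIT Extensions
            for _, ext in children(next(children(content))[1]):
                if decode_oid(next(children(ext))[1]) == SCT_LIST_OID:
                    has_sct = True
    return {"signature_algorithm": SIGNATURE_OIDS.get(alg_oid, alg_oid),
            "sha1_signature": alg_oid in SHA1_OIDS,
            "has_embedded_sct": has_sct}


def tlv(tag, content):
    """Encode one DER element (used only to build the constructed samples)."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    length = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_sample_certificate(sig_oid, with_sct):
    """Constructed toy certificate: real X.509 layout, placeholder contents."""
    alg_id = tlv(0x30, encode_oid(sig_oid) + tlv(0x05, b""))
    ext_list = tlv(0x30, encode_oid(SCT_LIST_OID) + tlv(0x04, b"\x04\x00")) if with_sct else b""
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02"))      # version v3
                    + tlv(0x02, b"\x01")               # serial number (placeholder)
                    + alg_id                           # tbs.signature
                    + tlv(0x30, b"") * 4               # issuer, validity, subject, SPKI (empty placeholders)
                    + tlv(0xA3, tlv(0x30, ext_list)))  # [3] extensions
    return tlv(0x30, tbs + alg_id + tlv(0x03, b"\x00" * 17))   # signature BIT STRING placeholder


def inspect_server(hostname, port=443):
    """Fetch a live server's leaf certificate and inspect it (needs network).
    Chrome's SHA-1 warning covers the whole chain, so intermediates need the
    same check; this helper looks at the leaf only."""
    pem = ssl.get_server_certificate((hostname, port))
    return inspect_certificate(ssl.PEM_cert_to_DER_cert(pem))


if __name__ == "__main__":
    for oid, sct in (("1.2.840.113549.1.1.5", False), ("1.2.840.113549.1.1.11", True)):
        print(inspect_certificate(build_sample_certificate(oid, sct)))
```

A certificate without the embedded extension may still satisfy CT through SCTs delivered in the TLS handshake or in a stapled OCSP response, so `has_embedded_sct` being false is a prompt to check those channels rather than proof that the server supplies no CT information.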
