I am cautious about my secure browsing. One thing I do is that from time to time, I’ll click on the Secure button in the Chrome location bar to check on the SSL certificates of the HTTPS websites I visit. I was really annoyed when in Chrome version 56, Google got rid of that simple functionality in favour of a “Learn more” link.
There are reasons why I want to inspect the certificate details. I’ll talk about this later.
It might not have been so bad had that link led to the original functionality to view the certificate details. But no, the link sent you to a Google support page. The ability to view certificate details was still available other ways, but buried under the Security tab of the Developer Tools, it was really inconvenient to access.
Of course, if you only rarely wanted to check SSL certificate details, this inconvenient access isn’t a big deal. But these extra steps make it highly inconvenient to casually check SSL certificate details on a more frequent basis. Now, I don’t check all, not even anywhere near most, website SSL certificates, but I will take a peek every once in a while.
There’s a long thread in the Google product forum. Just about everyone found it completely absurd that Google would take away such a functionality, or bury it somewhere so inconvenient. The apparent reason was to simplify that Secure button to not confuse clueless users. Yeah, I don’t have a problem with that. But surely there could be a way to work out a UI that meets both groups of users?
It was a really long wait, but finally in Chrome version 60, this functionality resurfaced again in a reasonably convenient way. However, it is not turned on by default. You need to enable a Chrome feature flag. Type this in the Google location bar:
That takes you directly to the “Show certificate link” setting, where you click on Enable.
With this simple change, whenever you visit an HTTPS website, you can click on the Secure button in the location bar, then click on the “valid” link under the Certificate section.
So there, now I can easily, casually, browse the SSL certificate details.
Most of the time, I’m just curious about the SSL certificates in a broad, general way. For example, I want to know if the website uses older RSA-based certificates, or the better ECDSA-based certificates.
Or, who the issuer of the certificate is. For example, if some biggish business uses free certificates from Let’s Encrypt.
More importantly, it may be revealing to discover a suspicious issuer CA. For example, a dubious CA may have facilitated a website hijack by issuing an alternative certificate. It would be rare to discover this, but alarm bells should go off if you discover the use of an unusual issuing CA for a particular website you’re already familiar with.
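The issuer check described above can also be scripted for sites you visit regularly. This is an added example, not part of the original post: it uses Python's standard `ssl` module, and the host names, CA names and baseline table are constructed for illustration.

```python
import socket
import ssl


def fetch_cert(host, port=443, timeout=5.0):
    """Connect over TLS and return the validated leaf certificate as a dict."""
    ctx = ssl.create_default_context()  # verifies chain and host name
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def name_field(rdns, key):
    """Pull one attribute (e.g. organizationName) out of a subject/issuer tuple."""
    for rdn in rdns:
        for k, v in rdn:
            if k == key:
                return v
    return None


def check_issuer(host, cert, baseline):
    """Compare the issuer organisation with the ones recorded for this host.

    Returns (status, issuer_org); status is 'ok', 'changed' or 'unknown-host'.
    """
    org = name_field(cert.get("issuer", ()), "organizationName")
    expected = baseline.get(host)
    if expected is None:
        return ("unknown-host", org)
    return ("ok" if org in expected else "changed", org)


# Constructed sample data in getpeercert() format; hosts and CA names are made up.
BASELINE = {"shop.example": {"Example Trust Services"}}
SAMPLE_OK = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Trust Services"),),
               (("commonName", "Example Trust CA 1"),)),
}
SAMPLE_ODD = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("organizationName", "Unfamiliar CA Ltd"),),
               (("commonName", "Unfamiliar Issuing CA"),)),
}

if __name__ == "__main__":
    for cert in (SAMPLE_OK, SAMPLE_ODD):
        print(check_issuer("shop.example", cert, BASELINE))
```

For a live site, pass the result of `fetch_cert(host)` as `cert`. A `changed` result is a prompt to look closer, since sites also switch CAs for ordinary reasons.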
I’m mostly just being kaypoh. But with security being all so important, it helps every way that tools are available to help you stay secure easily.