29

Accessing the chrome://settings page, I see two things contradicting each other:

[Screenshot: chrome settings page]

  • The ribbon below the address bar shows "You're viewing a secure Chromium Page."

  • On the other hand, the security overview under the security tab in Chromium developer tools says "This Page is not secure".

Does anyone have any idea what's going on here?

  1. Why these two conflicting messages? Any vulnerability here?
  2. Is the chrome://settings page really secure?
  3. If not secure, does it impact the browser or anything like that?
  4. What could be possible resolution?

EDIT: I want to clarify that my question is "Why these two conflicting security messages?" and only after that the security stuff, which is well answered by the question that everybody just seems to mark this question a duplicate of:

How do browsers make sure their settings page is secure?

So, please consider answering question 1 in the OP and then follow the rest.

If you still think the question is a duplicate, please read the answers below first and then compare them with the answers given to the question that you think this one is a possible duplicate of.

Thanks.

C0deDaedalus
  • 4
    Then it's one of two things: they assume anyone likely to use "developer tools" will know enough to realize that warning doesn't apply to built in settings pages, or they simply didn't consider it at all. – AndrolGenhald Mar 19 '18 at 19:03
  • 2
    Isn't it obvious that `It's one of two things`? I want to know which one it is and how. Could you please explain it in an answer? – C0deDaedalus Mar 19 '18 at 19:08
  • 1
    What do you mean secure? What kind of security do you expect from a built-in page? – gre_gor Mar 19 '18 at 22:27
  • I am clarifying again that Question 1 in the OP is the main question to ask. The rest of the questions (2, 3, 4) just cover the security side (if there is any) of the phenomenon. So the OP is not a duplicate of the question being advised by @AndrolGenhald. Also, I cannot explain or edit my question any further, so please remove the duplicate question advice. – C0deDaedalus Mar 20 '18 at 02:45
  • This question has been asked before, has it not? – MCMastery Mar 20 '18 at 18:22
  • 1
    @C0deDaedalus The `It's one of two things` referred here, is not the same as the two things you refer to. It's not between is secure or is not secure. Both of the "things" they mention are secure. It's an "in any case" argument – Cruncher Mar 20 '18 at 22:04
  • @MCMastery, my question is `Why these two conflicting messages` (that's already very well answered by @arminius) and after that the security stuff. If you think the question has been asked before, then please point to it with a link in the comments. Also, please read the answers and then compare them to the answers of the question already asked. – C0deDaedalus Mar 21 '18 at 06:23
  • @C0deDaedalus I'm sorry, I just clearly remember a question asking about the Chrome settings security message in dev tools, but I can't find it... I must be going crazy – MCMastery Mar 21 '18 at 15:22
  • Possible duplicate of [How do browsers make sure their setting page is secure](https://security.stackexchange.com/questions/173685/how-do-browsers-make-sure-their-setting-page-is-secure) – Xiong Chiamiov Mar 21 '18 at 16:31
  • @XiongChiamiov I already proposed the duplicate, but it was rejected by OP. – AndrolGenhald Mar 22 '18 at 14:37

1 Answer

46

Yes, your settings page is secure. What you're seeing is just an inconsistency on Chrome's side.

In the devtools, only valid HTTPS connections are labeled "secure". Other documents, including local files and settings pages, are shown as "not secure", even if they don't ever go through a network. The notion of a "secure connection" just doesn't apply to local resources. (A settings page is local, too.)

Why? Because the label is based on a site's SecurityState which is set to "neutral" for plain HTTP sites, local files and settings pages alike. And a "neutral" security state is verbalized as "not secure":

```js
const summaryExplanationStrings = {
  'unknown': Common.UIString('The security of this page is unknown.'),
  'insecure': Common.UIString('This page is not secure (broken HTTPS).'),
  'neutral': Common.UIString('This page is not secure.'),
  'secure': Common.UIString('This page is secure (valid HTTPS).')
};
```

(Source)

In the address bar, however, Chrome has a special label for viewing an internal page:

```xml
<message name="IDS_PAGE_INFO_INTERNAL_PAGE" desc="Message to display in the page
 info bubble when the page you are on is a chrome:// page or about:something.">
    You are viewing a secure Google Chrome page.
</message>
```

(Source)

Hence, the texts differ. Ultimately, the security indicators in the address bar should be your preferred means of verification. In other places, such as the devtools, the UI may not be as clear.

Arminius
  • 5
    +1 for pointing to the source code. How did you find that? – C0deDaedalus Mar 19 '18 at 19:23
  • 22
    @C0deDaedalus Just grepped `You're viewing a secure Chromium page` in the Chromium source and looked where it's used. – Arminius Mar 19 '18 at 20:09
  • @C0deDaedalus I usually search the [github](https://github.com/chromium/chromium/search?utf8=%E2%9C%93&q=You%27re+viewing+a+secure+Chromium+page&type=) – Namaskar Mar 20 '18 at 14:02
  • @Arminius, as you have answered it very well, you know the question very well. In that case, can you please tell the community that the question is not a duplicate of the [link everyone is pointing to](https://security.stackexchange.com/questions/173685/how-do-browsers-make-sure-their-setting-page-is-secure)? I believe you have enough reputation for this. – C0deDaedalus Mar 22 '18 at 06:37
  • @C0deDaedalus I think you have sufficiently clarified it yourself. Unless the question actually gets enough close votes, I think you're fine. If it actually gets closed, you can raise the problem on [meta](https://security.meta.stackexchange.com/) and the community will help you resolve it. – Arminius Mar 22 '18 at 14:46